
NAC SSO in Windows 7 not Working

Daniel Stefani
Level 1

Hello,

I'm having problems with the SSO process on workstations with Windows 7 and I need help to solve it.

ENVIRONMENT:

Clean Access Manager: 4.9.0

Clean Access Server: 4.9.0

Clean Access Agent: 4.9.0.33

Compliance Module: 3.4.27.1

Windows Domain : Windows 2003 Server Full Functional Level

Status of Active Directory SSO: Started

More information:

  • On the Windows Domain Controller, I ran the following command with no errors:

ktpass -princ NAC_USER/mydomain.net@MYDOMAIN.NET -mapuser NAC_USER -pass mypass -out c:\nac_user.keytab -ptype KRB5_NT_PRINCIPAL

The file nac_user.keytab was created in c:\ on the DC.

  • On Windows XP workstations, SSO is working correctly.
  • Windows 7 workstations work when I manually enable DES in "Start > Control Panel > System and Security > Administrative Tools > Local Security Policy > Local Policies/Security > Options > Network security > Configure encryption types allowed".

I have many workstations running Windows 7 and cannot do this manual procedure on all of them.

Running the command tail -f /perfigo/access/tomcat/logs/nac_server.log on the CAS, I see the following messages during an attempt to do SSO from an unchanged Windows 7 workstation:

2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 WARN  com.perfigo.wlan.jmx.adsso.GSSServer               - Server was not running ...

2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server starting server ...

2012-03-09 11:45:21.329 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server is now running ...

2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - SPN : [NAC_USER/mydomain.net@MYDOMAIN.NET]

2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - building kdc list for domain mydomain.net

2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - done building kdc list for domain mydomain.net

2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - KDC(s) :[srvslsdc001.mydomain.net, srvpnpdc001.mydomain.net, srvpnpdc002.mydomain.net, srvalvdc001.mydomain.net, srvtatdco001.mydomain.net, srvtatdco002.mydomain.net, srvpaldc002.mydomain.net, srvmurdc001.mydomain.net, srvnundc001.mydomain.net]

2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: writing to file ../conf/krb.txt

2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt

2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - creating login context ...

2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - created login context ...javax.security.auth.login.LoginContext@b55e97

2012-03-09 11:45:21.631 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Notifying GSSServer status Started

2012-03-09 11:45:21.807 +0100  Thread-88 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer               - accepting ADSSO socket ...

2012-03-09 11:45:42.285 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - opswat=3.5.2.1 dm_opswat=3.5.2.1

2012-03-09 11:45:42.329 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - SWissServer: OPSWAT SDK Path=https://10.5.33.10/perfigo_download/CCAA/opswat-win.zip

As you can see, I restarted the AD SSO service; the two bold lines are the records from trying SSO with Windows 7, without success.

The NAC Agent pops up a request for manual authentication.

Does anyone know how to solve this trouble?

If you need more information please let me know.

Regards,

Daniel Stefani



Daniel Stefani
Level 1

Hi Guys,

When I changed the files /perfigo/access/tomcat/conf/krb.txt and /perfigo/access/bin/starttomcat on the CAS according to the configuration guide:

/perfigo/access/tomcat/conf/krb.txt

[libdefaults]

kdc_timeout = 20000

default_tkt_enctypes = RC4-HMAC

default_tgs_enctypes = RC4-HMAC

permitted_enctypes = RC4-HMAC

and

/perfigo/access/bin/starttomcat

CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"

an error was generated in nac_server.log when I tried to run the SSO service.

ERROR:

2012-03-07 11:52:50.655 +0100  Thread-77 ERROR com.perfigo.wlan.jmx.adsso.GSSServer               - Unable to start server ... KDC has no support for encryption type (14)

But I remembered that during the changes I had checked the option "Use DES encryption types for this account" on the user account I'm using to run the service.

When I unchecked this option in the user account options and kept the changes to the files krb.txt and starttomcat, the SSO service started with no errors and Windows 7 users now do SSO too.

Thanks,

Daniel Stefani
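The mismatch Daniel describes (a DES-only key on the account and in the ktpass keytab, while krb.txt permits only RC4-HMAC) can be checked offline before the SSO service is restarted. The following is an added example, not code from this thread or from Cisco; it parses an MIT-format keytab such as ktpass writes, reads permitted_enctypes from a krb.txt fragment, and reports keys the CAS would never be allowed to use. The keytab bytes and the krb.txt text are constructed inside the block, and the enctype numbers are the standard Kerberos assignments.

```python
import struct
# Kerberos enctype numbers and the names krb.txt / krb5.conf uses for them
ENCTYPES = {"des-cbc-crc": 1, "des-cbc-md5": 3, "aes128-cts": 17, "aes256-cts": 18, "rc4-hmac": 23}
NAME_OF = {num: name for name, num in ENCTYPES.items()}

def _cos(data, pos):  # counted octet string: uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):  # -> [(principal, enctype)] from an MIT v2 (0x0502) keytab
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted slot; just skip it
            (ncomp,) = struct.unpack_from(">H", data, pos)
            strs, pos = [], pos + 2
            for _ in range(ncomp + 1):  # realm first, then the principal's name components
                s, pos = _cos(data, pos)
                strs.append(s)
            (etype,) = struct.unpack_from(">H", data, pos + 9)  # after name_type(4), timestamp(4), vno8(1)
            entries.append(("/".join(strs[1:]) + "@" + strs[0], etype))
        pos = end
    return entries

def permitted_enctypes(krb_txt):  # parse permitted_enctypes from a [libdefaults] fragment
    for line in krb_txt.splitlines():
        key, _, val = line.partition("=")
        if key.strip() == "permitted_enctypes":
            return {ENCTYPES[t.lower()] for t in val.split()}
    return None  # not set: the library default applies

def check_keytab_against_conf(keytab, krb_txt):  # keys the CAS could never use under this krb.txt
    allowed = permitted_enctypes(krb_txt)
    return [f"{p}: keytab key is {NAME_OF.get(e, e)}, not in permitted_enctypes"
            for p, e in parse_keytab(keytab) if allowed is not None and e not in allowed]

def make_keytab(principal, etype, key, kvno=3):  # one-entry v2 keytab (constructed test data)
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 1331293521, kvno, etype, len(key)) + key  # KRB5_NT_PRINCIPAL, timestamp
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

SPN = "NAC_USER/mydomain.net@MYDOMAIN.NET"
KRB_TXT = "[libdefaults]\npermitted_enctypes = RC4-HMAC\n"
DES_KEYTAB = make_keytab(SPN, ENCTYPES["des-cbc-md5"], bytes(8))  # constructed: DES key, as with DES in force
RC4_KEYTAB = make_keytab(SPN, ENCTYPES["rc4-hmac"], bytes(16))    # constructed: what the RC4-HMAC setup needs
```

Running check_keytab_against_conf(DES_KEYTAB, KRB_TXT) flags the DES key; the RC4 keytab passes cleanly.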

jonmarso_07
Level 1

Redo the ktpass.exe configuration and release all encryption types.

It just does not work for some users, right? If so, the problem is the encryption, and ktpass.exe needs to be rotated in AD.

If you do not know how, just look at the manual, which has it step by step.

Hi Jonatas,

Everything is working. Thanks for the reply.

Sent from Cisco Technical Support iPad App

Only one question: was it reported what the problem really was?

Otherwise, please state how this problem can happen to someone else xD.

And, if you are able, vote on whether the answer was correct xD.

Hi Jonatas,

In my case the settings were wrong, because I was setting the file krb.txt to use RC4 encryption, while "NAC_USER" (which I use to run the SSO service at the NAC) was configured to use only DES.

I think that was the problem, because when both were configured to use RC4, all Windows 7 workstations began to perform SSO.

There was no need to rerun ktpass and clean the encryption settings as you suggested.

Regards,

Daniel Stefani

Yes, perfect. I suggested this action as a solution because it is much easier, since most often people have great difficulty in accessing AD.

From the log left by the agent on the stations you could see this error, as was reported.

Glad everything is working, and congratulations on the solution.