11-19-2009 05:27 PM - edited 02-21-2020 03:48 AM
Hi All,
I'm handling a NAC (CAS and CAM ver 4.5) to be implemented on a production network. The network has two working AD servers, one acting as back-up. We want to configure the NAC to be able to run ADSSO even if the active AD fails, so we configured NAC to run ADSSO on multiple servers. I followed the documents, ran ktpass for multiple ADs, and installed kerbtray to see the Kerberos tickets, but I'm still puzzled by the problem. My CAS shows that the ADSSO service is already started, but my workstation cannot perform single sign-on. After the "performing AD authentication" window, the agent then reverts back to a local account. Please help, guys. I'm willing to share other details about this. Thanks.
Regards,
Dan
11-20-2009 12:58 PM
Dan,
If the service is started and SSO is still failing, check for open ports on your unauthenticated traffic policy. For testing you can open all IP, and if that works, then look closely at the documented port openings and have them open.
HTH,
Faisal
11-22-2009 07:31 PM
Hi Faisal,
The Unauthorized role is already in an all-traffic-enabled policy. My problem is that the KT that is shown on the workstation is different from the one I created using ktpass, although I matched the cases of the domain and the one in the ktpass. I would deeply appreciate it if you can help. Thanks.
Regards,
Dan
11-23-2009 07:28 AM
Dan,
Do you still have the text of the ktpass run you did on that account?
Faisal
11-20-2009 02:40 PM
Make sure to check "Domain" instead of "single AD server" on the CAS authentication page.
Alex
11-23-2009 10:10 AM
Check the syntax of ktpass.
Also make sure the DCs and the CAS are synchronised to the same time source (or the CAS is synched to the DC itself).