12-02-2009 01:57 AM - edited 02-21-2020 03:49 AM
Dear Sir,
I used NAC 4.7.1 and configured AD SSO with Windows 2k Server. (LDAP auth is OK.)
The SSO service is running on the CAS, but the TCP/8910 port is not listening.
How do I open the TCP/8910 port, and how do I fix it?
12-07-2009 06:50 PM
Yang,
That should be available when the SSO service is started. Is the SSO service running?
Have you bounced the perfigo service, or the server itself?
Thanks,
Faisal
12-13-2009 06:02 PM
Dear Sir,
The ADSSO service is running. I tried a service restart on the CAS, but it doesn't work on the client.
Thanks
12-14-2009 08:42 AM
Hi,
If SSO service is running, then the next thing you have to look at (if it's failing at the agent) is the ports that are open in the unauthenticated role.
Can you post a listing of those?
Can you also post the output of the following command from your CAS: nslookup
Faisal
12-15-2009 05:20 PM
12-15-2009 06:48 PM
Hi,
Two things:
- One of the DCs being returned when we do an nslookup is a 169.254 address. This means that one of your DCs has DHCP enabled on one of its interfaces and that is also being registered in your AD as a DC. This will cause problems for you, so best to have your AD cleaned up.
- You posted the netstat output. I was looking for the unauthenticated role policies. To get those, go to the CAM GUI, and click on User Roles, Traffic policies, choose unauthenticated role and hit select. The resulting page is what I wanted to see.
Faisal
12-16-2009 09:49 PM
12-17-2009 07:14 AM
Hello,
Please open traffic to ALL your DCs, and not just one, and try again.
If that doesn't work, try opening ALL IP in the unauthenticated role (just for testing) and see if AD SSO succeeds.
Faisal
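Added example, not part of the thread: one way to run the two checks Faisal describes against saved output, flagging DC records that are link-local (169.254.x.x) and DCs that the unauthenticated role does not allow traffic to. The sample nslookup text, the domain name, the allowed-destination list and all function names are constructed for illustration, and Linux-style nslookup output is assumed.

```python
import ipaddress

# Constructed sample: nslookup of the AD domain name, as run from the CAS.
SAMPLE_NSLOOKUP = """\
Server:\t\t10.1.1.10
Address:\t10.1.1.10#53

Name:\tcorp.example
Address: 10.1.1.10
Name:\tcorp.example
Address: 10.1.1.11
Name:\tcorp.example
Address: 169.254.37.5
"""

# Constructed sample: destinations allowed in the unauthenticated role.
SAMPLE_ALLOWED = ["10.1.1.10/32"]


def dc_addresses(nslookup_text):
    """Return answer addresses, skipping the resolver's own Server/Address header."""
    addrs, in_answer = [], False
    for line in nslookup_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            in_answer = True  # everything before the first Name: is the resolver
        elif key == "address" and in_answer and value:
            addrs.append(ipaddress.ip_address(value.split("#")[0]))
    return addrs


def audit(nslookup_text, allowed_cidrs):
    """Split DC records into link-local ones and ones the role does not cover."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    link_local, uncovered = [], []
    for ip in dc_addresses(nslookup_text):
        if ip.is_link_local:  # 169.254.0.0/16: stale record to clean up in AD/DNS
            link_local.append(str(ip))
        elif not any(ip in net for net in allowed):
            uncovered.append(str(ip))  # real DC the client cannot reach pre-auth
    return {"link_local": link_local, "uncovered": uncovered}


if __name__ == "__main__":
    print(audit(SAMPLE_NSLOOKUP, SAMPLE_ALLOWED))
```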
05-13-2010 11:07 AM
05-14-2010 12:37 PM
Daniel,
The screen shot shows the SSO service not starting. Post your CAS logs so we can see why.
Faisal
05-14-2010 01:41 PM
Faisal,
Thanks for your attention.
We had two problems. First of all, our AD domain had an incorrect number of IP addresses: there were more IP addresses than necessary, so first we did a clean-up there. The second thing was that I saw that machines couldn't do AD SSO because the Kerberos ticket did not appear on the machine. I used the Kerbtray program to check this, and I could figure out that there were some UDP ports that were not open.
After this everything works fine.
Thanks a lot