10-12-2010 03:42 AM - edited 02-21-2020 04:06 AM
Hello Dears,
I'm facing issues with single sign-on only with Windows 7; the Windows XP and Vista machines in my network are working fine with single sign-on. I'm getting the user login popup 2 times in Windows 7. My NAC agent version is 4.7.3.2 and the NAC version is 4.7.(2).
Where am I missing something?
Thanks,
10-12-2010 05:15 AM
Hi,
For Windows 7 you need to do a few things to make it work.
Please find detailed info here:
Hope this helps.
Tiago
==================
PS. If you found this useful please rate it!! Thanks!
10-14-2010 03:23 AM
Hello Tiago,
Just need to confirm:
Enable Additional Algorithms on Existing AD Servers: For Windows 7
Question: Create a new AD SSO service account according to the guidelines in Add Active Directory SSO Auth Server, page 8-6. Cisco recommends that the current AD SSO account remain unchanged to allow you to quickly switch between the original DES encryption system and this multi-algorithm option.
Answer: The existing AD SSO account which is already running for Windows XP and Vista should stay as it is, and I should create a new AD SSO service account with the same authentication type, Active Directory SSO, for Windows 7. Please correct me if I'm wrong?
Question: Run KTPASS.EXE to allow multiple algorithms for this new service account
For Windows Server 2008:
KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Answer: After running KTPASS with the new username I have to modify the old username of the CAS which I have created in the Manager and Active Directory. Please correct me if I'm wrong?
Question: Can I use the existing username and password of the CAS that I used for running KTPASS.exe for XP and Vista? Only the end of the command will change.
Answer: KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Thanks
10-14-2010 03:29 AM
Hi,
Basically there is no need to change the username when running the new ktpass, only to allow all crypto methods.
------------------------------------
Question: Can I use the existing username and password of the CAS that I used for running KTPASS.exe for XP and Vista? Only the end of the command will change.
Answer: KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
-------------------------------------
Correct.
HTH,
Tiago
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
10-14-2010 08:16 AM
Hello Tiago
So the conclusion is only to change the command to include -crypto All in KTPASS, with the existing username and password.
KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
I will execute the command tomorrow in NAC and I will update the ratings.
Thank you.
10-16-2010 11:08 PM
Hello Dear,
Should the command below be run on all domain controllers, primary and secondary? Please correct me if I'm wrong.
KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Thanks
10-16-2010 11:27 PM
Hi,
Nope, only in one DC is enough.
The DCs will then replicate the new user amongst each other.
If you have a single DC this is the command:
KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
If you have multiple DCs, then use the command referring only to the domain itself:
KTPASS.EXE -princ newadsso/domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Note that this command is if you have windows 2008 servers.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
10-17-2010 01:34 AM
Dear Tiago,
I have multiple DCs and, as per your previous mail, you told me not to create a new user; on the existing user we just have to run the KTPASS command with -crypto All included.
So from the following information the command will be:
Computer name: koreaAD
Domain: korea.com
NAS user: cascisco
NAS pass: cisco
So I hope the command will be as below.
KTPASS.EXE -princ cascisco/korea.com@korea.COM -mapuser cascisco -pass cisco -out c:\cascisco.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Please confirm the above steps are correct.
Thanks
10-17-2010 01:41 AM
Hi,
Please pay special attention to the case of the letters.
The syntax is case sensitive, so please make sure you enter the correct letters, in the domain for example.
I believe it should be something like:
KTPASS.EXE -princ cascisco/korea.com@KOREA.COM -mapuser cascisco -pass cisco -out c:\cascisco.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
HTH,
Tiago
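Added example, not part of the original thread and not Cisco or Microsoft tooling: a small Python check for the points raised in the replies above (upper-case realm after the @, the domain-only or adserver.domain instance, and -crypto All). The function name check_ktpass is hypothetical, the sample commands are constructed from the values used in the thread, and the -mapuser rule is an assumption based on the commands shown.

```python
import re

# Added illustration: hypothetical helper, constructed sample commands.
PRINC_RE = re.compile(r"^([^/@\s]+)/([^/@\s]+)@([^/@\s]+)$")


def check_ktpass(cmd, domain):
    """Return findings for a ktpass command line; an empty list means it passed."""
    # Switches pasted from formatted pages may carry typographic dashes.
    tokens = re.sub("[\u2013\u2014\u2212]", "-", cmd).split()
    opts = {t[1:].lower(): v for t, v in zip(tokens, tokens[1:]) if t.startswith("-")}
    findings = []

    m = PRINC_RE.match(opts.get("princ", ""))
    if not m:
        return ["-princ must look like account/instance@REALM"]
    account, instance, realm = m.groups()
    inst, dom = instance.lower(), domain.lower()

    # The realm after '@' is case sensitive: the AD domain in upper case.
    if realm != domain.upper():
        findings.append(f"realm '{realm}' should be '{domain.upper()}'")
    # Instance is the domain (multiple DCs) or adserver.domain (single DC).
    if inst != dom and not inst.endswith("." + dom):
        findings.append(f"instance '{instance}' is not {domain} or a host in it")
    # Assumption: the mapped account is the one named in the principal,
    # as in every command in the thread.
    if opts.get("mapuser") != account:
        findings.append("-mapuser differs from the account in -princ")
    if opts.get("ptype") != "KRB5_NT_PRINCIPAL":
        findings.append("-ptype should be KRB5_NT_PRINCIPAL")
    # Windows 7 clients need the additional algorithms enabled.
    if opts.get("crypto", "").lower() != "all":
        findings.append("-crypto All is missing")
    return findings


# Constructed samples built from the thread's placeholder values.
GOOD = ("KTPASS.EXE -princ cascisco/korea.com@KOREA.COM -mapuser cascisco "
        "-pass PasswordText -out c:\\cascisco.keytab "
        "-ptype KRB5_NT_PRINCIPAL -crypto All")
BAD_REALM = GOOD.replace("@KOREA.COM", "@korea.COM")
NO_CRYPTO = GOOD.replace(" -crypto All", "")

if __name__ == "__main__":
    for name, cmd in (("good", GOOD), ("bad realm", BAD_REALM), ("no crypto", NO_CRYPTO)):
        print(name, check_ktpass(cmd, "korea.com"))
```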
10-17-2010 02:20 AM
Hello Expert,
You are the real expert; such crucial information can be given only by those who have worked a lot on NAC. Thanks for the precious reply and the hint on case sensitivity. I will apply the command with the existing username and password and update the ratings.
Thanks,
11-15-2011 01:31 AM
Hello Tiago,
I'm configuring my NAC with Windows 2008 SP2.
I use ktpass file version 6.0.6002.18005
KTPASS.EXE -princ newadsso/domain.com@DOMAIN.COM -mapuser newadsso -pass Passw0rdText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
But the ADSSO service still doesn't start. Please help me!
Thank you so much!