NAC 4.7.2

estelamathew
Level 2

Hello Dears,

I'm facing issues with single sign-on only with Windows 7; the rest, Windows XP and Vista, in my network are working fine with single sign-on. I'm getting a popup 2 times for user login in Windows 7. My NAC agent version is 4.7.3.2, and the NAC version is 4.7(2).

Where am I missing something?

Thanks,

Tiago Antunes
Cisco Employee

Hi,

For Windows 7 you need to do a few things to make it work.

Please find detailed info here:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_adsso.html#wp1257882.

Hope this helps.

Tiago

==================

PS. If you found this useful please rate it!! Thanks!

Hello Tiago,

Just need to confirm:

Enable Additional Algorithms on Existing AD Servers: For Windows 7

Question: Create a new AD SSO service account according to the guidelines in Add Active Directory SSO Auth Server, page 8-6. Cisco recommends that the current AD SSO account remain unchanged to allow you to quickly switch between the original DES encryption system and this multi-algorithm option.

Answer: The existing AD SSO which is already running for Windows XP and Vista should stay as it is, and I should create a new AD SSO service account with the same authentication type, Active Directory SSO, for Windows 7? Please correct me if I'm wrong.

Question: Run KTPASS.EXE to allow multiple algorithms for this new service account.
For Windows Server 2008:
KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

Answer: After running KTPASS with the new username, I have to modify the old username of the CAS which I created in the Manager and Active Directory. Please correct me if I'm wrong.

Question: Can I use the existing username and password of the CAS that I used for running KTPASS.exe for XP and Vista? Only there will be changes at the end of the command.

Answer: KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

Thanks


Hi,

Basically there is no need to change the username when running the new ktpass, only to allow all crypto methods.

------------------------------------

Question: Can I use the existing username and password of the CAS that I used for running KTPASS.exe for XP and Vista? Only there will be changes at the end of the command.

Answer: KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

-------------------------------------

Correct.

HTH,

Tiago

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Hello Tiago

So the conclusion is only to change the command to -crypto All in KTPASS with the existing username and password.

KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

I will execute the command tomorrow in NAC and I will update the ratings.

Thank you.

Hello Dear,

Should the below command run on all domain controllers, primary and secondary? Please correct me if I'm wrong.

KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

Thanks

Hi,

Nope, only one DC is enough.

The DCs will then replicate the new user amongst each other.

If you have a single DC this is the command:

KTPASS.EXE -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

If you have multiple DCs, then use the command referring only to the domain itself:

KTPASS.EXE -princ newadsso/domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

Note that this command applies if you have Windows 2008 servers.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Dear Tiago,

I have multiple DCs, and as per your previous mail you told me not to create a new user; on the existing user we just have to run the KTPASS command with -crypto All included.

So from the following information the command will be:

Computer name: koreaAD

Domain: korea.com

NAS user: cascisco

NAS pass: cisco

So I hope the below will be the command.

KTPASS.EXE -princ cascisco/korea.com@korea.COM -mapuser cascisco -pass cisco -out c:\cascisco.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

Please confirm the above steps are correct.

Thanks

Hi,

Please pay special attention to the case of the letters.

The syntax is case sensitive, so please make sure you enter the correct letters on the domain, for example.

I believe it should be something like:

KTPASS.EXE -princ cascisco/korea.com@KOREA.COM -mapuser cascisco -pass cisco -out c:\cascisco.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

HTH,

Tiago
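The two pitfalls raised in this thread, the realm case in -princ and a keytab that still only carries the original DES keys instead of the multi-algorithm set that -crypto All produces, can both be checked on the keytab file itself before the CAS is reconfigured. The script below is an added example, not code from this thread or from Cisco: it parses the MIT 0x0502 keytab layout that ktpass writes, reports the encryption types present, and flags a lower-case realm; the principal cascisco/korea.com@KOREA.COM and the keys are a constructed in-memory fixture, not a real keytab.

```python
import struct

def parse_keytab(data):
    """Parse an MIT (0x0502) keytab, the format ktpass writes, into (principal, realm, enctype, kvno)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    def take(n):                            # read n bytes and advance the cursor
        nonlocal pos
        pos += n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        size = struct.unpack(">i", take(4))[0]
        if size <= 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        strings = []                        # realm first, then the name components
        for _ in range(struct.unpack(">H", take(2))[0] + 1):
            strings.append(take(struct.unpack(">H", take(2))[0]).decode())
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", take(9))
        enctype, klen = struct.unpack(">HH", take(4))
        take(klen)                          # skip the key material itself
        kvno = struct.unpack(">I", take(4))[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strings[1:]), strings[0], enctype, kvno))
        pos = end
    return entries

def check_keytab(data):                     # -> (sorted enctypes, list of findings)
    entries = parse_keytab(data)
    findings = []
    if any(realm != realm.upper() for _, realm, _, _ in entries):
        findings.append("realm is not upper case; -princ must end in @DOMAIN.COM")
    etypes = {e for _, _, e, _ in entries}
    if etypes <= {1, 3}:                    # des-cbc-crc/des-cbc-md5; AES is 17/18, RC4 is 23
        findings.append("no non-DES keys present; re-run ktpass with -crypto All")
    return sorted(etypes), findings

def build_keytab(principal, realm, keys, kvno=3):   # constructed fixture, not ktpass output
    comps, out = principal.split("/"), b"\x05\x02"
    for enctype, key in keys:
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno)   # KRB5_NT_PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

SAMPLE = build_keytab("cascisco/korea.com", "KOREA.COM", [(3, b"\x01" * 8), (23, b"\x02" * 16), (18, b"\x04" * 32)])
```

To check a real file, call check_keytab(open(r"c:\cascisco.keytab", "rb").read()); an empty findings list means the realm is upper case and at least one non-DES key is present.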

Hello Expert,

You are the real expert; such crucial information can be given only by those who have worked a lot on NAC. Thanks for the precious reply and the hint on case sensitivity; I will apply the command with the existing username and password and update the ratings.

Thanks,

truongthanhsang
Level 1

Hello Tiago,

I'm configuring my NAC with Windows 2008 SP2.

I use ktpass file version 6.0.6002.18005.

KTPASS.EXE -princ newadsso/domain.com@DOMAIN.COM -mapuser newadsso -pass Passw0rdText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

But the ADSSO service still doesn't start. Please help me!!

Thank you so much!
