03-14-2008 06:30 AM - edited 02-21-2020 01:56 AM
Hi there,
I have 1 CAS and 1 CAM. Everything works fine if I use localDB authentication.
I tried to complete the SSO AD configuration from the CAM installation guide. The SSO service started to work successfully. I'm trying to log in to the domain - it's OK, I see the green kerbtray icon, tickets are OK, but I still receive the CCA Agent login/password screen.
AD logging looks like: (172.16.13.100 is AD server)
Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [cisco/computer-c.zozo.gov@ZOZO.GOV]
Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer buildKDCList
INFO: buildKDCList - KDC-1: computer-c.zozo.gov/172.16.13.100
Mar 14, 2008 1:10:10 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - KDC(s) : [172.16.13.100]
Mar 14, 2008 1:14:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
INFO: GSSR - Windows SSO is running
Mar 14, 2008 1:19:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
INFO: GSSR - Windows SSO is running
What may be wrong in my configuration? Local time on CAM, CAS and AD is the same, TCP/8910 on the CAS is in listening mode. I opened full IP from * to my AD Server for the Unauthenticated Role.
Regards,
Andrey
03-14-2008 08:35 AM
Oops, I found the problem.
The workstation OS version was w2003server. With w2000wks and XP my configuration is working.
Regards,
Andrey
05-30-2008 09:27 AM
I am having an issue with AD SSO. CAS talks to AD because the service is started.
1. I can log in to the domain, but the NAC agent displays the window... Windows domain authentication, but gives me a username and password window with the drop-down box as LOCAL DB.
Any help is appreciated.
06-02-2008 07:19 AM
Have you created an Authentication Server for your AD SSO?
Log on to CAM
User Management -> Authentication Server
06-10-2008 07:50 PM
Have you verified the User Login Page content setting to include "Available Providers"?
06-11-2008 06:09 AM
It worked. I was missing the VLAN mapping.
08-04-2008 10:15 AM
Hello yprasannas...
We are having the same issue with AD SSO... Logging into the domain is OK, but we get the CCA Agent login/password screen as well... We also configured VLAN mapping as well, but no luck...
I noticed VLAN mapping fixed your issue, what other things did you do?
Thanks
08-04-2008 03:19 PM
Are you running OOB Layer-3 with Real-IP gateway? Are you running 4.1.3? Are you using a Certificate Authority? If the answer is yes to all, you may want to review this: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html#wp74768. Be careful though, you may also need to apply an egress ACL to block the trusted VLAN from sending TCP-8910 to the FQDN of the OOB-CAS's Untrusted IP. Otherwise, the CCA agent may continue to send TCP-8910 to the CAS and process SSO and refresh IP continuously (looping process).
08-05-2008 06:47 AM
I answered yes to the first 2... not sure about the certificate authority... I'll take a look at the link and update... thanks for the response
12-01-2009 02:53 PM
I am having an issue with Windows Server 2008 Datacenter Core 2 64Bit and AD SSO.
I am getting the “Client not found in Kerberos database (6)” error. I confirmed that the customer has the KB951191 hot fix.
TAC is saying it is not supported on Windows 2008 64Bit, although their documentation says it IS supported with the new v4.7.1.
Anyone else running 2008 64 with similar issues?