Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1812
Views
0
Helpful
3
Replies

NAC SSO to Domain W2K8 & W2K3

Mike Masalla
Level 1
Level 1

‎04-16-2011 04:14 AM - edited ‎02-21-2020 04:19 AM

Hi,

I am configuring SSO between CAS running at 4.8.1 ver and a MS Domain of two servers, a W2K8 R2 & a W2K3 Enterprise SP2.

The problem is I am getting error message in CAS Trace says "Unable to start server ... KDC has no support for encryption type (14). I did tried all possible encryptions in the KTpass; like +Desonly or encrypt ALL or leave encryption technique blank, but invain.

This problem wouldn't appear if I am binding the CAS to the W2K3 server, only. 

Any advise how to get out of this loop.

Many thanks

Mike

Preview file
12 KB
0 Helpful
3 Replies 3

fredyvalle
Level 1
Level 1

‎04-16-2011 06:41 PM

Hi,

What about time/date synchronization, because this can be a cause. I have an employment between AD 2008 and NAC 4.7.2

Try to synchronize with an NTP server.

Regards.

0 Helpful

a.chernomazov
Level 1
Level 1

‎04-18-2011 08:40 PM

Hi.

Your problem whith Kerberos

Check hotfix 978055 for Windows Server 2008 R2 (Active Directory)

0 Helpful

srilvemu
Cisco Employee
Cisco Employee
In response to a.chernomazov

‎04-21-2011 04:38 AM

Hi Mike,

Is the win 2k8 server running at 2003 functional level? If so, by default, 2003 functional level is not supported. You need to perform the below workaround for it to work at the windows 2003 functional level as per the below link:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1266896

For Windows 2008 Server at 2003 Server functional level:

ktpass -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass 
PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL

Note Before performing the following step, Cisco strongly recommends making a backup copy of the CAS's /perfigo/access/tomcat/conf/krb.txt file.

After running the ktpass command above, manually modify two files on the CAS as follows:

In the CAS CLI, navigate to /perfigo/access/tomcat/conf/krb.txt and add the following lines:

[libdefaults]

   kdc_timeout = 20000

   default_tkt_enctypes = RC4-HMAC

   default_tgs_enctypes = RC4-HMAC

   permitted_enctypes = RC4-HMAC

Navigate to /perfigo/access/bin/starttomcat.

Search for CATALINA_OPTS.

Add -DKRB_OVERRIDE=true to the value of CATALINA_OPTS.

For example:

     Old value: CATALINA_OPTS="-server ..."

     New Value: CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"

Restart the CAS by entering the service perfigo stop and service perfigo start commands.

P.S.: Please mark the question as answered, if it has been resolved. Do rate helpful posts. Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card