12-08-2010 03:07 AM - edited 03-09-2019 11:18 PM
Hello Everyone
I need your expertise to help me in this scenario.
AD-SSO service is shown as started on CAS; however, CAS is not listening on port 8910, which is a must for AD-SSO to work. How can I force CAS to listen on port 8910?
Here are more details.
I have Windows 2008 SP2 as my AD, and CAM/CAS running ver 4.8. Agent is also 4.8.0.32.
AD-SSO Service is successfully started on the CAM (after ktpass execution & standard procedure for integration). However, clients are not able to perform SSO.
When I log in to the domain, I get logged in, but after a few seconds the NAC agent pops up. I enter my domain credentials; they are not accepted. When I configured a local username/password, it is accepted and posture validation happens successfully as per the defined policies.
Many things have already been checked:
1: Client has exactly same time as AD, CAM/CAS.
2: Client is receiving the kerberos service Ticket as checked through kerbtray.
3: I am logging in through the domain and not through PC local credentials.
4: However, the only thing I found missing is that the CAS trusted interface is not listening on port 8910.
When I log in to the CAS through SSH and run "netstat -a | grep 8910", it shows nothing; however, it shows that 8905 & 8906 are properly running.
Since CAS itself is not listening on port 8910, AD-SSO is not possible, but how can I enable this port on CAS?
Traffic Policy for my unauthenticated role is allowing all TCP/UDP & ICMP Traffic towards Active Directory.
Any input will be highly appreciated.
Thanks
Ahad
Message was edited by: MANSOORQ123 Dear Members, I have added some relevant logs as asked by the members, please have a look. Thanks - Ahad
12-08-2010 05:27 AM
Hi,
Can you enable trace loglevel on CAS and stop/start the service?
Share with us the CAS debugs and the Agent debugs.
We can give you more hints about what is going wrong...
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-11-2010 11:54 AM
Dear Tiago
Thanks for your time to look into the case. I have uploaded the needed files:
Nac Agent Logs
NAC Server Logs ( clearly showing that AD SSO is running)
Configuration Snapshot.
Please have a look at them and let me know your findings.
Thanks
Ahad
12-12-2010 11:50 AM
Hi,
It looks like the CAS could not complete the AD SSO connection to the AD.
In the logs we see this:
...
2010-12-11 14:51:15.196 +0300 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... Client not found in Kerberos database (6)
...
This means that the account used for the CAS, i.e., the one for which you have run the ktpass was not properly setup on the domain...
Can you please clarify what is the windows server version of the AD? 2003/2008? SP? R?
What version of ktpass did you use?
Are you using a single DC or domain configuration for the CAS user / AD SSO configuration?
I would double-check the ktpass version to make sure it is the correct one as it depends on the OS version.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-12-2010 02:26 PM
Dear Tiago
Thanks again for your feedback.
Let me add some input.
The error "client not found in kerberos database" was received when we tried with a newly created username/password on the AD, suspecting that the old username/password might have had some problem. Earlier logs show that AD SSO was running. Here are a few logs from the same file (in the NAC Server Logs, these are marked in green):
2010-12-11 00:35:43.260 +0300 INFO com.perfigo.wlan.jmx.adsso.GSSRetrier - GSSR - Windows SSO is running
2010-12-11 00:40:43.303 +0300 INFO com.perfigo.wlan.jmx.adsso.GSSRetrier - GSSR - Windows SSO is running
Further these are the details.
Windows 2008 Enterprise R2 64 bit operating System
AD SSO is configured for a single DC.
KTPass Version: 6.1.7600.16385
Further, the account used on the AD has "Kerberos pre-authentication disabled" as mentioned in the config guide.
Please check the attached files.
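Tiago reads the GSSServer error quoted above as the CAS principal being unknown to the KDC, while the GSSRetrier lines show the state before that. As an added example (not from this thread or from Cisco), the following Python parses CAS log lines in the format quoted here and reports the most recent AD-SSO state plus any adsso errors; the sample lines are constructed from the thread's excerpts, and the regex, the logger-prefix filter and the hint text are assumptions about the format rather than documented CAS behaviour.

```python
import re

# Matches the CAS log format quoted in the thread:
#   2010-12-11 14:51:15.196 +0300 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
ADSSO_LOGGER_PREFIX = "com.perfigo.wlan.jmx.adsso."  # assumed: GSS* loggers live here
RUNNING_MARKER = "Windows SSO is running"
# Kerberos error 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): the KDC has no account for the
# principal the CAS presented, i.e. the account ktpass was run against.
PRINCIPAL_UNKNOWN = "Client not found in Kerberos database"


def parse_line(line):
    """Return the fields of one CAS log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def adsso_status(lines):
    """Summarise AD-SSO state from CAS log lines in the order they were written."""
    last_running, errors, latest_ok = None, [], False
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["logger"].startswith(ADSSO_LOGGER_PREFIX):
            continue  # not an AD-SSO (GSS) component line
        if RUNNING_MARKER in rec["msg"]:
            last_running, latest_ok = rec["ts"], True
        elif rec["level"] == "ERROR":
            errors.append((rec["ts"], rec["logger"].rsplit(".", 1)[-1], rec["msg"]))
            latest_ok = False
    hints = []
    if any(PRINCIPAL_UNKNOWN in msg for _, _, msg in errors):
        hints.append("GSSServer failed to start because the KDC does not know the CAS "
                     "principal: verify the AD account the keytab was built for and the ktpass version")
    return {"running": latest_ok, "last_running": last_running,
            "errors": errors, "hints": hints}


# Constructed sample in the format of the thread's excerpts (not a real capture).
SAMPLE_LOG = """\
2010-12-11 00:35:43.260 +0300 INFO com.perfigo.wlan.jmx.adsso.GSSRetrier - GSSR - Windows SSO is running
2010-12-11 00:40:43.303 +0300 INFO com.perfigo.wlan.jmx.adsso.GSSRetrier - GSSR - Windows SSO is running
2010-12-11 00:41:00.000 +0300 INFO com.perfigo.wlan.jmx.other.Heartbeat - tick
2010-12-11 14:51:15.196 +0300 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... Client not found in Kerberos database (6)
""".splitlines()
```

Run `adsso_status(SAMPLE_LOG)` to see that the last confirmed "running" timestamp survives even though the most recent adsso event is the GSSServer failure, which is exactly the sequence described in this post.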
12-09-2010 04:34 AM
Hi,
Did you configure the traffic that needs to be allowed to go from Untrusted to Trusted in the Unauthenticated role?
Info from config guide page 7-21
Add IP traffic control policies for the Unauthenticated role to allow users on the untrusted side access to the domain controllers on the trusted network. Typical policies may include allowing TCP and UDP traffic for each controller (IP address and 255.255.255.255 mask) for ports 88 (Kerberos), 135 (DCE endpoint resolution), 139 (netbios-ssn), 389 (LDAP), 445 (smb-tcp). See Chapter 8, "User Management: Traffic Control, Bandwidth, Schedule."
I'm permitting the following ports on a config where SSO is working fine:
TCP and UDP 88,135,389,1025,1026,8910
Best Regards
12-11-2010 11:51 AM
Dear Luciano
Yes, I have allowed all TCP/UDP & ICMP traffic towards Active Directory (10.10.12.10) in the unauthenticated role (from untrusted to trusted interface).
I have uploaded some snapshots; if you can, please have a look and let me know what part exactly I am missing.