AD SSO not happening for Remote Users

MANSOORQ123
Level 1

Dear Members


I am having an issue with the NAC deployment for remote users (users behind a WAN router).

Windows AD SSO (2008) is happening successfully for LAN users; however, remote users are not able to do AD SSO.

It is ensured that remote users, even in the unauthenticated state, can reach Active Directory. There is no filtering of this communication on any of the devices across the path.

When I use Kerbtray on the remote PC, I find no tickets at all (I am logged in through the domain).

What could be going wrong? Could it be delay (as they are WAN users) that is causing this issue, and if so, where are the parameters that can be tuned for AD SSO to happen?

Any help will be highly appreciated.

thanks

Ahad

3 Replies

Federico Ziliotto
Cisco Employee

Hi Ahad,

As long as ALL the policies in Table 8-1 are configured for the Unauthenticated Role (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1174219), the CAS should be out of the picture as far as the communication between the PC and Kerberos is concerned.

If the Kerbtray.exe output for a failing user is empty, it means that the unsuccessful users do not have any Service Ticket (ST) at all.

This points to an issue with AD (considering the fact that the CAS is already allowing all the traffic to/from AD).

The failing users are either unable to send the Ticket-Granting Ticket (TGT) to AD, or they are unable to obtain the Service Ticket (ST) from AD.

The CAS during this phase is neither performing any actions nor blocking any traffic, since all the communications to/from AD are already fully open in the unauthenticated role.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Dear Fred

Thanks for your reply,

Full TCP/UDP/ICMP is allowed for AD; the only thing remaining is "fragments", which I will allow and then check the results.

The PC has full reachability to AD. Still, if it is not able to get a TGT or SGT, is there a way to troubleshoot this in a Microsoft environment? Time is synchronized between the remote PC and AD.

Thanks again

Ahad

Thank you for confirming the settings Ahad.

The fact that local LAN users are correctly getting a ST and authenticating via AD SSO is one more indication that the configuration on the NAC side is correct, especially with regard to the traffic allowed in the Unauthenticated Role.

You might at this stage want to involve your AD admin to help you troubleshoot the Kerberos side as well.
A starting point may be to collect two synchronized Wireshark traces:
1. one on the AD server;
2. the second by spanning the port of the switch while an affected user is booting up and then logging in to Windows.
In this way you should be able to confirm whether the Kerberos traffic flows correctly: if not, you could start investigating when/where it gets interrupted.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
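The two replies above say what to look for (whether the client gets a TGT and then a ST, and where the Kerberos flow stops) but not how to read it out of a Windows client or a trace. The script below is an added example, not code from the thread or from Cisco; it is run on the affected remote PC and follows Fede's procedure, from checking which DC the client found and whether its ticket cache is really empty, through capturing the KDC exchange, to classifying the Kerberos messages in the capture. The domain name corp.example, the DC name dc01.corp.example and the capture interface number are assumptions; klist is built in from Windows 7/2008 R2 onward (on XP it comes from the Support Tools), and tshark requires Wireshark to be installed on the client.

```powershell
# Added example (not from the thread): Kerberos-side checks for a remote PC on which
# Kerbtray shows no tickets. Domain, DC and interface number below are assumptions.
$Domain = 'corp.example'            # assumed AD DNS domain / Kerberos realm
$Dc     = 'dc01.corp.example'       # assumed DC the remote site should be using
$Iface  = 1                         # assumed capture interface; list them with: tshark -D
$Pcap   = Join-Path $env:TEMP 'client_logon.pcapng'

# 1. Which DC did the remote client actually locate? A WAN subnet that is not mapped
#    to a site in AD Sites and Services can make the client pick an unexpected DC.
nltest /dsgetdc:$Domain /force

# 2. Is the machine's secure channel to the domain healthy at all?
nltest /sc_query:$Domain

# 3. Clock skew: Kerberos tolerates 5 minutes by default; beyond that the KDC
#    answers with KRB_AP_ERR_SKEW (error code 37) and no ticket is issued.
w32tm /stripchart /computer:$Dc /samples:3 /dataonly

# 4. Ticket cache as Kerbtray sees it: is there a TGT (krbtgt/<REALM>) and are there
#    any service tickets? No TGT means the AS exchange failed; a TGT but no ST means
#    the TGS exchange failed, which is the distinction drawn in the first reply.
klist tgt
klist tickets

# 5. Capture the KDC exchange (TCP and UDP port 88) for two minutes while the user
#    locks and unlocks the workstation or logs on again, then stop automatically.
tshark -i $Iface -f "port 88" -a duration:120 -w $Pcap

# 6. Classify every Kerberos message in the capture.
#    msg_type 10/11 = AS-REQ/AS-REP (obtaining the TGT),
#    msg_type 12/13 = TGS-REQ/TGS-REP (obtaining a ST), msg_type 30 = KRB-ERROR.
tshark -r $Pcap -Y "kerberos" -T fields `
    -e frame.time_relative -e ip.src -e ip.dst `
    -e kerberos.msg_type -e kerberos.CNameString -e kerberos.SNameString

# 7. Errors only. 25 (KDC_ERR_PREAUTH_REQUIRED) is normal and is followed by a retry;
#    24 = PREAUTH_FAILED, 37 = SKEW, 6/7 = unknown client/service principal,
#    52 = RESPONSE_TOO_BIG (client must retry over TCP), 68 = WRONG_REALM.
tshark -r $Pcap -Y "kerberos.msg_type == 30" -T fields `
    -e frame.time_relative -e ip.src -e kerberos.error_code -e kerberos.SNameString
```

Two patterns in step 6 are worth knowing before the AD admin is involved. If the client sends an AS-REQ or TGS-REQ and no reply of any kind arrives, the problem is on the path, not in AD; since Kerberos replies carrying a Windows PAC are frequently larger than one UDP datagram, the "fragments" policy Ahad still has disabled is the first thing to check, because a dropped fragment loses the whole reply and leaves the cache empty exactly as observed. If instead the capture shows KRB-ERROR 52 and no follow-up over TCP, the client is not falling back to TCP as it should. If requests and replies both flow and the errors are 24, 37, 6/7 or 68, the NAC side is indeed out of the picture and the cause is credentials, time or naming in AD.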