02-18-2011 09:49 AM - edited 03-09-2019 11:24 PM
Hi all,
I've been having trouble with AD SSO on NAC deployed in L2 OOB VG mode.
Users are getting a message that says:
Unknown user
Please contact your administrator if the problem persists.
I check the event logs in the NAC Manager and it says "Unknown user via ADSSO, [MAC_ADDRESS ## IP_ADDRESS] user@DOMAIN"
The AD SSO service is shown as "started" for the NAC Server; however, running the command "netstat -a | grep 8910" at the terminal returns nothing.
I also tried an auth test to see if there was a problem with the agent, but that shows up with the same "unknown user" error.
I tried creating an LDAP authentication server with the same options as the LDAP lookup server for AD SSO and I get the same error.
The AD SSO was working a few days ago and the System Admin says he hasn't changed anything in the domain controller. I haven't changed anything else in the NAC config except I started rolling it out to more users.
Anyone have any idea what the problem could be?
02-18-2011 02:16 PM
This got resolved by the way. The problem was on the domain controller end.
02-18-2011 04:41 PM
Hi, could you share what you changed in the AD? I have the same problem. I know that the issue is in AD because of a Windows update, but I uninstalled the security patches and still have the problem.
02-21-2011 05:52 AM
Hi huicab,
The problem was that the LDAP user in the AD was in the wrong OU. I'm not the sys admin so I'm just telling you what he told me lol.
We sniffed the port of the AD server and he realised that the credentials were being denied by AD even though no failed login attempts were logged in the system (weird =/). So he did some stuff on the user, double-checked the password and all the other values, and it started working. I have no clue how it stopped working, though. Now that you mention it, it was probably a security patch in the domain controller that stops users in a certain OU, or outside of a certain OU, from doing certain stuff. I dunno, I'm really not a Windows guy, but I'd recommend using Wireshark to sniff the Domain Controller's NIC at the time of the AD SSO login attempts to see what packets it gets and what reply it sends out; then you can take action from there.
Hope this helps!
~ Xavier
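The three checks the thread walks through (is the AD SSO service really bound to TCP 8910, does the LDAP account bind to the DC on its own, and what does the DC see during an SSO attempt) collected into one script. This is an added example, not Cisco's tooling or the posters' code; it assumes a Linux-based NAC Server with netstat, ldapsearch and tcpdump available, and the DC hostname, bind DN, base DN and interface are placeholder arguments. The listener check deliberately matches the local-address column and the LISTEN state, because the `netstat -a | grep 8910` from the original post also matches port 18910 or a client connection going *to* 8910.

```shell
#!/bin/sh
# Added diagnostic helper for the NAC AD SSO "Unknown user" symptom (not Cisco's code).
# Assumptions: Linux NAC Server, netstat/ldapsearch/tcpdump installed, placeholder hosts and DNs.

# 1. Is a service actually listening on TCP port $1?
#    Reads "netstat -ant"-style output on stdin; returns 0 if a LISTEN socket on that port exists.
#    Only the local-address column (field 4) is inspected, so 18910 or a remote :8910 do not match.
listening_on() {
    port="$1"
    awk -v p="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")      # last piece after ":" is the port (works for tcp6 too)
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Wrapper for the live check on the NAC Server (service "started" is not the same as bound).
check_sso_listener() {
    if netstat -ant 2>/dev/null | listening_on 8910; then
        echo "AD SSO listener present on tcp/8910"
    else
        echo "no LISTEN socket on tcp/8910: the AD SSO service is not actually up" >&2
        return 1
    fi
}

# 2. Bind to the DC with the LDAP lookup account, independently of NAC.
#    Arguments: dc-host bind-dn base-dn password. A failure here reproduces the
#    "credentials denied by AD" that the thread only found by sniffing the DC.
test_ldap_bind() {
    dc="$1"; bind_dn="$2"; base_dn="$3"; pass="$4"
    ldapsearch -x -H "ldap://$dc" -D "$bind_dn" -w "$pass" \
        -b "$base_dn" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# 3. Capture what the DC receives from the NAC Server during an SSO attempt.
#    Run on the DC (or a SPAN port): Kerberos 88, LDAP 389/636, global catalog 3268.
#    Arguments: nac-server-ip [interface] [output-file]; open the pcap in Wireshark.
capture_dc_auth() {
    nac_ip="$1"; iface="${2:-eth0}"; out="${3:-adsso.pcap}"
    tcpdump -i "$iface" -w "$out" \
        "host $nac_ip and (port 88 or port 389 or port 636 or port 3268)"
}
```

Run `check_sso_listener` on the NAC Server first; a missing listener and a DC-side credential denial are separate faults, and the thread shows both at once. If the bind in step 2 fails while the DC logs nothing, the capture in step 3 is what shows the actual error returned to the NAC Server.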