KTPASS error
11-13-2010 11:30 PM - edited 03-09-2019 11:15 PM
Hello
When I run the Ktpass command in the Windows command prompt, I get the error below.
C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK -mapuser casuser -pass cisco123 -out c:\casuser.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
DsCrackNames returned 0x2 in the name entry for casuser.
ktpass:failed getting target domain for specified user.
There are two files in the Support Tools folder, Ktsetup.exe and ktpass; the version of ktsetup.exe is 5.2.3790.0 and the version of ktpass is 5.2.3790.3959.
Can anybody help me with the error below?
11-14-2010 05:23 AM
Estela,
Assuming that your NETBIOS domain name is RUSHOM, change the line to the following:
C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK -mapuser RUSHOM\casuser -pass cisco123 -out c:\casuser.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
HTH,
Faisal
--
If you find this post helpful, please rate so others can find the answer easily
11-14-2010 07:00 AM
Hello Faisal,
I'm getting the same error. What am I missing?
Thanks
11-14-2010 08:08 AM
Estela,
What AD are you on? 2k3 or 2k8?
You can try to modify it further like this:
C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK -mapuser casuser@rus.hom.gov.uk -pass cisco123 -out c:\casuser.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
HTH,
Faisal
--
If you find this post helpful, please rate so others can find the answer easily
11-14-2010 02:10 PM
Hello Faisal,
C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.OM -mapuser casuser@rus.hom.gov.uk -pass cisco123 -out c:\casuser.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
Targeting domain controller: ruspdc.rus.hom.gov.uk
Successfully mapped casuser/ruspdc.rus.hom.gov.uk to casuser.
Password succesfully set!
Key created.
Output keytab to c:\casuser.keytab:
Keytab version: 0x502
keysize 81 casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xa6bff48bf06f43ae7fb903ce7b00eea2)
Account casuser has been set for DES-only encryption
IT IS WIN 2K3
The user is mapped successfully, as you can see in the above output, but I'm getting the error below when I enable the check box "Enable Agent-Based Windows Single Sign-On with Active Directory":
Error : Could not start the SSO service. Please check the configuration.
Troubleshooting I did:
- CAS and CAM are both pingable from AD.
- Time difference is only 1 sec between the CAM & CAS and AD.
- The casuser password in AD is correct.
- The ktpass run before was successful, as shown by the above output.
In support logs I see the below error:
com.perfigo.wlan.jmx.adsso.GSSServer
I think I should use NetBIOS SSO instead of Active Directory SSO, according to the NetBIOS hints in your previous mail. Please correct me if I'm wrong.
Enable Transparent Windows Single Sign-On with NetBIOS/SMB <------ I should enable check box here.
Thanks.
11-14-2010 11:32 PM
Hi Estela,
Please be aware that version 5.2.3790.3959 will not work with Win2k3 and CCA AD SSO.
The correct version is 5.2.3790.0, and I am attaching it in this post (extract it and please rename it as "ktpass.exe").
Replace the ktpass file and run the command as shown below:
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-15-2010 01:24 PM
Hello Tiago,
I have done as you said with your Ktpass.exe; it is giving the error below.
C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK -mapuser casuser -pass cisco123 -out c:\casuser.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
DsCrackNames returned 0x2 in the name entry for casuser.
Hello Faisal,
After changing the Ktpass.exe to Tiago's version, when I run the ktpass.exe command according to your advice in the previous mail, I get the error below.
C:\Program Files\Support Tools>ktpass.exe -princ casuser/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK -mapuser casuser@rus.hom.gov.uk -pass cisco123 -out c:\casuser.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
Targeting domain controller: ruspdc.rus.hom.gov.uk
Failed to set property "servicePrincipalName" to "casuser/ruspdc.rus.hom.gov.uk" on Dn "CN=CAS NAC,CN=Users,DC=rus,DC=hom,DC=gov,DC=uk": 0x14.
WARNING: Unable to set SPN mapping data.
If casuser already has an SPN mapping installed for casuser/ruspdc.rus.hom.gov.uk, this is no cause for concern.
Before, the ktpass was successful, but after changing it, it is not. What are your comments, experts? Please help.
Thanks
11-16-2010 12:31 AM
Hi Estela,
I would advise deleting the casuser and creating a new one with a different name, then following these steps:
1. Open Active Directory Management console
2. Create a user for CAS (eg: User: cas1sso, Password: cisco123)
3. Make sure FirstName = LastName = FullName = Username for the account
4. Check "Password never expires"
5. Uncheck "User must change password at next logon"
6. Execute the following command
ktpass.exe -princ cas1sso/dcse.se.cca.cisco.com@SE.CCA.CISCO.COM -mapuser ssose -pass Cisco123 -out c:\ssose.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
C:\Program Files\Support Tools>ktpass.exe -princ cas1sso/ruspdc.rus.hom.gov.uk@RUS.HOM.GOV.UK -mapuser cas1sso -pass cisco123 -out c:\cas1sso.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-16-2010 01:28 AM
Hello Tiago,
Still the same error.
DsCrackNames returned 0x2 in the name entry for nac
I have given full rights for this user as an enterprise admin.
Thanks
11-16-2010 01:35 AM
Hum... this starts to be strange...
Are you sure the OS is Windows Server 2003?
Any SP?
You may want to consider opening a TAC case for deeper troubleshooting...
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-16-2010 02:00 AM
Hello Tiago,
WIN 2003 R2 Enterprise Edition SP2.
Thanks
11-17-2010 12:28 AM
Hi Estela,
OK then, I confirm that the version of ktpass I provided to you is the correct one, "5.2.3790.0".
If it is still giving the error, then I believe it is time to open a case with TAC.
Thanks,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-17-2012 06:11 AM
Anyone get this working?
Is Cisco NAC not supported on Windows 2008?
We get a similar error to the above!
Targeting domain controller: domain.controller
Failed to set property "servicePrincipalName" to "nacsso/domain.controller.domain.com" on Dn "CN=nacsso,CN=Users,DC=Domain.Controller,DC=domain,DC=com: 0x32.
WARNING: Unable to set SPN mapping data.
