Nac Guest - Single Sign On - ERROR

"Failed to create computer account for this server on the Domain Controller. See application log for details"

Hello people,

I have a Cisco NAC Guest configured at my customer with Sponsor authentication that works with Active Directory (Group Mapped), and it works fine.

The Cisco NAC Guest hostname and the Active Directory hostname both have full DNS resolution (by IP address or by name - PTR record).

The NTP is configured, and the time is synchronized.

The user account is the same one that I used to add the Active Directory servers, BUT this user is not an AD admin account. It is a common account that has read permissions.

To do Single Sign-On, the documentation says to use an "administrative AD account". (This is a BIG problem because, for security reasons, the customer will hardly hand over this account for use.)

However, the ERROR message is related to a DNS issue according to the documentation ( http://www.cisco.com/image/gif/paws/109602/config-ad-sso-nac.pdf )

In the application logs we have this message:

"Failed to create computer account for this server on the Domain Controller:;  Error: gethostbyaddr failed; Error: gethostbyaddr failed; Error: gethostbyaddr  failed; Error: gethostbyaddr failed"

Domain Controller pings:

C:\Users\tpaula>ping -a 10.80.3.112

Disparando abneawdcp001.customerdomain.com.br [10.80.3.112] com 32 bytes de dados:
Resposta de 10.80.3.112: bytes=32 tempo=2ms TTL=127
Resposta de 10.80.3.112: bytes=32 tempo=3ms TTL=127
Resposta de 10.80.3.112: bytes=32 tempo=3ms TTL=127
Resposta de 10.80.3.112: bytes=32 tempo=2ms TTL=127

==========================================================

C:\Users\tpaula>ping abneawdcp001.gabril.com.br

Disparando abneawdcp001.customerdomain.com.br [10.80.3.112] com 32 bytes de dados:
Resposta de 10.80.3.112: bytes=32 tempo=2ms TTL=127
Resposta de 10.80.3.112: bytes=32 tempo=3ms TTL=127
Resposta de 10.80.3.112: bytes=32 tempo=3ms TTL=127
Resposta de 10.80.3.112: bytes=32 tempo=3ms TTL=127

Does somebody have any idea about this? May it be the configuration on the DNS server, or something related to the account used to do Single Sign-On?

I thank you for any help.
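The "gethostbyaddr failed" text in the application log is a reverse (PTR) lookup failing on the appliance itself, which can differ from what a Windows client's ping -a shows. The following is an added example, not code from the original post or from Cisco, that performs a forward-confirmed reverse DNS check for the DC name and address quoted above; the injectable resolver hooks are an assumption of this example so the logic can also be exercised with stubbed results.

```python
import socket
from typing import Callable, List, Tuple

# Resolver hooks (an assumption of this example, not anything from NGS): they
# default to the system resolver, the same path gethostbyaddr() uses on the
# appliance, but can be replaced with stubs for offline checks.
ReverseFn = Callable[[str], str]        # ip -> hostname from the PTR record
ForwardFn = Callable[[str], List[str]]  # hostname -> IPv4 addresses (A records)


def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def system_forward(name: str) -> List[str]:
    addrs: List[str] = []
    for info in socket.getaddrinfo(name, None, socket.AF_INET):
        if info[4][0] not in addrs:
            addrs.append(info[4][0])
    return addrs


def check_dc_dns(expected_fqdn: str, ip: str,
                 reverse: ReverseFn = system_reverse,
                 forward: ForwardFn = system_forward) -> Tuple[bool, List[str]]:
    """Forward-confirmed reverse DNS check for a domain controller.

    Passes only when the PTR for `ip` names `expected_fqdn` and that name
    resolves back to `ip`. Every defect found is listed in the findings."""
    findings: List[str] = []
    try:
        ptr = reverse(ip)
    except OSError as exc:  # socket.herror / socket.gaierror are OSError subclasses
        # This is the condition behind "Error: gethostbyaddr failed" in the log.
        findings.append(f"PTR lookup for {ip} failed: {exc}")
        return False, findings
    if ptr.rstrip(".").lower() != expected_fqdn.rstrip(".").lower():
        findings.append(f"PTR for {ip} is {ptr!r}, expected {expected_fqdn!r}")
    try:
        addrs = forward(ptr)
    except OSError as exc:
        findings.append(f"forward lookup of PTR name {ptr!r} failed: {exc}")
        return False, findings
    if ip not in addrs:
        findings.append(f"{ptr} resolves to {addrs}, which does not include {ip}")
    return not findings, findings


if __name__ == "__main__":
    # DC name and address as quoted in the post above; run this on the NGS host.
    ok, findings = check_dc_dns("abneawdcp001.customerdomain.com.br", "10.80.3.112")
    print("OK" if ok else "FAIL")
    for line in findings:
        print(" -", line)
```

Run it from the appliance (or any host using the appliance's DNS servers) rather than from a workstation, since a failing PTR zone only shows up from the resolver the NGS actually uses.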

3 Replies

Tarik Admani
VIP Alumni

Tiago,

You will have to have an account that will be able to add the NGS to the domain; if the NGS is unable to create its own account, then it will not be able to authenticate users via SSO. Please let your client know that he will need an admin account in order to allow the NGS to join the domain.

I disagree with the documentation pointing to DNS as the only reason for the error; you can use the account permissions that ISE needs in order to join the domain, as this should work. Also, what version of NGS are you running, and what version is the domain controller you are trying to connect to?

The Active Directory username that you provide while joining an Active Directory domain should be predefined in Active Directory and should have any one of the following permissions:

Add the workstation to the domain to which you are trying to connect.

On the computer where the Cisco ISE account was created, establish permissions for creating computer objects or deleting computer objects before you join Cisco ISE to the domain.

Permissions for searching users and groups that are required for authentication.

Thanks

Tarik Admani

jonmarso_07
Level 1

You need an account to be able to add and remove people and machines in the domain.

The user you are using must have fewer privileges.

Tiago,

Let us know if this worked. SSO with NGS can be tricky, and if you were able to find anything helpful, please let us know so that future users can find this helpful.

Thanks,

Tarik Admani
