I'm having problems with the SSO process on workstations with Windows 7 and I need help to solve it.
Clean Access Manager: 4.9.0
Clean Access Server: 4.9.0
Clean Access Agent: 188.8.131.52
Compliance Module: 184.108.40.206
Windows Domain : Windows 2003 Server Full Functional Level
Status of Active Directory SSO: Started
ktpass -princ NAC_USER/mydomain.net@MYDOMAIN.NET -mapuser NAC_USER -pass mypass -out c:\nac_user.keytab -ptype KRB5_NT_PRINCIPAL
The file nac_user.keytab was created in c:\ of the DC.
I have many workstations running Windows 7 and cannot do this manual procedure on all of them.
Running the command tail -f /perfigo/access/tomcat/logs/nac_server.log on the CAS, I see the following messages during an attempt to do SSO with an unchanged Windows 7:
2012-03-09 11:45:21.231 +0100 RMI TCP Connection(481)-10.5.32.248 WARN com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...
2012-03-09 11:45:21.231 +0100 RMI TCP Connection(481)-10.5.32.248 INFO com.perfigo.wlan.jmx.adsso.GSSServer - Server starting server ...
2012-03-09 11:45:21.329 +0100 RMI TCP Connection(481)-10.5.32.248 INFO com.perfigo.wlan.jmx.adsso.GSSServer - Server is now running ...
2012-03-09 11:45:21.329 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [NAC_USER/mydomain.net@MYDOMAIN.NET]
2012-03-09 11:45:21.329 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - building kdc list for domain mydomain.net
2012-03-09 11:45:21.469 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - done building kdc list for domain mydomain.net
2012-03-09 11:45:21.469 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[srvslsdc001.mydomain.net, srvpnpdc001.mydomain.net, srvpnpdc002.mydomain.net, srvalvdc001.mydomain.net, srvtatdco001.mydomain.net, srvtatdco002.mydomain.net, srvpaldc002.mydomain.net, srvmurdc001.mydomain.net, srvnundc001.mydomain.net]
2012-03-09 11:45:21.469 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2012-03-09 11:45:21.469 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2012-03-09 11:45:21.470 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - creating login context ...
2012-03-09 11:45:21.470 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - created login context ...javax.security.auth.login.LoginContext@b55e97
2012-03-09 11:45:21.631 +0100 Thread-88 INFO com.perfigo.wlan.jmx.adsso.GSSServer - Notifying GSSServer status Started
2012-03-09 11:45:21.807 +0100 Thread-88 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer - accepting ADSSO socket ...
2012-03-09 11:45:42.285 +0100 10.5.112.140 SWissServer Thread INFO com.perfigo.wlan.jmx.swiss.SWissUtil - opswat=220.127.116.11 dm_opswat=18.104.22.168
2012-03-09 11:45:42.329 +0100 10.5.112.140 SWissServer Thread INFO com.perfigo.wlan.jmx.swiss.SWissUtil - SWissServer: OPSWAT SDK Path=https://10.5.33.10/perfigo_download/CCAA/opswat-win.zip
As we can see, I restarted the AD SSO service, and the two bold lines are the records from trying to SSO with Windows 7, without success.
The NAC Agent pops up a request for manual authentication.
Does anyone know how to solve this problem?
If you need more information please let me know.
When I changed the files /perfigo/access/tomcat/conf/krb.txt and /perfigo/access/bin/starttomcat in CAS according to the configuration guide:
kdc_timeout = 20000
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"
an error was generated in nac_server.log when I tried to run the SSO service.
2012-03-07 11:52:50.655 +0100 Thread-77 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... KDC has no support for encryption type (14)
But I remembered that during the changes, I had checked the option "Use DES encryption types for this account" on the user account I'm using to run the service.
When I unchecked this option in the user account options and kept the changes to the krb.txt and starttomcat files, the SSO service started with no errors and Windows 7 users now do SSO too.
It just does not work for some users, right? If so, the problem is the encryption and ktpass.exe has to be rotated in AD.
If you do not know, just look at the manual, which has it step by step.
Only one question: was that really the problem?
Otherwise, please state how someone else can have this problem xD.
If you are able, vote if the answer was correct xD.
In my case the settings were wrong, because I was setting the file krb.txt to use RC4 encryption, while "NAC_USER" (which I use to run the SSO service at the NAC) was configured to use only DES.
I think that was the problem, because when both were configured to use RC4, all Windows 7 workstations began to perform SSO.
There was no need to rerun ktpass and clean encryption settings you suggested.
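The root cause in this thread is an encryption-type mismatch between three places: the keytab produced by ktpass, the enctypes listed in krb.txt, and the "Use DES encryption types for this account" flag on the AD account. The "(14)" in the error line is the Kerberos error code KDC_ERR_ETYPE_NOSUPP (RFC 4120). The following script is an added example, not code from the thread or from Cisco NAC; it builds a constructed single-entry MIT keytab for the thread's SPN, parses it back, reads the enctype lines from a krb.txt fragment, and reports whether any enctype is usable by all three parties. The sample keytab key, the DES-only flag argument and the function names are assumptions made for the example.

```python
import re
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757) and their krb5-config names.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
ENCTYPE_BY_NAME = {name: num for num, name in ENCTYPE_NAMES.items()}
ENCTYPE_BY_NAME["arcfour-hmac"] = 23
DES_ENCTYPES = {1, 3}   # what "Use DES encryption types for this account" restricts an account to

# Kerberos error codes (RFC 4120 section 7.5.9) as they appear in the "(nn)" suffix of Java KrbException text.
KRB_ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                   14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
                   25: "KDC_ERR_PREAUTH_REQUIRED", 37: "KRB_AP_ERR_SKEW"}

# Constructed sample input: the krb.txt lines and the error line quoted in the thread.
SAMPLE_KRB_TXT = """kdc_timeout = 20000
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
"""
SAMPLE_LOG_LINE = ("2012-03-07 11:52:50.655 +0100 Thread-77 ERROR com.perfigo.wlan.jmx.adsso.GSSServer"
                   " - Unable to start server ... KDC has no support for encryption type (14)")


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Serialise a one-entry MIT keytab (format 0x0502); used here only to construct sample input."""
    name, realm = principal.split("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">II", 1, 0)            # name_type KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">B", kvno & 0xFF)      # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> list:
    """Return (principal, enctype, kvno) for every entry in a format 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:                            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        pos += 8                                # name_type + timestamp
        kvno = blob[pos]; pos += 1
        enctype, _klen = struct.unpack_from(">HH", blob, pos)
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
        pos = end                               # skips the key and any trailing 32-bit kvno
    return entries


def parse_enctype_config(text: str) -> dict:
    """Collect the *enctypes lines of a krb.txt / krb5.conf fragment as sets of enctype numbers."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w*enctypes)\s*=\s*(.+)", line)
        if m:
            names = m.group(2).replace(",", " ").split()
            result[m.group(1)] = {ENCTYPE_BY_NAME[n.lower()] for n in names}
    return result


def usable_enctypes(keytab_enctypes, config: dict, account_des_only: bool) -> set:
    """Enctypes that the keytab, the client-side config and the AD account flag all allow."""
    allowed = set(keytab_enctypes)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if key in config:
            allowed &= config[key]
    if account_des_only:
        allowed &= DES_ENCTYPES
    return allowed


LOG_ERROR_RE = re.compile(r"ERROR .*?GSSServer - (?P<msg>.*?)\s*\((?P<code>\d+)\)\s*$")


def classify_log_line(line: str):
    """Map a GSSServer ERROR line to (kerberos error code, symbolic name), or None if not an error."""
    m = LOG_ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return code, KRB_ERROR_CODES.get(code, "UNKNOWN")


if __name__ == "__main__":
    keytab = build_keytab("NAC_USER/mydomain.net@MYDOMAIN.NET", 23, bytes(16))   # constructed dummy key
    entries = parse_keytab(keytab)
    cfg = parse_enctype_config(SAMPLE_KRB_TXT)
    for flag in (True, False):
        ok = usable_enctypes([e[1] for e in entries], cfg, account_des_only=flag)
        print(f"DES-only flag={flag}: usable enctypes = {sorted(ENCTYPE_NAMES[e] for e in ok) or 'none'}")
    print(classify_log_line(SAMPLE_LOG_LINE))
```

With the DES-only flag set, the intersection is empty, which is exactly the state the KDC reported with KDC_ERR_ETYPE_NOSUPP; clearing the flag leaves rc4-hmac as the common enctype and matches the fix described above. Running the same check against a real keytab only needs `parse_keytab(open(path, "rb").read())`.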
Yes, perfect. I suggested this action as a solution since it is much easier, as most often one has great difficulty accessing AD.
From the log left by the agent on the stations you could see this error, as was reported.
Glad everything is working, and congratulations on the solution.