There are many possible reasons for extended authentication with Active Directory (AD) to fail for a VPN client, but one of the common reasons is the Do not require Kerberos pre-authentication setting under the user profile in AD.
The Do not require Kerberos pre-authentication setting overrides the default, under which the Kerberos Key Distribution Center requires all accounts to use pre-authentication. The default setting makes offline password-guessing attacks very difficult. You can choose to override the default setting for individual accounts when necessary for compatibility with other implementations of the protocol.
Complete these steps in order to resolve this issue:
1. Open Active Directory Users and Computers.
2. In the console tree, click Users, or choose the folder that contains the user account.
3. Right-click the user account, and then choose Properties.
4. On the Account tab, scroll through the Account options and choose the Do not require Kerberos pre-authentication checkbox, and then click OK.
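Because each account with this checkbox set gives up the default protection against offline password guessing, it helps to keep track of which accounts carry it. The checkbox is stored as the DONT_REQ_PREAUTH bit (0x400000) of the account's userAccountControl attribute. The following audit script is an added example, not part of the original document or Cisco's tooling; it assumes an LDIF export of user objects (for example from ldifde), and the users and domain in the sample are constructed.

```python
# Documented userAccountControl bits used by this audit.
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000

# Constructed sample export (hypothetical users and domain), not real data.
SAMPLE_LDIF = """\
dn: CN=VPN User,CN=Users,DC=example,DC=com
sAMAccountName: vpnuser
userAccountControl: 4194816

dn: CN=Alice Admin,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=Old Service,OU=Service Accounts,
 DC=example,DC=com
sAMAccountName: svc-legacy
userAccountControl: 4260354
"""

def parse_ldif(text):
    """Yield one dict per record; base64 ('::') values are left encoded."""
    record, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:      # folded continuation line
            record[last] += line[1:]
        elif not line.strip():                  # blank line ends a record
            if record:
                yield record
            record, last = {}, None
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            record[last] = value.strip()

def preauth_disabled(text):
    """Return (sAMAccountName, dn, enabled) for accounts with the bit set."""
    findings = []
    for rec in parse_ldif(text):
        raw = rec.get("useraccountcontrol", "")
        uac = int(raw) if raw.isdecimal() else 0   # missing or odd value: skip
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((rec.get("samaccountname", "?"), rec.get("dn", "?"),
                             not uac & UF_ACCOUNTDISABLE))
    return findings

if __name__ == "__main__":
    for name, dn, enabled in preauth_disabled(SAMPLE_LDIF):
        print(f"{name:12} {'enabled' if enabled else 'disabled':8} {dn}")
```

Accounts reported as enabled are the ones to review first: confirm each still needs the compatibility exception and has a strong password.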