> Date: Wed, 29 Oct 2008 14:14:11 -0500
> From: Jeff Stewart <[EMAIL PROTECTED]>
> Subject: AD SSO
>
> I feel like I have followed all of the directions for setting up AD SSO
> but I can't get the service to start on the CAS. Anyone out there have
> similar trouble?
>
> Thanks,
>
> Jeff
>
> --
> Jeffrey Stewart
>
> Network Engineer
> Network Computing & Support
> Western Kentucky University
>
> "better than a sharp stick in the eye"
>
> ------------------------------
If you are running a virtual gateway, and your managed LAN has the same address space as your AD DCs have, you may want to add a /32 route to each of your AD DC servers indicating that the traffic should leave on the secure interface, not the interface facing the managed LAN. In our case we had a flat LAN like that and had the same issue.

Also, check all the Cisco suggested culprits, especially time. Kerberos hates clock drift.

Also make sure you have a traffic policy that supports AD authentication from your unauthenticated LAN to the LAN your servers are on. I think the NAC should automatically proxy this authentication traffic, but since they don't you have to open at least one DC to the unauthenticated clients on a lot of bad ports, to support authentication, which kind of begs the whole NAC question. My policy currently allows ports as follows:

TCP: 67 - DHCP, 88 - Kerberos, 135 - RPC, 137, 138 - NetBIOS, 389 - LDAP, 445 - SMB, 1025 - RPC, 1026 - RPC
UDP: 53 - DNS, 67 - BOOTP, 68 - DHCP, 88 - Kerberos, 389 - LDAP, 636 - LDAP with SSL

I had to re-run KTPASS a few times before everybody got on the same page, I don't know why exactly.

Finally, have you tried starting it manually by toggling the enable check box on and off? Occasionally, SSO just won't start. That's not supposed to happen but it does. It even happened in my CANAC Cisco sanctioned classroom lab.

If you still don't resolve this, could you provide a bit more specifics about your config? If you already have, I apologize, I don't always read the list as diligently as I should.

Cheers,

Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone
(559) 868-6367
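Two of the checks the reply above describes, reachability of the DC on the traffic policy's TCP ports and clock skew small enough for Kerberos, as an added Python pre-flight script that is not part of the thread or of any Cisco tooling. It assumes it is run from a host on the unauthenticated LAN with the DC's hostname passed to the functions, that the DC answers SNTP on UDP 123, and uses Kerberos' default 5-minute skew tolerance as the limit.

```python
import socket
import struct
import time

# TCP ports the reply's traffic policy opens from the unauthenticated LAN to the DC.
DC_TCP_PORTS = {67: "DHCP", 88: "Kerberos", 135: "RPC", 137: "NetBIOS", 138: "NetBIOS",
                389: "LDAP", 445: "SMB", 1025: "RPC", 1026: "RPC"}
MAX_KERBEROS_SKEW_S = 300       # Kerberos default clock-skew tolerance: 5 minutes
NTP_EPOCH_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def skew_from_sntp_reply(reply, t1, t4):
    """Server-minus-client clock offset (seconds) from a 48-byte SNTP reply.
    t1/t4 are the client's send/receive times; offset = ((t2-t1)+(t3-t4))/2 (RFC 4330)."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    f = struct.unpack("!12I", reply[:48])
    t2 = ntp_to_unix(f[8], f[9])     # receive timestamp (words 8-9)
    t3 = ntp_to_unix(f[10], f[11])   # transmit timestamp (words 10-11)
    return ((t2 - t1) + (t3 - t4)) / 2

def kerberos_skew_ok(offset_s):
    """True if the offset is inside what Kerberos tolerates by default."""
    return abs(offset_s) <= MAX_KERBEROS_SKEW_S

def check_dc_clock(dc_host, timeout=2.0):
    """Query the DC over SNTP (DCs normally serve NTP) and return the skew in seconds."""
    request = b"\x1b" + 47 * b"\x00"          # LI=0, VN=3, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (dc_host, 123))
        reply, _ = s.recvfrom(48)
        t4 = time.time()
    return skew_from_sntp_reply(reply, t1, t4)

def check_dc_tcp_ports(dc_host, ports=DC_TCP_PORTS, timeout=2.0):
    """Return the policy's TCP ports that are NOT reachable on the DC from this host."""
    blocked = {}
    for port, name in ports.items():
        try:
            with socket.create_connection((dc_host, port), timeout=timeout):
                pass
        except OSError:        # refused, filtered or timed out: the policy gap to fix
            blocked[port] = name
    return blocked
```

Call `check_dc_tcp_ports("<dc hostname>")` and `kerberos_skew_ok(check_dc_clock("<dc hostname>"))` from the unauthenticated side; a non-empty dict or a False result points at the traffic policy or the clock respectively.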
