Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 8 Configuring Active Directory Single Sign-On (AD SSO)
Troubleshooting
General
• Make sure the date and time of the CAM, CAS and AD server are all synchronized within 3 minutes of each other or AD SSO will not work. You will have to delete the account on AD, synchronize the times and recreate the account. If the AD server still keeps a record of the old account even though you have deleted it, you may need to create a new account with a different name.
• When setting up the CAS account on the AD server, make sure that the CAS account does NOT require Kerberos pre-authentication.
Note: Perform a service perfigo restart on the CAS to make sure it is not using old cached credentials.
KTPass Command
• Make sure the computer name entered between “/” and “@” in the ktpass command (e.g. “AD_DomainServer”) exactly matches, character for character and including case, the name of the AD server as it appears under Control Panel > System > Computer Name | Full computer name on the AD server. See for details.
• Make sure the realm name entered after “@” in the ktpass command (e.g. “AD_DOMAIN”) is always in UPPER CASE. You must convert the domain name that appears under Control Panel > System > Computer Name | Domain on the AD server to UPPER CASE when entering it in the ktpass command.
Cannot Start AD SSO Service on CAS
If the AD SSO service cannot start on the CAS, this typically indicates a communication issue between the AD server and the CAS.
• If the Active Directory server is not reachable from the CAS at the time of CAS startup, the AD SSO service is not started. As a workaround, the administrator must go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth > Active Directory SSO and click the Update button to restart the AD SSO service.
• Check that the KTPass command is run correctly. Verify the fields are correct as described in . If KTPass was run incorrectly, delete the account, create a new account on the AD server, and run KTPass again.
• Make sure the time on the CAS is synchronized with the AD server (DC). This can be done by pointing them both to the same time server (or, in lab setups, by just pointing the CAS to the DC itself for time, since the DC runs the Windows Time service). Kerberos is sensitive to clock timing and the clock skew cannot be greater than 5 minutes (300 seconds).
• Make sure the Active Directory Domain is in UPPERCASE (Realm) and that the CAS can resolve the FQDN in DNS. (For lab setups you can point to a DC that runs DNS, as AD requires at least one DNS server.)
• Make sure the following are correct: CAS username on the AD server, CAS password (do not use special characters such as single quotes), Active Directory Domain (Kerberos Realm) on the CAS (uppercase), Active Directory Server (FQDN) on the CAS.
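As an added example (not part of the Cisco guide), a small Python validator for the two ktpass principal checks above and the Kerberos clock-skew limit; the server name, domain and "cas1" service name are constructed sample values.

```python
import re
from datetime import datetime

# Kerberos rejects tickets when clocks differ by more than this (guide: 300 s).
MAX_SKEW_SECONDS = 300

# ktpass principal shape: service/AD_DomainServer@AD_DOMAIN
PRINC_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")


def check_principal(principal, ad_full_computer_name, ad_domain):
    """Return problems with a ktpass principal ([] = passes). ad_full_computer_name is
    the AD server's 'Full computer name'; ad_domain is its 'Domain' (any case)."""
    m = PRINC_RE.match(principal)
    if not m:
        return ["principal must look like service/AD_DomainServer@AD_DOMAIN"]
    _service, host, realm = m.groups()
    problems = []
    # Host part must match the AD server's full computer name exactly, case included.
    if host != ad_full_computer_name:
        if host.lower() == ad_full_computer_name.lower():
            problems.append(f"host '{host}' differs only in case from '{ad_full_computer_name}'")
        else:
            problems.append(f"host '{host}' is not the AD server '{ad_full_computer_name}'")
    # Realm part must be the AD domain converted to upper case.
    want_realm = ad_domain.upper()
    if realm != want_realm:
        if realm.upper() == want_realm:
            problems.append(f"realm '{realm}' must be upper case: '{want_realm}'")
        else:
            problems.append(f"realm '{realm}' is not the AD domain '{want_realm}'")
    return problems


def clock_skew_ok(cas_time, ad_time, max_skew=MAX_SKEW_SECONDS):
    """True when the CAS and DC clocks are within the Kerberos skew limit."""
    return abs((cas_time - ad_time).total_seconds()) <= max_skew


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    server, domain = "ad-dc01.corp.example", "corp.example"
    for princ in ("cas1/ad-dc01.corp.example@CORP.EXAMPLE",
                  "cas1/AD-DC01.corp.example@corp.example"):
        print(princ, "->", check_principal(princ, server, domain) or "OK")
    print("skew ok:", clock_skew_ok(datetime(2024, 1, 1, 12, 0, 0),
                                    datetime(2024, 1, 1, 12, 4, 0)))
```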