Are the machines accessing the DCs domain members? If not, it is probably a Kerberos authentication issue. There is a Kerberos log on the DCs somewhere that might help. Offhand (I'm not sitting in front of a DC right now) I'm not sure where you set it, but you may need to allow NTLM authentication in order for users to log on to AD from machines that aren't in the domain. We have that set up somewhere for our Mac machines...
Jeff

________________________________________
From: Cisco Clean Access Users and Administrators [EMAIL PROTECTED] On Behalf Of Justin Howell [EMAIL PROTECTED]
Sent: Tuesday, May 20, 2008 1:12 PM
To: [email protected]
Subject: Re: [CLEANACCESS] AD SSO - required open ports?

Yeah, we had the same experience when we set things up. After hours of troubleshooting with TAC we finally threw in the towel, allowed all traffic to the DCs, and added ACLs to limit access. We never could figure out why the logons would never complete; we never saw any traffic on a sniff that looked like it was being blocked.

Justin Howell
Telecommunications Network Technician
Solano Community College

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Jay Patel
Sent: Tuesday, May 20, 2008 9:43 AM
To: [email protected]
Subject: Re: AD SSO - required open ports?

It truly is a beast. Are you using roaming profiles?

----
-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Stempien, Dave
Sent: Tuesday, May 20, 2008 12:29 PM
To: [email protected]
Subject: AD SSO - required open ports?

Does anyone have a definitive list of the ports required to be open in the unauthenticated role for AD SSO to work? I've opened the following ports to our DCs per the suggestion of the Cisco documentation:

TCP 88 - Kerberos
TCP 135 - RPC
TCP 389 - LDAP
TCP 1025 - RPC
TCP 1026 - RPC

After doing some sniffing, I discovered that our DCs are also using UDP for Kerberos and LDAP, so I opened the following:

UDP 88 - UDP-Kerberos
UDP 389 - UDP-LDAP

Also, per a previous suggestion by Cisco TAC, I also opened:

TCP 445 - SMB

Finally, ICMP and DNS are also allowed. Currently, my test machine won't even completely log into the domain, let alone perform SSO. It's stuck at "Applying computer settings..."
If I completely disable my unauthenticated policy (except for ICMP and DNS), I can log into my test machine using cached credentials. Has anyone else beaten this beast and care to share your experiences? Thanks!

--
Dave Stempien, Network Security Engineer
University of Rochester Medical Center
Information Systems Division
(585) 784-2427
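A quick way to check, from a client still sitting in the unauthenticated role, which of the ports in Dave's list actually reach the DC. This is an added example and not part of the thread or of any Cisco tool; the port set is the one Dave posted (plus DNS, which he allows), the host name `dc1.example.local` is a placeholder, and `udp_state` uses the usual port-scanner classification, which matters here because a UDP port behind a dropping ACL looks exactly like a listener that ignores junk, so a sniff on the client shows nothing being "blocked".

```python
# Added example, not from the thread: probe the DC ports Dave listed from a
# client that is still in the Clean Access unauthenticated role.  The host
# name below is a placeholder; substitute your DC's address.
import socket

DC_HOST = "dc1.example.local"   # assumption: replace with a real DC

# (proto, port, service): the set discussed in the thread, DNS included
AD_SSO_PORTS = [
    ("tcp", 88,   "Kerberos"),
    ("udp", 88,   "Kerberos"),
    ("tcp", 135,  "RPC endpoint mapper"),
    ("tcp", 389,  "LDAP"),
    ("udp", 389,  "LDAP"),
    ("tcp", 445,  "SMB"),
    ("tcp", 1025, "RPC (static endpoint)"),
    ("tcp", 1026, "RPC (static endpoint)"),
    ("tcp", 53,   "DNS"),
    ("udp", 53,   "DNS"),
]


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP three-way handshake completes.

    A RST (nothing listening) and a silent drop (timeout, typical of an ACL
    that blocks the port) both come back as False; the elapsed time tells
    them apart if you need to.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_state(host, port, timeout=2.0):
    """Classify a UDP port the way a port scanner does.

    'closed'        - an ICMP port-unreachable came back: the host was
                      reached and nothing listens on that port
    'open'          - the service answered our one-byte datagram
    'open|filtered' - silence: either a listener ignoring junk or an ACL
                      dropping the packet; indistinguishable from here
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # A connected UDP socket surfaces ICMP errors as ConnectionError
        # on the next send/recv instead of silently discarding them.
        s.connect((host, port))
        try:
            s.send(b"\x00")
            s.recv(1)
            return "open"
        except ConnectionError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def probe(host, ports=AD_SSO_PORTS, timeout=2.0):
    """Probe every (proto, port) pair; return {(proto, port): result}."""
    results = {}
    for proto, port, _service in ports:
        if proto == "tcp":
            results[(proto, port)] = ("open" if tcp_open(host, port, timeout)
                                      else "closed|filtered")
        else:
            results[(proto, port)] = udp_state(host, port, timeout)
    return results


def report(host, ports=AD_SSO_PORTS, timeout=2.0):
    """Human-readable summary, one line per port in the order given."""
    res = probe(host, ports, timeout)
    return "\n".join(
        f"{proto.upper():3} {port:<5} {service:<22} {res[(proto, port)]}"
        for proto, port, service in ports
    )


if __name__ == "__main__":
    print(report(DC_HOST))
```

Run it once from the unauthenticated role and once from a fully authenticated host and diff the two reports; any TCP port that flips from `open` to `closed|filtered` is being dropped by the role's policy. A completed handshake only proves the packet filter lets the port through, not that the domain logon will succeed, so this is the first check rather than the last one.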
