Gents,

Also open IP FRAGMENTS to all your domain controllers in the unauthenticated role.

HTH,
Faisal

On Tue, Jul 22, 2008 at 7:52 PM, Ryan Nobrega <[EMAIL PROTECTED]> wrote:
> I have been setting up AD SSO and have been running into the same exact
> problem. I found that using a GPO to disable the slow link detection
> feature for both the user and the computer seems to fix this problem and
> speed up the login times dramatically.
>
> -Ryan Nobrega
> -Data Network Manager
> -Southern CT State University
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[EMAIL PROTECTED] On Behalf Of Stempien, Dave
> Sent: Tuesday, May 20, 2008 12:29 PM
> To: [email protected]
> Subject: AD SSO - required open ports?
>
> Does anyone have a definitive list of the ports required to be open in the
> unauthenticated role for AD SSO to work? I've opened the following ports to
> our DCs per the suggestion of the Cisco documentation:
>
> TCP 88 - Kerberos
> TCP 135 - RPC
> TCP 389 - LDAP
> TCP 1025 - RPC
> TCP 1026 - RPC
>
> After doing some sniffing, I discovered that our DCs are also using UDP for
> Kerberos and LDAP, so I opened the following:
>
> UDP 88 - UDP-Kerberos
> UDP 389 - UDP-LDAP
>
> Also, per a previous suggestion by Cisco TAC, I opened:
>
> TCP 445 - SMB
>
> Finally, ICMP and DNS are also allowed.
>
> Currently, my test machine won't even completely log into the domain, let
> alone perform SSO. It's stuck at "Applying computer settings..." If I
> completely disable my unauthenticated policy (except for ICMP and DNS), I
> can log into my test machine using cached credentials.
>
> Has anyone else beaten this beast and care to share your experiences?
>
> Thanks!
>
> --
> Dave Stempien, Network Security Engineer
> University of Rochester Medical Center
> Information Systems Division
> (585) 784-2427
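An added example, not code from the thread, Cisco, or any of the posters: a small Python script that automates the sniff-then-open-ports step Dave describes. It takes a one-line-per-flow digest of client-to-DC traffic and the ports currently opened in the unauthenticated role, and reports which observed flows the role would still drop, printing them in the same "PROTO port - note" format used in the thread. The allow list is the one Dave posted plus DNS and ICMP; the flow digest is constructed for illustration, not taken from a real capture, and whether any given flow (NTP, the global catalog, a dynamic RPC port) is actually needed in your environment is something to confirm against your own trace.

```python
"""Diff observed client-to-DC flows against the NAC unauthenticated-role allow list.

Added example for the AD SSO thread; not Cisco's or the posters' code. The allow
list is the one posted in the thread (plus DNS and ICMP); the flow digest below
is constructed to look like a one-line-per-flow summary of a capture.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Allow list from the thread. Values are inclusive (low, high) port ranges;
# an empty range list means the whole protocol is permitted (ICMP).
ALLOWED = {
    "tcp": [(88, 88), (135, 135), (389, 389), (445, 445), (1025, 1026), (53, 53)],
    "udp": [(88, 88), (389, 389), (53, 53)],
    "icmp": [],
}

# Constructed capture digest (not a real trace): "<proto> <dst port> <note>".
# Which of these a given DC actually needs must be confirmed from your own capture.
SAMPLE_FLOWS = """\
udp 53 dns srv lookup for _ldap._tcp.dc._msdcs
icmp 0 echo request to dc
udp 88 kerberos AS-REQ (udp first)
tcp 88 kerberos retry over tcp
udp 389 cldap ping (dc locator)
tcp 389 ldap bind
tcp 135 rpc endpoint mapper
tcp 49158 rpc over dynamic high port handed out by the endpoint mapper
tcp 445 smb to sysvol for group policy
udp 123 ntp sync for kerberos clock skew
tcp 3268 global catalog ldap
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    port: int
    note: str


FLOW_RE = re.compile(r"^(?P<proto>[a-z]+)\s+(?P<port>\d+)\s*(?P<note>.*)$")


def parse_flows(text: str) -> list[Flow]:
    """Parse the digest; blank lines are skipped, malformed lines raise."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        flows.append(Flow(m["proto"], int(m["port"]), m["note"].strip()))
    return flows


def is_allowed(allowed: dict, proto: str, port: int) -> bool:
    """True if (proto, port) is covered by the role's allow list."""
    if proto not in allowed:
        return False
    ranges = allowed[proto]
    if not ranges:  # protocol allowed outright (ICMP)
        return True
    return any(lo <= port <= hi for lo, hi in ranges)


def blocked_flows(flows: list[Flow], allowed: dict) -> list[Flow]:
    """Flows the role would drop, in capture order, one per (proto, port)."""
    seen = set()
    out = []
    for f in flows:
        key = (f.proto, f.port)
        if key in seen or is_allowed(allowed, f.proto, f.port):
            continue
        seen.add(key)
        out.append(f)
    return out


def suggested_rules(blocked: list[Flow]) -> list[str]:
    """One allow-list line per blocked flow, in the thread's own format."""
    return [f"{f.proto.upper()} {f.port} - {f.note}" for f in blocked]


if __name__ == "__main__":
    missing = blocked_flows(parse_flows(SAMPLE_FLOWS), ALLOWED)
    print("observed flows not covered by the unauthenticated role:")
    for line in suggested_rules(missing):
        print("  " + line)
```

On the constructed digest this flags TCP 49158, UDP 123 and TCP 3268. The first one is the case worth watching for when you do this against a real capture: the endpoint mapper on TCP 135 hands clients a dynamic port, and on Windows Vista / Server 2008 and later that port comes from 49152-65535 by default rather than the 1025-1026 region, so the two RPC rules in the thread may not cover what your DCs actually use.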
