Antonio,

I've set this up successfully for a client using NAC 4.8 and Windows 2003 domain controllers. They were running 4.8 and initially had the ktpass command with the +DesOnly at the end. When they introduced Windows 7 machines into the network we found that AD SSO did not work for those computers. At that time we followed the instructions in the guide you posted. We created another AD user to assign to the AD SSO portion of the NAC server config. The ktpass command used for this user did not have the +DesOnly at the end. We then changed the NAC Servers to use the new AD user and everything worked correctly for both the Windows 7 and Windows XP computers.

I have a little blog on why the +DesOnly is not required.

http://www.netcraftsmen.net/resources/blogs/cisco-nac-ad-sso-support-for-non-des-encryption-types.html

Are you sure the users had a valid Kerberos ticket? You can use kerbtray.exe on the end clients to verify that they weren't using cached credentials...

Are you using ACLs to restrict the authentication VLAN? I've seen cases when one of the domain controllers was blocked by the authentication VLAN ACL, which caused problems similar to what you're seeing...

------------------------------------------------------
Rob Chee, CCIE #8188 (R&S and Security)
Senior Network Consultant
Chesapeake NetCraftsmen, LLC.
Company Website: http://www.netcraftsmen.net
My Blog: http://www.netcraftsmen.net/resources/blogs/blogger/Rob%20Chee/
Mobile: 571-437-2829
------------------------------------------------------

On 11/10/10 7:59 AM, "Antonio Soares" <[email protected]> wrote:

>I have a customer that is running 4.8. The upgrade to this release was made
>a few days ago. After running the procedure to support the Windows 7
>clients, we see that SSO is not working. We are using ktpass version
>5.2.3790.1830 and this is a Windows 2003 environment.
>
>The procedure is this one:
>
>http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452
>
>The problem is that the users do the Windows authentication and the NAC
>Agent window appears for login. SSO does not work for these users.
>
>Has anyone seen this problem before?
>
>
>Thanks.
>
>Regards,
>
>Antonio Soares, CCIE #18473 (R&S/SP)
>[email protected]
