Configuring and Troubleshooting Active Directory Windows Single Sign On (SSO)

Presentation Transcript


  1. Configuring and Troubleshooting Active Directory Windows Single Sign On (SSO) Prem Ananthakrishnan (aprem@cisco.com) Technical Marketing Engineer (NAC Appliance) Cisco Systems

  2. Configuring Windows SSO

  3. Get started
  • Make sure the DC is running Win2K SP4, Win2K3 (Standard or Enterprise) SP1, or Win2K3 R2. Win2K3 without SP1 is NOT supported.
  • Windows SSO is supported in an AD environment only. A Windows NT environment is not supported. The Clean Access Agent is a MUST.
  • Set up the CAS account as shown in the CAM Guide: Pg 169-172 (7-23 through 7-27).

  4. Set up the AD SSO provider
  • You cannot run an Auth Test against an AD SSO provider (or even a VPN SSO provider).
  • The LDAP lookup server is needed only if you want mapping rules for AD SSO, so that after AD SSO the users are placed in roles based on AD attributes. This is NOT needed to get basic SSO working (without role mapping).

  5. Run KTPass on the DC
  • KTPASS is a tool available as part of the Windows 2K/2K3 Support Tools. (Refer to CAM Guide Pg 173, Chap 7-27 to install the Support Tools.)
  • When running ktpass it is important that the computer name, the part of the principal between the "/" and the "@", matches CASE BY CASE the name of the DC as it appears under Control Panel >> System >> Computer Name >> Full Computer Name on the DC.
  • Also make sure that the realm name after the "@" is always in CAPITALS.

    C:\Program Files\Support Tools>ktpass -princ ccasso/prem-vm-2003.win2k3.local@WIN2K3.LOCAL -mapuser ccasso -pass Cisco123 -out c:\test.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
    Targeting domain controller: prem-vm-2003.win2k3.local
    Using legacy password setting method
    Successfully mapped ccasso/prem-vm-2003.win2k3.local to ccasso.   //confirms ccasso acct is mapped
    Key created.
    Output keytab to c:\test.keytab:
    Keytab version: 0x502
    keysize 80 ccasso/prem-vm-2003.win2k3.local@WIN2K3.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xf2e787d376cbf6d6dd3600132e9c215d)
    Account ccasso has been set for DES-only encryption.

  6. SSO Configuration on the CAS: CCA Servers >> Manage >> Authentication >> Windows Auth >> Active Directory SSO
  • Active Directory Domain = Kerberos realm name = NEEDS TO BE in CAPITALS.
  • Active Directory Server (FQDN): make sure that the CAS can resolve this name via DNS. This field cannot be an IP address. In this example, log on to the CAS via SSH, run "nslookup prem-vm-2003.win2k3.local" and make sure it resolves successfully.
  • Make sure the FQDN matches CASE by CASE the name of the AD server (DC) as it appears under "Control Panel > System > Computer Name | Full computer name" on the AD server machine (DC).
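  Slides 5 and 6 reduce to three checks on the principal that ktpass writes into the keytab: the realm is in capitals, the host part equals the DC's Full Computer Name character for character, and the principal type is KRB5_NT_PRINCIPAL. The Python script below is an added example, not Cisco, Microsoft or MIT code and not part of the original slides. It parses a version 0x502 keytab (the "Keytab version: 0x502" ktpass reports) in the MIT keytab v2 layout and applies those checks. The build_keytab helper and the all-zero key bytes it is given are constructed so the script can run offline; the principal and realm names are the lab names from the slide. To check a real file, run it with the path to c:\test.keytab, the service name and the DC's Full Computer Name.

```python
"""Parse a Kerberos v2 keytab (magic 0x0502) and check the principal against
the rules on slides 5-6.  Added example; not Cisco, Microsoft or MIT code.
build_keytab() exists only so the script runs offline; the key bytes it is
handed are constructed, not a real key."""
import struct
import sys

KRB5_NT_PRINCIPAL = 1                       # "ptype 1" in the ktpass output
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC",
          17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}


def _cstr(s):
    """Counted octet string: uint16 length followed by the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_keytab(service, host, realm, key, etype=23, kvno=3, timestamp=0):
    """Serialize one entry in MIT keytab v2 layout (integers big-endian).
    Constructed input for the demo; ktpass writes the real file."""
    body = struct.pack(">H", 2)                     # two components: service, host
    body += _cstr(realm) + _cstr(service) + _cstr(host)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)                 # optional 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _take(fmt, data, pos):
    """Unpack one big-endian struct at pos; return (values, new_pos)."""
    n = struct.calcsize(fmt)
    return struct.unpack(fmt, data[pos:pos + n]), pos + n


def _take_cstr(data, pos):
    (n,), pos = _take(">H", data, pos)
    return data[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data):
    """Return a list of entries, one dict per principal/key in the file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab, magic %s" % data[:2].hex())
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,), pos = _take(">i", data, pos)
        if size <= 0:                               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,), pos = _take(">H", data, pos)
        realm, pos = _take_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take_cstr(data, pos)
            comps.append(c)
        (ptype, _ts, vno8), pos = _take(">IIB", data, pos)
        (etype, klen), pos = _take(">HH", data, pos)
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:                          # 32-bit kvno present, overrides vno8
            (kvno,), pos = _take(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "components": comps, "realm": realm, "ptype": ptype,
                        "kvno": kvno, "etype": etype, "key": key})
        pos = end
    return entries


def check_entry(entry, service, dc_full_computer_name):
    """Apply the slide's rules; return a list of problems (empty means OK)."""
    problems = []
    if entry["realm"] != entry["realm"].upper():
        problems.append("realm %r is not in CAPITALS" % entry["realm"])
    if entry["ptype"] != KRB5_NT_PRINCIPAL:
        problems.append("ptype %d, expected KRB5_NT_PRINCIPAL (1)" % entry["ptype"])
    if len(entry["components"]) != 2 or entry["components"][0] != service:
        problems.append("principal is not %s/<dc-fqdn>" % service)
    elif entry["components"][1] != dc_full_computer_name:   # exact, case matters
        problems.append("host %r differs from DC Full Computer Name %r"
                        % (entry["components"][1], dc_full_computer_name))
    if entry["etype"] not in ETYPES:
        problems.append("unrecognised etype %d" % entry["etype"])
    return problems


if __name__ == "__main__":
    # Real use: python keytab_check.py c:\test.keytab ccasso prem-vm-2003.win2k3.local
    if len(sys.argv) == 4:
        data = open(sys.argv[1], "rb").read()
        service, dc = sys.argv[2], sys.argv[3]
    else:                                           # offline demo with a constructed key
        data = build_keytab("ccasso", "prem-vm-2003.win2k3.local",
                            "WIN2K3.LOCAL", bytes(16))
        service, dc = "ccasso", "prem-vm-2003.win2k3.local"
    for e in parse_keytab(data):
        print(e["principal"], "etype", ETYPES.get(e["etype"], e["etype"]),
              "kvno", e["kvno"], "->", check_entry(e, service, dc) or "OK")
```

  The host comparison is deliberately an exact string compare rather than a case-folded one, because that is the mistake the slide warns about: the KDC looks the SPN up as written, so a keytab whose host part differs only in case from the DC's Full Computer Name still fails.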

  7. SSO Service started
  • Confirm that the SSO service has been started, as shown under CCA Servers >> Manage >> Status.
  • Also confirm that the CAS is now listening on TCP 8910 (used for Windows SSO):

    [root@cs-ccas02 ~]# netstat -a | grep 8910
    tcp 0 0 *:8910 *:* LISTEN

  8. Open Ports to DC
  • Open the appropriate ports to the DC.
  • For testing, always open complete access to the DC. Then, once you get SSO working, you can tie it down to specific ports.
  • The specific ports for AD SSO that need to be opened in the unauthenticated role are listed in the CAM Administrator Guide.
  • Ensure that the client is running CCA Agent 4.0.0.1 or higher.
  • Log in to the PC using Windows domain credentials. Make sure you are logging in to the domain (not a local account).

  9. Client sees Agent performing SSO

  10. SSO completed

  11. SSO User seen on Online User list

  12. Troubleshooting Windows SSO

  13. Could not start the SSO service
  1) Check that KTPass was run correctly. It is important to check the fields as mentioned in slide X. If KTPass was run incorrectly, delete the account, create a new account in AD and run KTPass again.
  2) Make sure the time on the CAS is synchronized with the DC. This can be done by pointing both to the same time server, OR in lab setups by just pointing the CAS to the DC itself for time (the DC runs Windows Time). Kerberos is sensitive to the clock, and the skew cannot be greater than 5 minutes (300 secs).
  3) Make sure the Active Directory Domain (realm) is in CAPS and the CAS can resolve the FQDN in DNS. For lab setups you can point to a DC that runs DNS (AD requires at least one DNS server).
  4) Log in to the CAS directly at https://<CAS-IP-address>/admin. Then click on Support Logs and change the logging level for Active Directory communication logging to "INFO". Recreate the problem and download the support logs.

  14. SSO Service is started, but client is not doing SSO
  • This is usually due to a communication issue between the DC and the client PC, or between the client PC and the CAS.
  • A few things to check: the client has obtained its Kerberos tickets, ports are open to the DC so that the client can connect, get the agent logs, get the logs on the CAS, and the time/clock on the client PC is synchronized with the DC.
  • Also confirm the CAS is listening on port 8910. A sniffer trace on the client PC will also help.
  • Make sure the CCA Agent is 4.0.0.1 or higher.
  • Make sure the user is actually logged in using the domain account and not using a local account.

  15. Kerbtray
  Kerbtray can be used to confirm that the client has obtained the Kerberos tickets (TGT and ST). Our concern is the ST, also known as the Service Ticket, which is for the CAS account that we created on the DC. Kerbtray is a free tool available from the Microsoft Support Tools. It can also be used to purge the Kerberos tickets on a client machine. A green Kerbtray icon in the system tray indicates that the client has active Kerberos tickets. However, you need to check to see if that ticket is correct (valid) for the CAS account.

  16. Debug Logs from Agent
  • 6/25/2006 5:10:17 PM [Debug] [SWISSPacket]SWISSS response : 14, 192.168.237.15
  • 6/25/2006 5:10:17 PM [Debug] [SWISSClient] - SendQuery: PacketReceived True
  • 6/25/2006 5:10:17 PM [Debug] [SWISSPacket] Login Status: 96
  • 6/25/2006 5:10:17 PM [Debug] OS:False, SSO:True, Cert:True, Remo:False, User:0, Devi:0, L3:False
  • 6/25/2006 5:10:17 PM [Debug] [Application] Login - Status:64
  • 6/25/2006 5:10:17 PM [Debug] [frmSysTray] Set quarantine timer: 0 seconds
  • 6/25/2006 5:10:17 PM [Debug] [frmLogin] Switch to frame : 16384
  • 6/25/2006 5:10:17 PM [Fatal] [frmLogin] Unknown frame number : 16384
  • 6/25/2006 5:10:17 PM [Debug] [SWISSPacket] Client version length: 7
  • 6/25/2006 5:10:17 PM [Debug] Agent OS: WINDOWS_XP, Agent Version: 4.0.0.0
  • 6/25/2006 5:10:17 PM [Debug] [SWISSPacket] Client OS Length: 10
  • 6/25/2006 5:10:17 PM [Debug] [AppUtil] Total number of adapters : 1
  • 6/25/2006 5:10:17 PM [Debug] [SWISSPacket]SWISS Nounce Length : 10
  • 6/25/2006 5:10:17 PM [Debug] [AppUtil] Total number of adapters : 1
  ---------<snip> -----------------------
  • 6/25/2006 5:10:17 PM [Debug] [SWISSPacket]SWISSS response : 14, 192.168.237.15
  • 6/25/2006 5:10:17 PM [Debug] [SWISSClient] - SendQuery: PacketReceived True
  • 6/25/2006 5:10:17 PM [Debug] Acquiring credentials from current logon session....
  • 6/25/2006 5:10:17 PM [Debug] Successfully acquired credentials handle: 1641992|854584
  • 6/25/2006 5:10:17 PM [Debug] [SSPIClient - QryCred] Using credentials: prem@WIN2K3.LOCAL
  • 6/25/2006 5:10:18 PM [Debug] Connected to 192.168.237.15:8910
  • 6/25/2006 5:10:18 PM [Debug] Using context requirements Confidentiality, Replay Detect,Sequence Detect, Mutual Auth & Connection
  • 6/25/2006 5:10:18 PM [Debug] Is Context Initalized? 0
  • 6/25/2006 5:10:18 PM [Debug] Initializing security context with SPN: ccasso/prem-vm-2003.win2k3.local@WIN2K3.LOCAL
  • 6/25/2006 5:10:18 PM [Debug] Token to be sent to server:

  17. CAS Logs – Cannot start SSO service
  The log file of interest on the CAS is /perfigo/logs/perfigo-redirect-log0.log.0.
  When the AD SSO service does not start on the CAS, it is a CAS-DC communication issue:
  1) Aug 3, 2006 7:52:48 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
     SEVERE: startServer - SSO Service authentication failed. Clock skew too great (37)
     This means the clock is not synchronized between the CAS and the Domain Controller.
  2) Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
     INFO: GSSServer - SPN : [ccass/PreM-vM-2003.win2k3public.local@WIN2K3PUBLIC.LOCAL]
     Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
     SEVERE: startServer - SSO Service authentication failed. Client not found in Kerberos database (6)
     Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer startServer
     WARNING: GSSServer loginSubject could not be created.
     The above means the username is incorrect. Note the wrong username "ccass", error code 6 and the last warning.
  3) Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
     INFO: GSSServer - SPN : [ccasso/PreM-vM-2003.win2k3public.local@WIN2K3PUBLIC.LOCAL]
     Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
     SEVERE: startServer - SSO Service authentication failed. Pre-authentication information was invalid (24)
     Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer startServer
     WARNING: GSSServer loginSubject could not be created.
     The password is incorrect or the realm is invalid (not in CAPS?). Bad FQDN? KTPASS run incorrectly? Note the error 24 AND the last warning.
  Client – CAS communication issue:
  • Aug 3, 2006 10:03:05 AM com.perfigo.wlan.jmx.admin.GSSHandler run
    SEVERE: GSS Error: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
    This error is seen when the client PC's time is not synchronized with the DC. (Please note the difference between this error and the one where the CAS's time is not synchronized with the DC.)
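  The three CAS-side failures and the one client-side failure above differ in two things: the Kerberos error code in parentheses, and which class logged it (GSSServer loginToKDC for the CAS-to-DC leg, GSSHandler run for the client-to-CAS leg). The Python script below is an added example, not Cisco code and not part of the slides. It reads perfigo-redirect-log0.log.0 in the two-line java.util.logging layout shown on the slide (a header line with timestamp, class and method, then a LEVEL: message line), maps each SEVERE code to its RFC 4120 name and the slide's diagnosis, flags a logged SPN that differs character for character from the expected one (which is how the "ccass" typo in case 2 is caught before the KDC error even appears), and counts findings per leg. The embedded sample log is reconstructed from the messages on the slide, not a verbatim capture; the expected SPN is the one from case 3.

```python
"""Triage AD SSO failures in the CAS log /perfigo/logs/perfigo-redirect-log0.log.0.
Added example, not Cisco code.  Assumes the two-line java.util.logging layout
seen on the slide: a header line (timestamp, class, method) followed by a
"LEVEL: message" line."""
import re
import sys

# Error codes from the slide, their RFC 4120 names, and the slide's diagnosis.
KRB_ERRORS = {
    6:  ("KDC_ERR_C_PRINCIPAL_UNKNOWN",
         "username/SPN not found on the DC; check the account ktpass mapped"),
    24: ("KDC_ERR_PREAUTH_FAILED",
         "password incorrect, realm not in CAPS, bad FQDN, or ktpass run incorrectly"),
    37: ("KRB_AP_ERR_SKEW",
         "CAS clock differs from the DC by more than 5 minutes"),
}
# The logging class tells you which leg of the exchange failed.
LEG = {"GSSServer": "CAS <-> DC", "GSSHandler": "client <-> CAS"}

HEADER = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
                    r"com\.perfigo\.wlan\.jmx\.admin\.(?P<cls>GSSServer|GSSHandler) "
                    r"(?P<method>\w+)$")
MESSAGE = re.compile(r"^(?P<level>SEVERE|WARNING|INFO): (?P<msg>.*)$")
ERRCODE = re.compile(r"\((\d+)\)")
SPN = re.compile(r"SPN : \[([^\]]+)\]")

# Constructed from the messages on the slide; not a verbatim log capture.
SAMPLE_LOG = """\
Aug 3, 2006 7:52:48 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Clock skew too great (37)
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccass/PreM-vM-2003.win2k3public.local@WIN2K3PUBLIC.LOCAL]
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Client not found in Kerberos database (6)
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer startServer
WARNING: GSSServer loginSubject could not be created.
Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/PreM-vM-2003.win2k3public.local@WIN2K3PUBLIC.LOCAL]
Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Pre-authentication information was invalid (24)
Aug 3, 2006 10:03:05 AM com.perfigo.wlan.jmx.admin.GSSHandler run
SEVERE: GSS Error: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
"""


def triage(lines, expected_spn=None):
    """Return one finding dict per SEVERE Kerberos error or SPN mismatch."""
    findings, header, last_spn = [], None, None
    for raw in lines:
        line = raw.rstrip("\r\n")
        h = HEADER.match(line)
        if h:                                   # remember who logged the next message
            header = h.groupdict()
            continue
        m = MESSAGE.match(line)
        if not m or header is None:
            continue
        msg, leg = m["msg"], LEG[header["cls"]]
        s = SPN.search(msg)
        if s:                                   # INFO line naming the SPN in use
            last_spn = s.group(1)
            if expected_spn is not None and last_spn != expected_spn:
                findings.append({"time": header["ts"], "leg": leg, "code": None,
                                 "name": "SPN_MISMATCH", "spn": last_spn,
                                 "hint": "logged SPN %r differs from expected %r (case matters)"
                                         % (last_spn, expected_spn)})
            continue
        c = ERRCODE.search(msg)
        if m["level"] == "SEVERE" and c:
            code = int(c.group(1))
            name, hint = KRB_ERRORS.get(code, ("UNKNOWN", "code not covered on the slide"))
            if code == 37 and header["cls"] == "GSSHandler":
                hint = "client PC clock differs from the DC (client-side variant, not the CAS clock)"
            findings.append({"time": header["ts"], "leg": leg, "code": code,
                             "name": name, "spn": last_spn, "hint": hint})
    return findings


def summarize(findings):
    """Count findings per leg so you know which side to look at first."""
    counts = {}
    for f in findings:
        counts[f["leg"]] = counts.get(f["leg"], 0) + 1
    return counts


if __name__ == "__main__":
    # Real use: python cas_sso_triage.py /perfigo/logs/perfigo-redirect-log0.log.0 ccasso/<dc-fqdn>@<REALM>
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    spn = sys.argv[2] if len(sys.argv) > 2 else \
        "ccasso/PreM-vM-2003.win2k3public.local@WIN2K3PUBLIC.LOCAL"
    found = triage(src, spn)
    for f in found:
        print("%s  %-14s  %-4s %-28s %s" % (f["time"], f["leg"], f["code"] or "-",
                                            f["name"], f["hint"]))
    print("per leg:", summarize(found))
```

  Each finding carries the last SPN logged before it, so a code 6 or 24 can be read together with the exact principal the CAS tried, which is what you compare against the ktpass command from slide 5.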

  18. Known issues
  • CSCse64395 - 4.0 Agent does not resolve DNS for Windows SSO. Resolved in Agent 4.0.0.1.
  • CSCse46141 - SSO fails if the CAS cannot reach the Active Directory server during startup. Workaround: go to CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth > Active Directory SSO and click the Update button to restart the AD SSO service.
  • Do a "service perfigo restart" on the CAS. There is a caching issue where old credentials are cached on the CAS and the new ones are not used until Tomcat is restarted.
