When deploying Cisco NAC for desktop computers, it is imperative minimize the impact to the end user experience as much as possible. This helps to ensure that the NAC deployment does not get derailed by user complaints. One way to minimize the impact is to implement Active Directory Single Sign-On (AD SSO). With AD SSO, the user just has to complete their Microsoft logon. The NAC Appliance uses Kerberos to verify the user’s authenticity instead of prompting for a NAC logon. The NAC setup of AD SSO is easy to configure incorrectly even with the detailed steps in the Cisco NAC Server Configuration Guide. The basic steps are listed below.
- Configure an AD SSO authentication server on the NAC Manager (NAM)
- Configure the specific parameters in the NAC Server portion of the NAM Web GUI
- Configure a user in the Microsoft active directory domain with basic user rights
- Configure the domain controller with the ktpass command using the user created above
- Enable AD SSO in the NAC Server portion of the NAM Web GUI
Please read the configuration information, at that link, to get a more detailed understanding on how to configure AD SSO. I’d like to run through a number of basic problems explained in the configuration guide with extra information from my experiences.
Most of the issues revolve around the use of the ktpass command, on the Microsoft Domain Controllers. Microsoft Active Directory logon uses Kerberos as its authentication mechanism. The default encryption is RC4-HMAC. DES-CBC-CRC and DES-CBC-MD5 are also supported, but require manual configuration using the ktpass command, which is included in the Microsoft Support Tools. This application is required because the NAC Server, which implements the AD SSO, can only use DES. Additionally, ktpass must be run on every domain controller that authenticates users. There are separate toolsets for Windows 2003 SP1 and Windows 2003 SP2. In the Windows 2003 SP2 link, they provide the following details that should be followed
Note If you have an earlier version of these support tools installed on your computer, you must remove this version before you install the updated support tools for Windows Server 2003 SP2.
With ktpass properly installed, it’s also important to know where to look to troubleshoot AD SSO issues. There is one setting to change and three places to look for messages.
The setting to change is the log level on the NAC Server. Access the NAC Server webpage. Make sure the URL ends with “admin”. For example https://192.168.6.10/admin. If this is not done, the NAC login page will be displayed. Next, click on “Monitoring > Support Logs”. On the page that is displayed, turn on trace logging for the “Active Directory Communication Logging” line. Once logging is set, the NAC Server webpage can be closed
The first, and best place, to look for logs is the NAC server log files. Since the NAC server is doing the actual checks, it will provide the most detailed logs. These logs are located in the /perfigo/access/tomcat/logs/nac_server.log file on the NAC server.
The second place to look for logs is the NAC manager log file. This is located at /perfigo/control/tomcat/logs/nac_manager.log file on the NAC Manager.
The third place to look for logs is the Event logs on the NAC Manager GUI. This is located in “Monitoring > Event Logs” on the NAC Manager web GUI.
Now, let’s get into some troubleshooting scenarios
Improper ktpass version
As stated in the support information, ktpass version 5.2.3790.0 is required for Windows 2003 and ktpass version 6.0.6001.18000 is required for Windows 2008. Using an earlier version of ktpass will usually end up in a failed AD SSO setup.
Time not synchronized
In order for Kerberos to work, the time on the NAC Server and domain controller must be synchronized to within 5 minutes.
Configuring User for ktpass
When using ktpass, part of the configuration is assigning service instance account to a user. There are two problems, associated with this user account, that I’ve run into.
If the nac_manager.log file contains a log entry with “encrypt type not supported (14)”, check the Event Viewer logs on the domain controller. There may be messages stating that the key has been corrupted. The solution is to create a new password for the user.
A problem will arise if ktpass is run twice on the same domain controller. This could happen if you are using ktpass for a specific domain controller entry and, a more general, domain entry. If the same user account is used for both the entries will cease to work. The solution is to remove the account and create a new account for just one type of entry.
Configuring ktpass for Windows 2008
When configuring ktpass for Windows Server 2008, it is important to read the support information for details on the minimum ktpass version required and the minimum operating system version required.
Ktpass version: 6.0.6001.18000
Windows 2008 Server Enterprise SP1
Single Domain AD SSO is supported
Hotfix KB951191 is required
Not adding Hotfix KB951191 will result in error messages in the NAS. The error message contains “Client not found in Kerberos database (6)”.