
Kerberos auth, IC6000, and AD 2008

SOLVED
lto_
Occasional Contributor

Kerberos auth, IC6000, and AD 2008

Hello good people,

I am experiencing issues when trying to use Kerberos to authenticate my users.

First of all, I am using:

IC 6000, standalone, 2.2R4

Windows Server 2008 with AD as my authentication server

When using a simple LDAP bind to authenticate my users, no problem, everything works smoothly.

But, when trying to use Kerberos, it all goes wrong. Is there some kind of trouble between AD2008 and IC?

I am positive about the admin credentials I am providing to the IC (no 'domain\' before the username) and the IP address of the server (in the same subnet as the IC), but I still get an error saying the admin credentials are wrong, or the server is not a domain controller. I was able to add the IC to the domain once, that was when I provided the FQDN of the DC instead of the IP address, but I still had the same error when I hit the 'Test Configuration' button.

Thanks a lot,

Thomas

Edit: It says in the documentation, in the part 'Multi-Domain User Authentication', that IC supports only Windows 2000 and Windows 2003. Although I only have one domain, does this part apply to my problem? 'Cause it could explain a lot of things :-D

Message Edited by lto on 03-30-2009 01:40 AM

Accepted Solutions
ManojReddy_
Contributor

Re: Kerberos auth, IC6000, and AD 2008

Hey: Actually Windows2008 is not supported in UAC2.2R4. I missed the fact that you are using Windows2008 AD server. You need UAC3.0R1 or later for this to work.


8 REPLIES
ManojReddy_
Contributor

Re: Kerberos auth, IC6000, and AD 2008

For Kerberos to work, the time difference between the AD server and the IC shouldn't be more than 2 mins (Microsoft enforces this).

Please make sure that the IC's and AD's time is in sync.

lto_
Occasional Contributor

Re: Kerberos auth, IC6000, and AD 2008

Hi,

There is no more than 1 minute difference between those two devices. In fact they are using the same NTP server.

ManojReddy_
Contributor

Re: Kerberos auth, IC6000, and AD 2008

Hey: Actually Windows2008 is not supported in UAC2.2R4. I missed the fact that you are using Windows2008 AD server. You need UAC3.0R1 or later for this to work.

lto_
Occasional Contributor

Re: Kerberos auth, IC6000, and AD 2008

Thanks a lot Manoj, I'll try to install the 3.0 release this afternoon and let you know.
ManojReddy_
Contributor

Re: Kerberos auth, IC6000, and AD 2008

In the IC's AD Auth server configuration page, make sure that the new checkbox "Domain Controller is a Windows 2008 server" is checked. This checkbox is newly added in UAC3.0 R1.
lto_
Occasional Contributor

Re: Kerberos auth, IC6000, and AD 2008

Hey,

It works with the new 3.0 :-)

Zubin_
New Contributor

Re: Kerberos auth, IC6000, and AD 2008

Did you have your user do 802.1X on the switch too, and the switch configured to do Kerberos? I'm dealing with a situation where the OAC client needs to do machine auth at the same time using 802.1X on the switches. I have configured the switch to be RADIUS and the UAC is configured to receive the switch's RADIUS auth, but what's confusing me is: is the UAC going to do the conversion from 802.1X RADIUS to Kerberos to verify the AD's LDAP database for the machine name?

I would really appreciate it if you could tell me your experience.

Thanks

lto_
Occasional Contributor

Re: Kerberos auth, IC6000, and AD 2008

Hi Zubin,

I am sorry, the environment described in this thread does not use 802.1X, only layer 3 authentication.

You might want to create a new thread for your issue ;-)

Message Edited by lto on 08-26-2009 05:46 AM