Configuring the AD Server and Running the ktpass Command

The following steps prepare and configure the AD server for AD SSO:

Step 1 Create the NAS user account in AD.

Step 2 Install the support tools from the Windows 2003 Server CD.

Step 3 Run the ktpass.exe command.

Creating the NAS User Account in AD

Use the following steps to create the NAS user account in the AD server:

Step 1 In the AD server, go to Start > Administrative Tools > Active Directory Users and Computers.

Step 2 Go to the Users folder under the AD domain. In this example, the AD domain is selab.net.

Step 3 Right-click Users > New > User.

Step 4 Enter the user account name for NAS. In this example, the NAS user account is "ccasso." Click Next after entering the ccasso user name. Figure 11-7 shows the creation of the NAS user account in AD.

Figure 11-7 Creating the NAS User Account in AD

Step 5 At the password screen, enter a password acceptable to AD. The sample password used is Cisco123. Also, select Password Never Expires. (This is common practice for service accounts only.) If you instead allow AD to expire the NAS user password, you must go back into the NAS and update the AD SSO account password each time AD expires it. Click Next when complete.

Step 6 Review the NAS user logon name and password expiration period. If okay, click Finish. You should see the ccasso account successfully created in AD.

Installing the Support Tools from the Windows 2003 Server CD

To install the support tools from the Windows 2003 Server CD, do the following:

Step 1 On the Windows 2003 Server CD (drive D: in this example), go to the D:\SUPPORT\TOOLS directory. You should see the SUPTOOLS.MSI installer package. Double-click it to start the installation process.

Step 2 Follow the typical Windows installation process and click Finish when complete.

Step 3 When complete, go to the C:\Program Files\Support Tools directory, where you should see many new files. ktpass.exe (~80kB) should be there.

CAUTION At the time of this writing, the current verified version of ktpass.exe that works with NAC AD SSO is file version 5.2.3790.0. Other versions of ktpass failed to work with NAC AD SSO. Figure 11-8 shows the compatible ktpass.exe file version for AD SSO.

Figure 11-8 Supported Version of the ktpass.exe File

[Figure 11-8 shows the Version tab of the ktpass.exe file Properties dialog: Description "Kerberos key tab tool", Copyright Microsoft Corporation, and file version 5.2.3790.0 as stated in the Caution above.]

Running the ktpass.exe Command

The ktpass.exe step is required because NAC Appliance runs on a Linux OS whose Kerberos client, at the time of this writing, supports only Data Encryption Standard (DES) keys, whereas Microsoft Active Directory's Kerberos implementation defaults to RC4-HMAC. For the NAC Appliance to authenticate to AD with Kerberos, both sides have to agree on a common encryption type. Running ktpass.exe with +DesOnly on the AD domain controller sets the NAS user account to DES-only encryption (the "Use DES encryption types for this account" option on the account), so that the KDC issues DES keys for it, and writes the resulting key to a keytab file. Keep in mind that DES uses a 56-bit key and is no longer considered strong, and that Windows Server 2008 R2 and later disable DES Kerberos types by default; treat this account as a narrowly scoped service account and do not reuse its password anywhere else.

In addition, ktpass.exe must be run on every domain controller that the NAS communicates with. This applies when multiple domain controllers serve multiple NAS servers under a single domain. The NAS user account itself is replicated to the other domain controllers, but the user mapping performed by ktpass.exe must be applied on each domain controller. Therefore, run the ktpass.exe command on each domain controller defined on the NAS. Because -pass sets the account password to the value given, use the same password on every run. Keep the following in mind:

• ktpass.exe must be run from a command prompt (cmd.exe). Open a command prompt and change to the Support Tools directory with cd \program files\support tools.

• The ktpass.exe command line is rather lengthy. Enter it carefully and check it before pressing Enter, because typos are very common.

The ktpass.exe command syntax is as follows:

ktpass.exe -princ NASusername/Full_AD_DomainName@AD_DOMAIN -mapuser NASusername -pass NASpassword -out c:\NASusername.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

In this case:

• NASusername (the NAS user account name): ccasso

• NASpassword: Cisco123

• Full_AD_DomainName (the fully qualified host name of the AD server, case sensitive): win2003-ad-ca.selab.net

• AD_DOMAIN (the Kerberos realm, which must be all capitals): SELAB.NET

Example 11-5 shows a sample ktpass.exe execution.

Example 11-5 Sample ktpass.exe Command Run

C:\Program Files\Support Tools>ktpass.exe -princ ccasso/win2003-ad-ca.selab.net@SELAB.NET -mapuser ccasso -pass Cisco123 -out c:\ccasso.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

Targeting domain controller: win2003-ad-ca.selab.net
Successfully mapped ccasso/win2003-ad-ca.selab.net to ccasso.
Key created.
Output keytab to c:\ccasso.keytab:
Keytab version: 0x502
keysize 67 ccasso/win2003-ad-ca.selab.net@SELAB.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x91cec19e40f4e3dc)
Account ccasso has been set for DES-only encryption.

NOTE It is highly recommended that the ktpass.exe output be saved for support and troubleshooting purposes with Cisco Technical Assistance Center when needed. Be aware that the output prints the DES key in hex and the command line contains the account password, so store the saved output and the keytab file as secrets, not in a shared ticket or mailbox.
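Beyond reading the last line of the ktpass.exe output, the keytab file itself can be inspected offline to confirm that the account really received a DES key and that the principal, key version (vno) and encryption type match what Example 11-5 reports. The following Python is an added example, not code from the original page or from Cisco or Microsoft; it implements the MIT keytab layout (file version 0x502) that ktpass writes. The two keytab byte strings it parses are constructed here: the first reproduces the fields shown in Example 11-5 (and comes out at the same 67-byte entry size), and the RC4 variant is a hypothetical case showing what the check reports if the DES-only flag was not applied and the KDC handed out an RC4-HMAC key.

```python
"""Parse an MIT-format Kerberos keytab (version 0x502, as written by ktpass.exe)
and check that every entry uses a DES encryption type.

Added example, not from the original page. The keytab byte strings below are
constructed by hand: GOOD_KEYTAB matches the fields ktpass prints in Example
11-5; RC4_KEYTAB is a hypothetical non-DES-only result.
"""
import struct

# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
OTHER_ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
ETYPE_NAMES = {**DES_ETYPES, **OTHER_ETYPES}


def build_keytab(components, realm, name_type, vno, etype, key, timestamp=0):
    """Encode a one-entry keytab the way ktpass lays it out: file version,
    entry length, component count, realm, components, name type, timestamp,
    8-bit vno, then the keyblock (etype, key length, key)."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, vno)
    body += struct.pack(">HH", etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _counted(data, pos):
    """Read a 16-bit length-prefixed string; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Return one dict per keytab entry (principal, size, vno, etype, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        name_type, _timestamp, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:            # optional 32-bit vno, used when vno > 255
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "size": size,
                        "name_type": name_type, "vno": vno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, "unknown"), "key": key})
    return entries


def check_des_only(data):
    """Return (ok, problems): ok is True only if every entry has a DES etype."""
    problems = ["%s etype %d (%s)" % (e["principal"], e["etype"], e["etype_name"])
                for e in parse_keytab(data) if e["etype"] not in DES_ETYPES]
    return (not problems, problems)


PRINCIPAL = ["ccasso", "win2003-ad-ca.selab.net"]

# Constructed to match Example 11-5: keysize 67, ptype 1, vno 3,
# etype 0x3 (DES-CBC-MD5), keylength 8.
GOOD_KEYTAB = build_keytab(PRINCIPAL, "SELAB.NET", name_type=1, vno=3, etype=3,
                           key=bytes.fromhex("91cec19e40f4e3dc"))

# Hypothetical: same principal but an RC4-HMAC key, i.e. what the KDC would
# issue if the DES-only flag had not been set on the account.
RC4_KEYTAB = build_keytab(PRINCIPAL, "SELAB.NET", name_type=1, vno=3, etype=23,
                          key=bytes(16))

if __name__ == "__main__":
    for label, kt in (("DES keytab", GOOD_KEYTAB), ("RC4 keytab", RC4_KEYTAB)):
        ok, problems = check_des_only(kt)
        print(label, "OK" if ok else "NOT DES-only: " + "; ".join(problems))
```

To check a real file, read c:\ccasso.keytab in binary mode and pass the bytes to check_des_only; an entry whose etype is not 1, 2 or 3 means the account was not set to DES-only on the domain controller that wrote it.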
