KB25351 - Can the Pulse Policy Secure's machine account be added in the backend Active Directory for SPNEGO SSO to add the SPN to the user for Active Directory Integration?

Information

Last Modified Date: 8/1/2015 7:34 PM
Synopsis
This article provides information on whether the Pulse Policy Secure’s machine account in the backend AD is supported for SPNEGO SSO to add the SPN to the user for Active Directory Integration.

 
Problem or Goal
  • Pulse Policy Secure's machine account in the backend AD is not supported in SPNEGO SSO for adding the SPN to the user for Active Directory Integration.
 
  • Only a User account can be added to the SPN.
Cause
Solution
Pulse Policy Secure's machine account is not supported in SPNEGO SSO for adding the SPN to the user for Active Directory Integration. Only a user account can be mapped to the SPN; that account is then used to create the keytab file from Active Directory with ktpass.exe.

During AD authentication, PPS joins the Active Directory domain as a machine by authenticating itself to the domain controller; this is what allows the PPS to obtain group information for all authenticated users. The PPS account created in the backend usually has the following format:
 
  • Account Name: vc0000aabbccdd (or the name entered as Computer Name on the AD Auth Server page)
 
  • Account password: (set by the IC/PPS itself; this password keeps changing)

Because the PPS machine account password keeps changing, a keytab file generated from the machine account in AD soon no longer matches the account's current key, and SPNEGO SSO fails. It is therefore recommended to create a dedicated user account with the following settings:

User account settings required in Active Directory:
 
  • You must set a password for the user.
 
  • The "User must change password at next logon" option must not be enabled.
 
  • The "Password never expires" option must be enabled.

If the keytab file is generated with the machine account, the following messages are written to the PPS user access log, showing the SPNEGO SSO failure:
Info WEB24618 2012-03-27 18:46:02 - ic - [172.19.111.1] dav\engineer(Users)[engss] - Web SSO: Fetched Kerberos TGT Ticket Client: engineer@abc.def, Server: krbtgt/DAV.LUX@ABC.DEF, auth 06/27/12 18:46:02, start 06/27/12 18:46:02, end 06/28/12 04:46:02, renew 01/01/70 01:00:00, current 03/27/12 18:46:02
Info AUT23457 2012-03-27 18:45:39 - ic - [172.19.111.1] System(Users)[] - Login failed using auth server AD2008 (Samba). Reason: SPNEGO_SSO
Info AUT24327 2012-03-27 18:45:39 - ic - [172.19.111.1] System(Users)[] - Primary authentication failed for /AD2008 from 172.19.111.1
The above failure can be resolved by creating a dedicated user account for SPNEGO in the backend Active Directory Server and adding the SPN to this user via ktpass.exe (this will generate the keytab). This keytab file can be re-imported to the PPS Active Directory authentication server for successful SPNEGO SSO authentication.
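An added PowerShell example (not from the original article) that creates the dedicated SPNEGO user with the settings listed above, maps the SPN to it with ktpass.exe, and checks the result. The domain, realm, account name, PPS host name, encryption type and keytab path are placeholder assumptions; the encryption type must be one the PPS release in use supports.

```powershell
# Added example, not from the article. All names below are placeholders:
# adjust the domain, the PPS host name used in the SPN and the output path.
Import-Module ActiveDirectory

$Domain  = 'abc.def'                        # placeholder AD DNS domain
$Realm   = $Domain.ToUpper()                # Kerberos realm, conventionally upper-case
$NetBios = 'ABC'                            # placeholder NetBIOS domain name
$User    = 'svc-pps-spnego'                 # dedicated user account for SPNEGO SSO
$PpsFqdn = 'pps.abc.def'                    # placeholder: FQDN browsers use to reach the PPS
$Spn     = "HTTP/$PpsFqdn"
$Keytab  = 'C:\keytabs\pps-spnego.keytab'

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $User"

# 1. Create the user with the settings the article requires:
#    a set password, no change-at-next-logon, password never expires.
New-ADUser -Name $User -SamAccountName $User `
    -UserPrincipalName "$User@$Domain" `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# 2. Map the SPN to the user and write the keytab with ktpass.exe.
#    ktpass sets the account password to the value given with /pass and stores
#    the key derived from it in the keytab, so the same password is reused here.
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
ktpass.exe /princ "$Spn@$Realm" /mapuser "$NetBios\$User" /pass $Plain `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $Keytab
$Plain = $null

# 3. Verify: the SPN is registered on the user and the password does not expire,
#    which is the condition the machine account cannot meet.
$Check = Get-ADUser -Identity $User -Properties ServicePrincipalNames, PasswordNeverExpires
if ($Check.ServicePrincipalNames -notcontains $Spn) { throw "SPN $Spn is not mapped to $User" }
if (-not $Check.PasswordNeverExpires) { throw "$User password is set to expire" }
Write-Host "Keytab written to $Keytab; import it on the PPS Active Directory auth server."
```

The resulting keytab is the file to import on the PPS Active Directory authentication server, as described above.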

Note: The SPNEGO SSO feature is available only in Pulse Policy Secure releases 4.2X or later.
Created By: Data Deployment