KB25351 - Can the Pulse Policy Secure's machine account be added in the backend Active Directory for SPNEGO SSO to add the SPN to the user for Active Directory Integration?

This article provides information on whether the Pulse Policy Secure’s machine account in the backend AD is supported for SPNEGO SSO to add the SPN to the user for Active Directory Integration.

 

• Pulse Policy Secure's machine account in the backend AD is not supported in SPNEGO SSO for adding the SPN to the user for Active Directory Integration.

 

• Only a User account can be added to the SPN.

Pulse Policy Secure’s Machine account is not supported in SPNEGO SSO to add SPN to the user for Active Directory Integration. Only a User account can be added to the SPN; this will be used to create the keytab file in the Active directory by using ktpass.exe.

During AD authentication, PPS joins the Active Directory domain controller as a machine, by authenticating itself and this allows the PPS to obtain group information for all the authenticated users. The PPS account that is created in the backend is usually in the following format:
 

• Account Name: vc0000aabbccdd (or the name entered as Computer Name on the AD Auth Server page)

 

• Account password: (this password of IC keeps changing)

As the PPS machine account password keeps changing, creating a keytab file with the machine account in AD for SPNEGO SSO will result in failure. So, it is recommended to create a dedicated user account with the following settings:

User Account Settings required on Active Directory:
 

• You must set a password for the user.

 

• The user must change the password on next logon option should not be enabled.

 

• The Password never expires option should be enabled.

If the Keytab file is generated with the machine account, the following error message is generated in the the PPS user access log with the SPNEGO SSO failure information:

Info WEB24618 2012-03-27 18:46:02 - ic - [172.19.111.1] dav\engineer(Users)[engss] - Web SSO: Fetched Kerberos TGT Ticket Client: engineer@abc.def, Server: krbtgt/DAV.LUX@ABC.DEF, auth 06/27/12 18:46:02, start 06/27/12 18:46:02, end 06/28/12 04:46:02, renew 01/01/70 01:00:00, current 03/27/12 18:46:02
Info AUT23457 2012-03-27 18:45:39 - ic - [172.19.111.1] System(Users)[] - Login failed using auth server AD2008 (Samba). Reason: SPNEGO_SSO
Info AUT24327 2012-03-27 18:45:39 - ic - [172.19.111.1] System(Users)[] - Primary authentication failed for /AD2008 from 172.19.111.1

The above failure can be resolved by creating a dedicated user account for SPNEGO in the backend Active Directory Server and adding the SPN to this user via ktpass.exe (this will generate the keytab). This keytab file can be re-imported to the PPS Active Directory authentication server for successful SPNEGO SSO authentication.

Note: The SPNEGO SSO feature is available only in Pulse Policy Secure that run 4.2X or later.