CLEANACCESS Archives

May 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Jay Patel <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Tue, 20 May 2008 12:56:24 -0400
Content-Type: text/plain
I had to set up AD SSO with group policies, login scripts and roaming profiles on a remote file server.  If you're interested, email me offline and I will forward you the whiteboard image of the whole process drawn out.  Lots of packet sniffing and I still don't think I am 100% there. -j

----

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Stempien, Dave
Sent: Tuesday, May 20, 2008 12:48 PM
To: [log in to unmask]
Subject: Re: AD SSO - required open ports?

Not that I am aware of...

On 5/20/08 12:42 PM, "Jay Patel" <[log in to unmask]> wrote:

> It truly is a beast.  Are you using roaming profiles?
>
> ----
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Stempien, Dave
> Sent: Tuesday, May 20, 2008 12:29 PM
> To: [log in to unmask]
> Subject: AD SSO - required open ports?
>
> Does anyone have a definitive list of the ports required to be open in the
> unauthenticated role for AD SSO to work?  I've opened the following ports to
> our DCs per the suggestion of the Cisco documentation:
>
> TCP 88 - Kerberos
> TCP 135 - RPC
> TCP 389 - LDAP
> TCP 1025 - RPC
> TCP 1026 - RPC
>
> After doing some sniffing, I discovered that our DCs are also using UDP for
> kerberos and LDAP, so I opened the following:
>
> UDP 88 - UDP-Kerberos
> UDP 389 - UDP-LDAP
>
> Also, per a previous suggestion by Cisco TAC, I also opened:
>
> TCP 445 - SMB
>
> Finally, ICMP and DNS are also allowed.
>
> Currently, my test machine won't even completely log into the domain let
> alone perform SSO.  It's stuck at "Applying computer settings..."  If I
> completely disable my unauthenticated policy (except for ICMP and DNS), I
> can log into my test machine using cached credentials.
>
> Has anyone else beaten this beast and care to share your experiences?
>
> Thanks!
>
> --
> Dave Stempien, Network Security Engineer
> University of Rochester Medical Center
> Information Systems Division
> (585) 784-2427
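The "sniff and see what the DC is actually talking on" step that Dave describes above, turned into a small script. This is an added example for this thread, not code from either poster or from Cisco; the domain controller addresses, the flow summary lines and the port names are all constructed for illustration, and the allowlist is the one Dave posted (Kerberos, RPC, LDAP, SMB, DNS, ICMP). It reads a list of observed flows, keeps only those aimed at the DCs, and prints every protocol/port pair that the unauthenticated role does not yet permit, which is exactly the list you would need to add to the role.

```python
"""Diff flows observed toward the domain controllers against the
Clean Access unauthenticated-role allowlist and report the gaps.

Added example for the "AD SSO - required open ports?" thread.  The DC
addresses and the sample capture below are constructed, not taken from
the poster's network.
"""

from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst dport")

# Allowlist exactly as posted in the thread: (protocol, destination port).
# ICMP has no port, so it is matched on protocol alone (port None).
ALLOWED = {
    ("tcp", 88), ("tcp", 135), ("tcp", 389), ("tcp", 1025), ("tcp", 1026),
    ("udp", 88), ("udp", 389),          # added after sniffing
    ("tcp", 445),                       # per Cisco TAC
    ("udp", 53), ("tcp", 53),           # DNS
    ("icmp", None),
}

# Assumed DC addresses (hypothetical).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}

# Well-known services, used only to label the report.
PORT_NAMES = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 137: "NetBIOS name",
    138: "NetBIOS datagram", 139: "NetBIOS session", 389: "LDAP", 445: "SMB",
}

# Constructed capture summary: "proto src dst dport" per line, "-" = no port.
# Mimics what a tshark/tcpdump summary of one logon attempt might look like.
SAMPLE_CAPTURE = """\
tcp  10.1.1.50 10.0.0.10 88
udp  10.1.1.50 10.0.0.10 88
tcp  10.1.1.50 10.0.0.10 135
tcp  10.1.1.50 10.0.0.10 1027
tcp  10.1.1.50 10.0.0.11 445
udp  10.1.1.50 10.0.0.11 389
tcp  10.1.1.50 10.0.0.11 139
udp  10.1.1.50 10.0.0.11 137
icmp 10.1.1.50 10.0.0.10 -
tcp  10.1.1.50 192.0.2.7  80
"""


def parse_flows(text):
    """Parse 'proto src dst dport' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, dport = line.split()
        port = None if dport == "-" else int(dport)
        flows.append(Flow(proto.lower(), src, dst, port))
    return flows


def missing_rules(flows, allowed=ALLOWED, dcs=DOMAIN_CONTROLLERS):
    """Return the sorted (proto, port) pairs seen toward a DC but not allowed.

    Traffic to non-DC destinations is ignored: the question is only which
    DC-bound flows the unauthenticated role still blocks.
    """
    gaps = set()
    for f in flows:
        if f.dst not in dcs:
            continue
        key = (f.proto, None if f.proto == "icmp" else f.dport)
        if key not in allowed:
            gaps.add(key)
    return sorted(gaps, key=lambda k: (k[0], -1 if k[1] is None else k[1]))


def describe(rule):
    """Format a rule the way the thread lists them, e.g. 'TCP 139 - NetBIOS session'."""
    proto, port = rule
    if port is None:
        return proto.upper()
    name = PORT_NAMES.get(port)
    if name is None:
        # 1025-5000 was the default dynamic RPC range on Windows Server 2003,
        # which is why 1025/1026 show up in the posted allowlist.
        name = "unassigned, possibly a dynamic RPC endpoint" if port >= 1025 else "unknown"
    return f"{proto.upper()} {port} - {name}"


def report(text):
    """Convenience wrapper: capture text in, list of rule strings out."""
    return [describe(r) for r in missing_rules(parse_flows(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

Note that a port that appears only because the RPC endpoint mapper handed out a different dynamic port on this run (the constructed TCP 1027 above) will keep moving between logons, so the honest fix for that class of finding is to pin the DCs' dynamic RPC range and allow that whole range, not to keep chasing individual ports. NetBIOS session/name traffic (139/137) shows up when the client falls back from direct-hosted SMB on 445; whether you allow it or make the client stop trying it is a policy call, but the script at least makes the choice visible.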
