06-20-2012 08:42 PM
hi all,
We are trying to deploy the web application for CRM 2011 with a network load balancer (NLB) under our SSLVPN. There is no problem accessing the CRM via the NLB on an internal workstation. After the configuration under our SA, we can see the link after logging on to the SA. Then I clicked the link, and it keeps prompting us to enter the logon and password even though I typed in the correct ID and password.
Any special setting it needs?
And our SSLVPN is SA 4500 with 7.1R2 (build 18193) and NLB is F5 1600.
Thanks,
Kat
06-20-2012 09:33 PM
Are you staying on the same system? If you bypass the NLB, does it work?
What does your user access log show?
Are you trying to do SSO as well?
06-20-2012 11:00 PM
Yes, I stayed in the same environment. If it points to either one of the hosts, it is working fine. And it is working fine as well without SSLVPN.
How do I check the user log? I'm just a beginner with the SA.
Yes, I applied SSO already.
How do I start to troubleshoot?
Regards,
Lawpak
06-21-2012 01:11 AM
I find a minor ERR24617
2012-06-21 14:47:37 - XXXXX-SA-01 - [202.XX.XX.XX] XXXXXXX\kat.law(XXXXX Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.XXXXX.COM, host crm_vpn.hk.aedas.com failed: Fetch TGS fetch error: Server not found in Kerberos database
Is it related?
regards,
Lawpak
06-21-2012 05:16 AM
Hi Lawpak,
Does CRM access work if you disable the SSO?
I believe that you are using Kerberos SSO. "Server not found in Kerberos database" can come up if the KDC (Key Distribution Center) could not translate the SPN (Server Principal Name) from the KDC request into an account in the Active Directory. This generally happens due to multiple SPNs being created for the service on the domain controller.
Please use the below KB to resolve the issue:
http://kb.juniper.net/InfoCenter/index?page=conten
Also, instead of using Kerberos SSO, can you try using NTLM if possible?
Hope this helps.
NOTE:
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!
Regards,
Kannan
06-21-2012 08:41 AM
lawpak wrote:
I find a minor ERR24617
2012-06-21 14:47:37 - XXXXX-SA-01 - [202.XX.XX.XX] XXXXXXX\kat.law(XXXXX Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.XXXXX.COM, host crm_vpn.hk.aedas.com failed: Fetch TGS fetch error: Server not found in Kerberos database
Is it related?
regards,
Lawpak
Yes, that means that crm_vpn.hk.aedas.com does not exist as a server in your environment that the user has access to for KDC intermediation.
Officially, Microsoft does not support SSO with KDC using load balancing as each server needs to be listed. I have heard of it working as long as an alias exists for that server in the AD database.
06-21-2012 06:22 PM - edited 06-21-2012 08:10 PM
Hi Kannan,
I tried the command "setspn -x" on my DCs, but the result looks like there is no "-x" option. The result is listed below:
(My AD version is 2003)
And I have tested it without SSO also; it still keeps prompting me to input the login ID and password.
regards,
lawpak
-------------------------------------
setspn -x
Usage: setspn [switches data] computername
  Where "computername" can be the name or domain\name

  Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R computername
   -A = add arbitrary SPN
    Usage:   setspn -A SPN computername
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN computername
   -L = list registered SPNs
    Usage:   setspn [-L] computername

Examples:
setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -A http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"
-------------------------------------
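Added example, not part of any post in this thread: since the setspn shown above has no duplicate-check switch, one way to look for the two conditions discussed in the replies (no account holds the SPN, or more than one does) is to scan an LDIF export of the servicePrincipalName attribute. The input format, the function names and every host and account name in the sample are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: every account and host name below is made up.
SAMPLE_LDIF = """\
dn: CN=CRM01,OU=Servers,DC=example,DC=test
servicePrincipalName: HOST/crm01.example.test
servicePrincipalName: HTTP/crm01.example.test

dn: CN=CRM02,OU=Servers,DC=example,DC=test
servicePrincipalName: HOST/crm02.example.test
servicePrincipalName: http/CRM01.example.test

dn: CN=svc-crm,OU=Service Accounts,DC=example,DC=test
servicePrincipalName: HTTP/crm-pool.example.test
"""


def parse_spns(ldif_text):
    """Map each lower-cased SPN to the set of account DNs that register it."""
    owners = defaultdict(set)
    dn = None
    # LDIF folds long lines onto a continuation line starting with one space.
    for line in ldif_text.replace("\n ", "").splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            dn = None  # blank (or unparsed) line ends the current record
        elif key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "serviceprincipalname" and dn:
            owners[value.strip().lower()].add(dn)  # SPNs compare case-insensitively
    return owners  # base64 ("::") values are skipped, not decoded


def check_spn(owners, service, host):
    """Classify the SPN a client would request for service/host."""
    accounts = sorted(owners.get(f"{service}/{host}".lower(), ()))
    if not accounts:
        return "missing", []        # no account holds the SPN
    if len(accounts) > 1:
        return "duplicate", accounts  # SPN is ambiguous across accounts
    return "ok", accounts


if __name__ == "__main__":
    spns = parse_spns(SAMPLE_LDIF)
    # Hypothetical load-balanced name first, then the individual hosts.
    for host in ("crm-vip.example.test", "crm01.example.test", "crm-pool.example.test"):
        print(host, *check_spn(spns, "HTTP", host))
```

Run against a real export, the name to check is the one users reach through the load balancer, since that is the host the ticket request is made for.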
06-21-2012 09:22 PM
Are you using Server 2003 or 2008?
06-21-2012 11:35 PM
Our DC is Windows 2003 and the AD version is 2003 as well.
regards,
lawpak
06-23-2012 12:22 AM