ACS 5.3 patch and AD Alternate UPN suffix issue

andrewswanson — Mon, 11 Mar 2019 02:09:34 GMT

hello

i'm using ACS 5.3.0.40.2 and its setup with an AD External Identity store for wireless PEAP MSCHAPv2. AD is configured with Alternate UPN suffixes so that for example:

22056 Subject not found in the applicable identity store(s).

I've checked the release notes for 5.3.0.40.5 and there are some changes/fixes for AD but nothing I can see to explain the behaviour above. Has anyone come across this before? I'm looking to upgrade to 5.3.0.40.5 soon but I really need the Alternate UPN suffixes to work.

mydomain.com is the AD domain name
an Alternate UPN suffix of another.com has been added to AD

A valid AD user can add either the @mydomain.com or the @another.com suffixes to their username and login successfully. This works fine with 5.3.0.40.2 but changes when I upgrade to 5.3.0.40.5 - users who use the @mydomain.com login ok but users using the Alternate UPN @another.com fail with the error:

thanks

andy

ps i've tried LEAP and PEAP/GTC as well but still get the same error when using the Alternate UPN suffix

Re: ACS 5.3 patch and AD Alternate UPN suffix issue

andrewswanson — Sat, 02 Jun 2012 12:20:25 GMT

My aplogies for previous post - seems to have messed up when I copied and pasted. Just to recap, AD and user details are:

Thanks

Andy

AD Domain: AD.MYDOMAIN.COM

Alternate UPN Suffix: ANOTHER.MYDOMAIN.COM

User

UPN: SOMEUSER@AD.MYDOMAIN.COM

cn: SOMEUSER

With ACS 5.3.0.40.2 the user can login with usernames SOMEUSER or SOMEUSER@AD.MYDOMAIN.COM or with the Alternate UPN suffix SOMEUSER@ANOTHER.MYDOMAIN.COM

With ACS 5.3.0.40.5 the user can login with usernames SOMEUSER or SOMEUSER@AD.MYDOMAIN.COM but not with the Alternate UPN suffix SOMEUSER@ANOTHER.MYDOMAIN.COM.

I''ve taken ACS adcleint debugs (when using the Alternate UPN suffix) from both ACS versions (see below). 5.3.0.40.2 works ok but 5.3.0.40.5 fails.From the debugs (line 3 highlighted in red), 5.3.0.40.5 is missing out name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM.

Anyone have any ideas how i get the Alternate UPN suffix working with 5.3.0.40.5 ?

Thanks

Andy

ACS 5.3.0.40.2 debug

...

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> daemon.ipclient1 executing request 'MS-RPC user authentication' in thread 3009473440

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 ms-rpc="" user="" authentication=""> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.bind.cache search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM)), attrs 1c (cacheOps=7, GC=1)

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 ms-rpc="" user="" authentication=""> base.bind.ldap ADSERVER.AD.MYDOMAIN.COM:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM))"

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.cache Cache store ;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes Yes

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.bind.cache search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=SOMEUSER)), attrs 2 (cacheOps=7, GC=0)

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 ms-rpc="" user="" authentication=""> base.bind.ldap ADSERVER.AD.MYDOMAIN.COM:389 search base="DC=AD,DC=MYDOMAIN,DC=COM" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=SOMEUSER))"

...

ACS 5.3.0.40.5 debug

...

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> daemon.ipclient1 executing request 'MS-RPC user authentication' in thread 2985442208

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DIAG <27 ms-rpc="" user="" authentication=""> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM)), attrs 1c (cacheOps=7, GC=1)

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.objecthelper age 61, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 7

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.adagent findObject: NotFound:SOMEUSER@ANOTHER.MYDOMAIN.COM Category:user

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.bind.cache making negative response for Person UserPrincipalName="SOMEUSER@ANOTHER.MYDOMAIN.COM" (GC=0)

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.cache Cache store ;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=AD,DC=MYDOMAIN,DC=COM : update indexes Yes

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.objecthelper 'SOMEUSER@ANOTHER.MYDOMAIN.COM' is not a canonical name

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> util.except (cims::RPC) : Unable to find user SOMEUSER@ANOTHER.MYDOMAIN.COM: The specified user does not exist. (reference ../smb/rpcclient/rpcwrap.cpp:439 rc: -1073741724)

...

ACS 5.3 patch and AD Alternate UPN suffix issue

andrewswanson — Thu, 14 Jun 2012 12:22:21 GMT

opened a TAC for this and found the following:

With ACS5.3.0.40.2:
if search by userPrincipalName failed ACS stripped Alternative UPN suffix and tries to use samaccount name.

With ACS 5.3.0.40.5:
if search by userPrincipalName failed ACS DOES NOT STRIP Alternative UPN suffix

The method used in ACS 5.3.0.40.5 is the correct one from a security viewpoint.

To fully resolve this i'll have a look at either:

educating wireless users to use the correct upn
use ldap to authenticate users against AD (i think the acs ldap plugin can strip suffixes)

cheers

andy

topic Re: ACS 5.3 patch and AD Alternate UPN suffix issue in Network Access Control

ACS 5.3 patch and AD Alternate UPN suffix issue

Re: ACS 5.3 patch and AD Alternate UPN suffix issue

ACS 5.3 patch and AD Alternate UPN suffix issue