topic Hi Wilson, in Network Access Control

ACS 5.8 unable to retrieve user group attributes

noticketnomas — Mon, 11 Mar 2019 06:57:10 GMT

I recently upgraded my ACS from 5.6 to 5.8 with the latest patch installed. Since then, it's been unable to retrieve user group attributes from Windows AD, which effective breaks all my authorization policies.

-The ACS-AD connector account belongs in both the "domain admins" and "domain users" group.

-I have verified the AD connector account have sufficient permissions to read group attributes.

-The ACS can retrieve group attributes from "domain admin" users, but not from the other groups.

I have included a screenshot of the error log. Is anyone else running into a similar issue or know how to fix it? Thanks.

Hi Wilson,

Jatin Katyal — Wed, 27 Jul 2016 05:58:26 GMT

Hi Wilson,

Please turn the ad_agent to DEBUG level and then look for this error message in the "show acs-logs filename ACSADAgent.log | in LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS

You can also share the AD agent logs with me.

Let me know.

Regards,

Jatin

~ Do rate helpful posts

Thanks, Jatin. Please let me

noticketnomas — Thu, 28 Jul 2016 03:17:37 GMT

Thanks, Jatin. Please let me know if I did this correctly.

1. went into acs-config. ran "debug-adclient enable"

2. show logging application ACSADAgent.log = no debug output

3. show logging application ad_agent.log = a lot of debug output. However, I don't see any error related to token groups. I do see the following error when I manually query a domain user from the ACS:

27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmTransactAcquireCredentialsHandle()

,lsass/client/ntlm/clientipc.c:299

27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmClientAcquireCredentialsHandle(),l

sass/client/ntlm/acquirecreds.c:84

27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmServerAcquireCredentialsHandle(),l

sass/server/ntlm/acquirecreds.c:103

27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmTransactAcquireCredentialsHandle()

,lsass/client/ntlm/clientipc.c:299

27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmClientAcquireCredentialsHandle(),l

sass/client/ntlm/acquirecreds.c:84

27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),ntlm_gss_init_sec_context(),lsass/inte

rop/gssntlm/gssntlm.c:891

27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmServerAcquireCredentialsHandle(),l

sass/server/ntlm/acquirecreds.c:103

27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmTransactAcquireCredentialsHandle()

,lsass/client/ntlm/clientipc.c:299

27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmClientAcquireCredentialsHandle(),l

sass/client/ntlm/acquirecreds.c:84

27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmServerAcquireCredentialsHandle(),l

sass/server/ntlm/acquirecreds.c:103

update: from my last query, I was finally able to see the token groups error, though it's not consistently showing up. let me try and generate the error again.

update 2: before you ask - yes, I ran the dsacls command for the ACS connector machine account in AD, but that did not appear to help with the issue.

Glad that added the last 2

Jatin Katyal — Thu, 28 Jul 2016 15:19:26 GMT

Glad that added the last 2 updates. Can you explain how you ran the dsacls command on the DC.

~ Jatin

Do rate helpful posts.

This is what I used:

noticketnomas — Thu, 15 Dec 2016 22:33:57 GMT

This is what I used:

dsacls "OU=(company users),DC=(company domain),DC=local" /I:T /G (company domain)\(ACS account):RP;tokenGroups