
ACS 3.1 authenticating vs a Win2K domain migration to Active Directory

flopes
Level 1

Folks,

My customer is currently running ACS 3.1 against a Win2K domain controller external database. They are in the process of migrating to Active Directory. We put up a secondary ACS 3.1 server to authenticate against the AD domain controller, and when setting up the external database configuration, I try to add the group mapping to the AD domain and I get an error:

"Failed to Enumerate Windows Group. If you are using Active Directory please consult the installation instructions." I don't know if this is what's keeping my login attempts from authenticating against the AD domain? Has anyone run into this type of issue in the past?

Thanks in Advance.

3 Replies

didyap
Level 6

Ensure that any trusts that will be followed are 2-way. One-way trusts are problematic for ACS.

kris55s
Level 1

Check the NTLM version for Active Directory. ACS will only work with NTLM v1. With anything higher, you will receive the error. We just went through the AD migration and are required to run a higher NTLM version. I was receiving the same error when testing ACS Radius authentication with an AD account. Last time I checked, Cisco is working on making ACS compatible with higher NTLM. We had to stand up a Microsoft IAS server for Radius authentication due to this incompatibility. Or you will need to enter usernames etc. in the local ACS database if you want to continue using ACS for authentication. Hope this helps.

Thanks for the help. I've put up a Windows 2003 Server with IAS running for Radius authentication and am now working on getting the proper permissions for this server to function. Thanks again for the advice.