ACS 3.2 authenticating to AD fails 'LookupAccountSidA Failed'

admin_2
Level 3

The failed log has the error 'External DB Account Restriction'. I have the Permit dial in permission enabled, which was the only thing I could find on that one. In the auth.log I get the following (see below): there is a line that states 'Windows Authentication Successful' followed by a line 'LookupAccountSidA failed' followed by 'User 'TESTAD\testguy1' was not authenticated'. I have not been able to figure out what the second call is that failed, LookupAccountSidA, and why it says successful then failed.

AUTH 09/09/2003 12:07:31 I 0425 1180 AuthenProcessResponse: process response for 'TESTAD\testguy1' against Windows NT/2000

AUTH 09/09/2003 12:07:31 I 0360 1180 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [TESTAD\testguy1]

AUTH 09/09/2003 12:07:31 I 0360 1180 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user testguy1

AUTH 09/09/2003 12:07:31 I 0360 1180 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by PDC)

AUTH 09/09/2003 12:07:31 E 0360 1180 External DB [NTAuthenDLL.dll]: LookupAccountSidA failed

AUTH 09/09/2003 12:07:31 I 1591 1180 Unknown User 'TESTAD\testguy1' was not authenticated

AUTH 09/09/2003 12:07:31 I 5081 1180 Done RQ1027, client 6, status -2046

AUTH 09/09/2003 12:07:31 I 5094 1180 Worker 6 processing message 43.

AUTH 09/09/2003 12:07:31 I 5081 1180 Start RQ1027, client 6 (127.0.0.1)

AUTH 09/09/2003 12:07:31 I 0425 1180 AuthenProcessResponse: process response for 'TESTAD\testguy1' against Windows NT/2000

AUTH 09/09/2003 12:07:31 I 5081 1180 Done RQ1027, client 6, status -1058

3 Replies

gfullage
Cisco Employee

My guess is you're running SP4 on this machine, which is not supported by ACS (only up to SP3) and will give you this error. Downgrade to SP3 and it should work fine.

Let me know if you're not running SP4 as we'll have to look elsewhere, but I've seen this a couple of times already and it was due to SP4 and downgrading resolved the problem.

Not applicable

Both the ACS and AD are running SP3. I installed all the latest critical updates before starting my testing. Do you have any idea what fix in SP4 causes the problems?

Thanks,

Mark

Not applicable

The problem was a permissions issue with the ACS service account; I didn't troubleshoot it completely. Making the ACS server a DC (it was a domain member server) solved the problem. I assume the issue has to do with the permissions given in the 'Local Security Policy', 'Domain Controller Security Policy', or 'Domain Security Policy'.
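
The sequence quoted in the question (Windows authentication SUCCESSFUL, then LookupAccountSidA failed) can be picked out of a longer auth.log, which separates rejected credentials from a failed account lookup after the credentials were accepted. This is an added example, not part of the thread or of any Cisco tooling; the field layout is inferred from the quoted lines, the second numeric field is assumed to identify the processing context, and the testguy2 lines are constructed.

```python
import re

# Sample input: first attempt mirrors the lines quoted in the question,
# second attempt (testguy2) is constructed to show a non-matching case.
SAMPLE_LOG = r"""
AUTH 09/09/2003 12:07:31 I 0360 1180 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [TESTAD\testguy1]
AUTH 09/09/2003 12:07:31 I 0360 1180 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user testguy1
AUTH 09/09/2003 12:07:31 I 0360 1180 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by PDC)
AUTH 09/09/2003 12:07:31 E 0360 1180 External DB [NTAuthenDLL.dll]: LookupAccountSidA failed
AUTH 09/09/2003 12:07:31 I 1591 1180 Unknown User 'TESTAD\testguy1' was not authenticated
AUTH 09/09/2003 12:08:02 I 0360 1180 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [TESTAD\testguy2]
AUTH 09/09/2003 12:08:02 I 0360 1180 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by PDC)
"""

# Assumed layout: AUTH <date> <time> <severity> <number> <context id> <message>
LINE_RE = re.compile(r"^AUTH (\S+ \S+) ([A-Z]) (\d+) (\d+) (.*)$")
START_RE = re.compile(r"Starting \S+ authentication for user \[([^\]]+)\]")


def find_post_auth_lookup_failures(log_text):
    """Return attempts where Windows accepted the credentials but the
    follow-up LookupAccountSidA call failed (a lookup/permission problem
    on the ACS side rather than a wrong password)."""
    findings = []
    state = {}  # context id -> {"user": str or None, "auth_ok": bool}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        stamp, severity, _number, ctx, msg = m.groups()
        cur = state.setdefault(ctx, {"user": None, "auth_ok": False})
        started = START_RE.search(msg)
        if started:
            # A new attempt begins: remember the user, clear old state.
            cur["user"], cur["auth_ok"] = started.group(1), False
        elif "Windows authentication SUCCESSFUL" in msg:
            cur["auth_ok"] = True
        elif severity == "E" and "LookupAccountSidA failed" in msg:
            if cur["auth_ok"]:
                findings.append({"time": stamp, "user": cur["user"]})
            cur["auth_ok"] = False
    return findings


if __name__ == "__main__":
    for hit in find_post_auth_lookup_failures(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['user']}: credentials accepted, SID lookup failed")
```
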