Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2081
Views
0
Helpful
4
Replies

ACS 5.1 AD group enumeration

Go to solution
ttusher01
Level 1
Level 1

‎05-05-2010 08:25 AM - edited ‎03-10-2019 05:06 PM

I am trying to setup the ACS to authenticate users that are in certain AD groups.

If I go into the ACS cannot seem to enumerate AD groups correctly. Although the AD server shows as connected in the Identity stores (and it tests fine) if you go the the directory groups tab and hit "select" no groups will show up no matter what search string or base you specify. This is seemingly allowing anyone with an AD account to authorize on the switch even though they are not in the specified group.

I also get the following errors showing up in the monitor:

May 5,2010 3:14:26.683 PM
ERROR
AD Operation failure
CSCOacs_Internal_Operations_Diagnostics
33201
AdminInterface=GUI
AdminIPAddress=10.x.x.x
AdminSession=F7434BE137EBD195B586055A58875E3E
AdminName=ACSAdmin
DomainName=DC=mydomain
DC=com
ADOperationResult=No global catalog can be found for domain: mydomain.com

I can assure you that AD isnt broken for other things, and all the DNS underscore zones, etc are all there. No AD servers are down or offline, etc.

Any ideas?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎05-15-2010 10:59 PM


If AD is connected to the ACS, but you can’t retrieve the group directories from it and getting "ADOperationResult=No global catalog can be found for domain" found the let me inform you that this is an on-going issue and will be fixed in ACS 5.1 patch 3 that is not yet released. We are expecting the availability of this patch on CCO in the mid of June

CSCtf39158    Can't retrieve AD groups in single forest with multiple trees scenarios


Regds,

JK


Do rate helpful posts-

~Jatin

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎05-15-2010 10:59 PM


If AD is connected to the ACS, but you can’t retrieve the group directories from it and getting "ADOperationResult=No global catalog can be found for domain" found the let me inform you that this is an on-going issue and will be fixed in ACS 5.1 patch 3 that is not yet released. We are expecting the availability of this patch on CCO in the mid of June

CSCtf39158    Can't retrieve AD groups in single forest with multiple trees scenarios


Regds,

JK


Do rate helpful posts-

~Jatin
0 Helpful

Go to solution
ttusher01
Level 1
Level 1
In response to Jatin Katyal

‎05-19-2010 12:01 PM

This does fit my scenario as far as I can tell - though I am still working with TAC on it. Hopefully patch 3 comes early, as this is a show stopper for our implementation.

0 Helpful

Go to solution
ttusher01
Level 1
Level 1
In response to ttusher01

‎06-09-2010 07:49 AM

Patch 3 fixed this problem

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to ttusher01

‎06-09-2010 08:03 AM

I would appreciaciate if you mark this thread as RESOLVED so that others can take benefit out of it.

~Jatin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents