ACS 5.1 AD join fails

StevieOliver_2 · ‎09-12-2011

Hi

I am trying to join my ACS 5.1 to my AD. In the External Identity Stores > Active Directory I have put in the AD administrator details and hit the test button and the test succeeds.

However, when I try to save changes it fails with an eror saying it can't connect to the LDAP server.

Error while configuring Active Directory:Error while configuring Active Directory:Unexpected LDAP Error Can't contact LDAP server due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'Mydomain.local', zone 'null' failed.

Anyone seen this before. ?

I have done this lots of times and never had any issue once the test connection succeeds.

I've checked the time and timezones on both ACS and AD and they are the same.

Thanks, Stephen.

rroulhac · ‎09-12-2011

Stephen,

Have you had these two connected before or is this the first time you are adding the AD to the ACS?

Rober E Roulhac Jr

StevieOliver_2 · ‎09-12-2011

I had these devices connected before and then I changed IP addresses of the DC and ACS.

I can't understand why the test connection is successful then it fails to save the config.

DNS works fine from the DC and ACS. They can both resolve each other's new IP ok.

Thanks, Stephen.

StevieOliver_2 · ‎09-12-2011

Looks like bug

CSCtg49699

I'm going to upgrade to the latest 5.2 when I can.

Stephen.

rroulhac · ‎09-13-2011

Stephen,

Have you made changes tin the DNS server to resolve the new ip address of the DC to the DC Domain name?

Have you made sure the DC Domian Name that you have configured in the ACS is the same as the DC Domain Name that you have configured the DC server to have?

The ACS finds the DC by DNS lookup. If you have changed the IP addresses although they might be able to ping one another due to the underlying network being configured correctly, if you have not gone in and changed the ip addressing in the DNS server to match the domain name of the DC to the new IP address this could also possibly cause the ACS to be able to ping the DC (which is why the test succeeds), but not be able to actually send or recieve actual data traffic from the DC.

I would check that as well.

Robert E Roulhac Jr

StevieOliver_2 · ‎09-13-2011

Upgraded to the very latest 5.2 patch and still the same.

The DNS would seem fine. I can ping the ACS and AD from each other by name.

The only possible clue I can see in a Wireshark capture is a couple of Kerberos errors.

KRB5KDC_ERR_ETYPE_NOSUPP

KRB5KRB_APP_ERR_SKEW

The second one seems to indicate a time difference between ACS and AD but as far as I can see they are both the same.

Don't know if this is relevant but it is the only clue I can find.

Stephen

StevieOliver_2 · ‎09-14-2011

Fixed

I configured my DC as a timeserver and pointed ACS to the DC and it connected to the DC.

At least I've got the ACS upgraded to the latest version as a result of this.

Stephen.

rroulhac · ‎09-14-2011

Stephen,

I am glad you figured it out and do apologize for not being more responsive. If there is anything else i could help with in the future let me know.

Robert E Roulhac Jr

rroulhac@cisco.com