09-12-2011 06:22 AM - edited 03-10-2019 06:23 PM
Hi
I am trying to join my ACS 5.1 to my AD. In the External Identity Stores > Active Directory I have put in the AD administrator details and hit the test button and the test succeeds.
However, when I try to save changes it fails with an error saying it can't connect to the LDAP server.
Error while configuring Active Directory:Error while configuring Active Directory:Unexpected LDAP Error Can't contact LDAP server due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'Mydomain.local', zone 'null' failed.
Anyone seen this before?
I have done this lots of times and never had any issue once the test connection succeeds.
I've checked the time and timezones on both ACS and AD and they are the same.
Thanks, Stephen.
09-12-2011 08:58 AM
Stephen,
Have you had these two connected before or is this the first time you are adding the AD to the ACS?
Robert E Roulhac Jr
09-12-2011 09:13 AM
I had these devices connected before and then I changed IP addresses of the DC and ACS.
I can't understand why the test connection is successful then it fails to save the config.
DNS works fine from the DC and ACS. They can both resolve each other's new IP ok.
Thanks, Stephen.
09-12-2011 01:19 PM
Looks like a bug.
I'm going to upgrade to the latest 5.2 when I can.
Stephen.
09-13-2011 06:37 AM
Stephen,
Have you made changes in the DNS server to resolve the new IP address of the DC to the DC domain name?
Have you made sure the DC domain name that you have configured in the ACS is the same as the DC domain name that you have configured the DC server to have?
The ACS finds the DC by DNS lookup. If you have changed the IP addresses, the two might still be able to ping one another because the underlying network is configured correctly, but if you have not gone in and changed the DNS server so that the DC's domain name maps to the new IP address, this could also cause the ACS to be able to ping the DC (which is why the test succeeds) but not be able to actually send or receive data traffic to and from the DC.
I would check that as well.
Robert E Roulhac Jr
09-13-2011 02:03 PM
Upgraded to the very latest 5.2 patch and still the same.
The DNS would seem fine. I can ping the ACS and AD from each other by name.
The only possible clue I can see in a Wireshark capture is a couple of Kerberos errors.
KRB5KDC_ERR_ETYPE_NOSUPP
KRB5KRB_APP_ERR_SKEW
The second one seems to indicate a time difference between ACS and AD but as far as I can see they are both the same.
Don't know if this is relevant but it is the only clue I can find.
Stephen
09-14-2011 06:02 AM
Fixed
I configured my DC as a timeserver and pointed ACS to the DC and it connected to the DC.
At least I've got the ACS upgraded to the latest version as a result of this.
Stephen.
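The two Kerberos errors in the capture (KRB5KRB_APP_ERR_SKEW and KRB5KDC_ERR_ETYPE_NOSUPP) and the eventual fix (pointing the ACS at the DC as its time source) illustrate a check worth doing before any AD join: compare the two clocks in UTC, not by eye. The script below is an added example, not anything posted in this thread and not an ACS or Windows API; the timestamps and capture lines are constructed. It pulls Kerberos error names out of sample capture text, maps the two names seen above to triage hints, and computes the real skew between two timestamps that read identically on the wall clock but carry different zone offsets, which is exactly the case where "both times look the same" yet the KDC rejects the request.

```python
"""Pre-join sanity check: Kerberos error triage and UTC clock-skew test.

Added example for this thread. Sample capture lines and timestamps below are
constructed; nothing here talks to an ACS, a DC or the network.
"""
import re
from datetime import datetime, timezone, timedelta

# Maximum clock skew a Kerberos KDC tolerates by default (RFC 4120 recommends
# five minutes; Windows domain controllers use the same default).
MAX_SKEW = timedelta(minutes=5)

# The two error names observed in the thread, with defender-side triage hints.
KRB_ERRORS = {
    "KRB5KRB_APP_ERR_SKEW": (
        "client and KDC clocks differ by more than the allowed skew; "
        "verify NTP source and time zone on both sides in UTC"
    ),
    "KRB5KDC_ERR_ETYPE_NOSUPP": (
        "KDC holds no key for the encryption type the client offered; "
        "compare the enctypes allowed on the account/KDC with the client's"
    ),
}

# Constructed capture excerpt, loosely in the shape of a Wireshark info column.
SAMPLE_CAPTURE = """\
12  0.4012  10.0.0.5 -> 10.0.0.10  KRB5  AS-REQ
13  0.4031  10.0.0.10 -> 10.0.0.5  KRB5  KRB-ERROR  KRB5KDC_ERR_ETYPE_NOSUPP
14  0.4102  10.0.0.5 -> 10.0.0.10  KRB5  AS-REQ
15  0.4120  10.0.0.10 -> 10.0.0.5  KRB5  KRB-ERROR  KRB5KRB_APP_ERR_SKEW
"""

_KRB_NAME = re.compile(r"\bKRB5[A-Z0-9_]+\b")


def extract_krb_errors(capture_text):
    """Return the distinct Kerberos error names found in capture text, in order."""
    seen = []
    for name in _KRB_NAME.findall(capture_text):
        if name not in seen:
            seen.append(name)
    return seen


def triage(error_names):
    """Map each observed error name to a triage hint; unknown names are flagged."""
    return {
        name: KRB_ERRORS.get(name, "unrecognised error name; see RFC 4120 section 7.5.9")
        for name in error_names
    }


def parse_timestamp(text):
    """Parse 'YYYY-MM-DD HH:MM:SS +HHMM' into an aware datetime normalised to UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def clock_skew(client_ts, kdc_ts):
    """Absolute skew in seconds between two timestamps, compared in UTC."""
    delta = parse_timestamp(client_ts) - parse_timestamp(kdc_ts)
    return abs(delta.total_seconds())


def skew_ok(client_ts, kdc_ts):
    """True if the two clocks are within the KDC's tolerated skew."""
    return clock_skew(client_ts, kdc_ts) <= MAX_SKEW.total_seconds()


if __name__ == "__main__":
    # Same wall-clock reading on both boxes, but one box carries a +0100 zone
    # offset: a 3600-second skew that "looks the same" when read by eye.
    acs_time = "2011-09-13 14:03:00 +0100"
    dc_time = "2011-09-13 14:03:00 +0000"
    print("skew seconds:", clock_skew(acs_time, dc_time), "ok:", skew_ok(acs_time, dc_time))
    for name, hint in triage(extract_krb_errors(SAMPLE_CAPTURE)).items():
        print(f"{name}: {hint}")
```

Run it as-is to see the two constructed errors triaged and the hidden one-hour skew reported; to use it against a real capture, feed the text of the info column to `extract_krb_errors` and the two boxes' `date` output (with zone offset) to `clock_skew`.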
09-14-2011 06:37 AM
Stephen,
I am glad you figured it out and do apologize for not being more responsive. If there is anything else I could help with in the future, let me know.
Robert E Roulhac Jr