08-13-2012 12:25 PM - edited 03-10-2019 07:25 PM
I am trying to upgrade from a production ACS 4.2 installation that utilizes the Windows server that the ACS is installed on as the underlying authentication mechanism to ACS 5.2 that now joins to the domain. I have read several posts and haven't yet found a solution to my problem.
So, we have a domain/forest of Domain X and this is where the ACS server is bound. We have another domain/forest of Domain Y. We have a two=way transitive trust between the two domains. Users can authenticate just fine if they specify the domain name. However, if they leave off the domain, then only users in Domain X can authenticate.
So, the following works to authenticate:
Domain X\username
Domain Y\username
username - if a Domain X username
What doesn't work to authenticate is:
username - if a Domain Y username
How can I tell ACS to authenticate users to a specific list of domains, perhaps in a certain order or perhaps to a default domain. We have many more users in Domain Y. So, if I needed to set a default domain, I could set it to Domain Y and tell the Domain X users to be sure to place the domain in front. Alternatively, it seems I could move the AD binding to Domain Y. However, while the trust is there, the Domain Y is at a different University and I would prefer to keep the ACS server bound to Domain X.
When I try to search for the Directory Groups, I only get groups from Domain X. I cannot even manually type the groups for Domain Y. It accepts them, but they do not work. Inevitably, it results in an error of 22056 Subject not found in the applicable identity store(s). if I leave off the Domain Y.
Any help is appreciated. If more information is needed to assist, please let me know what you need.
Thanks!
Jodie
Solved! Go to Solution.
08-13-2012 12:29 PM
Jodie,
Are the samaccountname unique across the entire forest? This seems to be a trust type related issue and I have seen this crop up in recent times, here is a article that might help you identify the trust type in order to make this work:
https://supportforums.cisco.com/thread/2162234
Thanks,
Tarik Admani
*Please rate helpful posts*
08-25-2012 11:31 PM
The authentication request will still go though but ACS will reject the request based on the authorization policy that you define on ACS. It is policy based and you can add external groups from AD as a deciding factor if a user gets access or not. Please let me know if you need help setting this up.
(sorry for the late reply, i though i got to this when you posted it before)
Tarik Admani
*Please rate helpful posts*
08-13-2012 12:29 PM
Jodie,
Are the samaccountname unique across the entire forest? This seems to be a trust type related issue and I have seen this crop up in recent times, here is a article that might help you identify the trust type in order to make this work:
https://supportforums.cisco.com/thread/2162234
Thanks,
Tarik Admani
*Please rate helpful posts*
08-13-2012 01:36 PM
Thanks for the reply Tarik. It turns out we have a forest trust and not an external trust which is needed in this case. So, I will have to look at binding ACS to the Domain Y.
Thanks!
Jodie
08-13-2012 02:24 PM
Hi Tarik,
So, I tried binding the ACS server to Domain Y and now I am able to authenticate users in Domain Y without them having to enter Domain Y\username. However, I now cannot authenticate users in Domain X even with Domain X\username. Any thoughts?
I do not know the answer to your question about samaccountnames being unique across the entire forest. What I know and what is frustrating is that ACS 4.2 works. I realize why it does - because it depends on the underlying Windows OS and NTLM authentication and not kerberos (which I believe is what this is). But, there should be a way to authenticate both domains under the new ACS. I don't have the ability to change the trust type from a forest trust to an external trust.
Any ideas?
Thanks!
Jodie
08-13-2012 02:27 PM
I understand your frustrations and you can not use ACS to join both domains, I know that you do not have the privs to change the domain but someone in your org will have to understand that this is needed for ACS to authenticate all users.
I assume if users are entering their username and password that they are authenticating through a vpn connection? If so do you have the password management feature turned on?
Or if this is for inside your org are you authenticating users via dot1x?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-22-2012 07:58 AM
So, I am working on getting that two-way external trust setup. I think they understand why it is needed. But, of course, we have to go through the politics of actually getting it approved.
As for the VPN connection, this is for dot1x authentication on our wireless network primarily. But, the same ACS server authenticates our Juniper SSL VPN users as well.
One question that came from the other domain side is whether selective authentication can be used on this external trust? Do we know?
Thanks!
Jodie
08-22-2012 09:34 AM
Please explain the selective authentication? However I will explain the selective authentication that I think you are talking about.
If a client uses dot1x authentication then you can set the policy so that is uses AD
If a client is coming through a vpn connection you can use an LDAP instance or a radius proxy, or an RSA token database...etc.
All this requires is that you configure your network devices properly so that you can set these conditions in the service selection rules for this to occur. You can also configure identity store sequences so you can check all the database in any order that you want, if you feel that you dont need the additional overhead in segementing devices in seperate network device groups.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-24-2012 06:01 AM
Actually, the way it was explained to me is that selective authentication would be used to allow or disallow authentication based on a group/OU. So, if you are not in a certain group/OU, then you cannot even try to authenticate.
Thanks!
Jodie
08-25-2012 11:31 PM
The authentication request will still go though but ACS will reject the request based on the authorization policy that you define on ACS. It is policy based and you can add external groups from AD as a deciding factor if a user gets access or not. Please let me know if you need help setting this up.
(sorry for the late reply, i though i got to this when you posted it before)
Tarik Admani
*Please rate helpful posts*
08-28-2012 05:44 AM
No worries Tarik. I thought I had also replied and then checked and it wasn't there. Maybe the site messed up.
Anyway, thanks for the information. I will let you know if I need assistance in setting this up. Is there a document that you would recommend reading that would assist me on this front?
Thanks!
Jodie
09-24-2012 09:52 AM
Tarik,
As of Friday, we now have a two-way external trust between our two domains. So, I joined the ACS server to the Domain Y. I can now authenticate users for Domain Y with DomainY\username or just username. However, when I try to authenticate users as DomainX\username, it tells me error 22056 Subject not found in the applicable identity store(s).
Now, under Network Resources>External Identity Stores>Active Directory, I went into the Directory Groups tab and I added a Group of DomainX/Users/Domain Users. Is there something else I am supposed to do or what else can I do to troubleshoot this. Any idea?
As always, thanks!
Jodie
09-24-2012 10:03 AM
Jodie,
Can you try authenticating the user with username@domain.com, and also just username?
If you perform a dns query for domainx does it resolve?
Thanks,
Tarik Admani
*Please rate helpful posts*
09-24-2012 11:48 AM
I can logon to the ACS CLI and ping/nslookup the FQDN of domain x just fine. It doesn't authenticate the username@domainx either. I tried @FQDN and @domainx.
09-24-2012 12:02 PM
Jodie,
Can you follow this guide to get the relevant debugs and post the event at the time of the authentication:
https://supportforums.cisco.com/docs/DOC-26787
Thanks,
Tarik Admani
*Please rate helpful posts*
09-24-2012 06:03 PM
Jodie,
Just so I understand which domain is ACS joined to (MASTER.LSUHSC.EDU)? I would like to know a little bit more about your trust, do you mind private messaging me details on this. If you need this resolved fast you can open a TAC case and have them take a look.
Also are you using a service account to join ACS to the domain, or are you using and administrator's account?
Also did you try rebooting the ACS after the trust was established?
Thanks,
Tarik Admani
*Please rate helpful posts*
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide