Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1102
Views
0
Helpful
2
Replies

ACS 5.2 will not enumerate 2003 AD groups

ghuey
Level 1
Level 1

‎08-05-2011 12:44 PM - edited ‎03-10-2019 06:16 PM

I have seen similar references to this issue, but no concrete solutions.  My new ACS appears to join my domain with little or no issues, however, when I go to list the groups nothing is ever listed.

Running ACS as a vm.

I have set the ntp server on the ACS server to match my domain.

I can ping all domain controllers/DNS servers.

nslookup resolves hostnames of my domain controllers

Please let me know what other information I can provide to troubleshoot this issue.

Thanks for everyone's help.

***Update***

I verified that a computer account for my ACS is in fact being created, however, I am receiving some Kerberos errors on my DC with the FSMO roles:

Event Type:          Error

Event Source:          KDC

Event Category:          None

Event ID:          26

Date:                    8/5/2011

Time:                    3:07:46 PM

User:                    N/A

Computer: <MY DC>

Description:

While processing an AS request for target service krbtgt, the account <ACS SERVER> did not  have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 17.  The accounts available etypes were 23  -133  -128  3  1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Labels:
0 Helpful
2 Replies 2

Nicolas Darchis
Cisco Employee
Cisco Employee

‎08-07-2011 01:30 AM

I've seen a few similar issues.

It's always when there is some error with AD (e.g. some DCs are unreachable by ACS, the DNS doesn't have SRV records for the DCs ...).

At this point, I honestly suggest to open a TAC case due to the complexity of the troubleshooting required.

But you can already verify if SRV records are returned for your domain because that's apparently missing for a lot of customers I worked with.

0 Helpful

ghuey
Level 1
Level 1
In response to Nicolas Darchis

‎08-08-2011 06:20 AM

We resolved the issue.  I was actually looking at changing the Kerberos encryption etypes for my domain which I was pretty nervous about messing with, but the solution was much easier.

My boss had downloaded the original file and I assumed that it included the latest build revisions, but in fact there were several patches released since that build.

Simply applying the latest patch casued my groups to show up immediately.

So thank you for everyone's time and appologies for my ignorance on the cisco software side of things.

0 Helpful
Customers Also Viewed These Support Documents