12668 Views | 74 Helpful | 34 Replies

ACS 5.3 and AD domain trust

kamarale (Level 1)

Hello, I'm having this problem:

I have 2 AD domains in 2 different forests (i.e. domain1.com and domain2.com) and they were configured to trust each other (two-way trust).

In the AD environment it works great.

The problem is that in ACS, which is integrated with domain1.com, I can't see the groups of the other domain, domain2.com.

If I look for them under Directory Groups they don't appear, and if I put them manually in Group Name (with syntax domain2.com/Users/GroupX) and then add them with the Add button, I am able to add them and use them in policies, but they don't work (I get errors and nothing is authenticated).

I'm using ACS version 5.3.0.40.5 and Windows 2003 Server Enterprise Edition.

I've read this post

https://supportforums.cisco.com/thread/2064843

but I couldn't make it work.

If someone knows how I can get this working I will really appreciate it.

Thanks in advance.

Regards.

34 Replies

We have deleted the backup files and replock files in the local disk repository and switched on incremental backup as well. When we tried to do a full backup, it was failing. So we have just restarted the ACS VM and will test tonight when the incremental backup takes place. We also ensured that the times for the scheduled backups and the incremental backups do not overlap. Hopefully it will work this time around without any errors.

Regards,

Mohan

Hi Tarikh,

I think the Kerberos authentication is being planned/tested to seamlessly authenticate iDevices (no username/password) to SharePoint servers running on Windows Server. But as you have pointed out, Kerberos does not authenticate the iPads and therefore it has to be EAP-TLS then. I am also wondering, as Kerberos is pretty much similar to SSL apart from the additional trust authority between the client and server, can you use Kerberos to authenticate using certificates like you do in EAP-TLS?

I will check if the scheduled backups of the ACS configs are happening at the same time as the incremental backups. I am not sure if incremental backup is enabled in the first place (in the Monitoring section) and what the time difference is between the full view backup and the incremental backup. I will check and revert.

Thanks again for all your help; it's always a great pleasure to discuss and learn from you.

Best Regards,

Mohan

Mohan,

For you to perform Kerberos authentication you will need network access. You cannot get that if your network has dot1x authentication; you will not be able to connect to the KDC. Also, Kerberos is not a supported authentication type and there is no EAP type associated with Kerberos.

I am more than happy to help in any way, but please remember to rate any or all information you find helpful.

Thanks,

Tarik Admani

Sent from Cisco Technical Support iPad App

Tarik Admani wrote:

I just published a doc that will help you with the debugging:

https://supportforums.cisco.com/docs/DOC-26787

Please rate it if you find it helpful.

thanks,

Tarik Admani
*Please rate helpful posts*

Rated.

I just enjoy reading the discussion you are involved in Tarik.

I can learn very much by just reading your answers.

Keep it up my friend.

Amjad

Rating useful replies is more useful than saying "Thank you"

Dear Alexis-besada,

I configured it as you said, but in my option it's not working. Can you explain in detail how you did it?

I configured 2 ADs (domain A and domain B) with an External Trust between them. I added the domain B group in Directory Groups. When I want to authenticate a user who is located in the domain B group, it shows "22056 Subject not found in the applicable identity store(s)". I tried with the UPN suffix @domainb and NetBIOS domainb/user, with the same error. Please give me suggestions.
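A small triage helper for the 22056 failures the last reply describes, added here as an example and not code from the thread or from Cisco. It normalises the three username spellings mentioned in the thread (UPN user@dns-domain, down-level NETBIOS\user, and domain/user) into a (DNS domain, user) pair and tallies passes and failures per domain, so you can see at a glance whether only users from the trusted domain are failing (a trust or group-resolution problem) or everyone is (a store or policy problem). The log line layout, the NetBIOS-to-DNS mapping and the sample lines are all constructed for this example; the real ACS 5.x log format differs, so adapt `LINE_RE` to your export.

```python
import re
from collections import defaultdict

# Constructed log format for this example (NOT the real ACS 5.x log layout):
#   <date> <time> STATUS=<PASS|FAIL> CODE=<n> USER=<identity> MSG=<text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) STATUS=(?P<status>PASS|FAIL) CODE=(?P<code>\d+) "
    r"USER=(?P<user>\S+) MSG=(?P<msg>.*)$"
)

# Constructed NetBIOS -> DNS mapping; in a real environment take it from the
# trust configuration of the domain ACS is joined to.
NETBIOS_TO_DNS = {"domaina": "domaina.com", "domainb": "domainb.com"}

# Constructed sample lines covering the spellings discussed in the thread.
SAMPLE_LOG = """\
2012-05-01 10:00:01 STATUS=FAIL CODE=22056 USER=alice@domainb.com MSG=Subject not found in the applicable identity store(s)
2012-05-01 10:00:05 STATUS=FAIL CODE=22056 USER=DOMAINB\\bob MSG=Subject not found in the applicable identity store(s)
2012-05-01 10:00:09 STATUS=FAIL CODE=22056 USER=domainb/carol MSG=Subject not found in the applicable identity store(s)
2012-05-01 10:00:12 STATUS=PASS CODE=00000 USER=dave@domaina.com MSG=Authentication passed (constructed line)
2012-05-01 10:00:20 STATUS=FAIL CODE=22056 USER=erin MSG=Subject not found in the applicable identity store(s)
"""


def normalize_identity(identity, joined_domain, netbios_map=NETBIOS_TO_DNS):
    """Split UPN (user@dns), down-level (NETBIOS\\user) and slash (domain/user)
    identities into a lowercase (dns_domain, user) pair. Bare usernames are
    attributed to the domain ACS is joined to, which is what a directory
    lookup without a realm would do."""
    if "@" in identity:
        user, domain = identity.rsplit("@", 1)
    elif "\\" in identity:
        domain, user = identity.split("\\", 1)
    elif "/" in identity:
        domain, user = identity.split("/", 1)
    else:
        domain, user = joined_domain, identity
    domain = domain.lower()
    domain = netbios_map.get(domain, domain)  # short name -> DNS name
    return domain, user.lower()


def parse_line(line):
    """Return the named fields of one constructed log line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, joined_domain):
    """Tally pass/fail per DNS domain and list the 22056 failures whose
    domain differs from the joined one, i.e. the trust-dependent cases."""
    per_domain = defaultdict(lambda: {"pass": 0, "fail": 0})
    cross_domain_22056 = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected layout
        domain, user = normalize_identity(rec["user"], joined_domain)
        per_domain[domain]["pass" if rec["status"] == "PASS" else "fail"] += 1
        if rec["code"] == "22056" and domain != joined_domain.lower():
            cross_domain_22056.append((domain, user))
    return {"per_domain": dict(per_domain), "cross_domain_22056": cross_domain_22056}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, joined_domain="domaina.com")
    for dom, counts in sorted(result["per_domain"].items()):
        print(f"{dom}: {counts['pass']} passed, {counts['fail']} failed")
    print("22056 failures for users outside the joined domain:")
    for dom, user in result["cross_domain_22056"]:
        print(f"  {user}@{dom}")
```

With the constructed sample, every 22056 failure for a domainb.com identity is listed regardless of how the user typed the name, while the bare `erin` failure is attributed to the joined domain and kept out of that list; in practice, a list that is exclusively the trusted domain points at the trust or at group resolution across it rather than at the identity store itself.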