ACS 5.3 join to domain issue

Hello,

I am facing a strange problem with ACS 5.3.0.40.9.

I'm trying to join the ACS to the domain without success. The test connection works properly ("Connection test to <domain> succeeded"), but when I try to save the config I get the error "wrong domain".

This machine was previously in a lab environment and the connection to AD was working fine. Now I'm trying to install it in a production environment.

Maybe ACS has cached information about AD. I cleared it with "ad-agent-clear-cache", but I'm not able to clear the AD config through the CLI:

ACS5(config-acs)# ad-agent-reset-configuration

Performing reset of AD agent configuration , AD agent will be restarted. continue (y/n)? 

Unable to restart AD agent. Define AD configuration or check current AD configuration settings

Any thoughts?

Chris.

3 Replies

Jatin Katyal
Cisco Employee

What is the AD setup? Can you please describe how the AD setup is done?

What is your domain name? Are you able to execute nslookup for the same from ACS CLI?

Do you see all services running: show application status acs

Please provide me the following debugs from acs-config.

(a) acsadmin(config-acs)# debug-adclient enable

(b) acsadmin(config-acs)# debug-log runtime-idstores level debug

(c) acsadmin(config-acs)# debug-log mgmt-bl level debug

Jatin Katyal


- Do rate helpful posts -

~Jatin

Problem solved, I created a new AD user for ACS with administrator rights.

This is strange because it isn't necessary to be administrator.

Thanks for your response.

Glad to know. However, we don't need admin rights.

From the user guide:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1171071

Predefined user in AD. The AD account required for domain access in ACS should have either of the following:

• Add workstations to domain user right in the corresponding domain.

• Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain).

We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.

Jatin Katyal


- Do rate helpful posts -

~Jatin
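The user-guide excerpt above describes a least-privilege AD account for the ACS domain join plus a lockout/alerting recommendation. The following PowerShell script is an added example (not from the thread, Cisco, or the user guide) that audits an existing join account against those points: it flags privileged group membership the guide does not require, looks for the delegated Create/Delete Computer Objects ACEs on the Computers container, and reports the account's lockout state and effective lockout threshold. It assumes the RSAT ActiveDirectory module is installed and uses the placeholder account name svc-acs; the "Add workstations to domain" user right lives in Group Policy and is not visible in the container ACL, so it is only noted here.

```powershell
# Added example: audit the AD account used by ACS for its domain join.
# Assumes the RSAT ActiveDirectory module; 'svc-acs' is a placeholder name.
Import-Module ActiveDirectory

$AcsAccount         = 'svc-acs'                      # placeholder sAMAccountName
$Domain             = Get-ADDomain
$ComputersContainer = $Domain.ComputersContainer     # e.g. CN=Computers,DC=example,DC=com

# schemaIDGUID of the 'computer' class. An Allow ACE for CreateChild/DeleteChild
# scoped to this GUID is what the ACL editor shows as "Create/Delete Computer Objects";
# an ACE with an empty ObjectType covers all child object classes.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$user = Get-ADUser -Identity $AcsAccount -Properties memberOf, LockedOut

# 1. Privileged group membership is not needed for the join and widens blast radius.
$privileged = @($user.memberOf | Where-Object {
    $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators),'
})
if ($privileged.Count -gt 0) {
    Write-Warning "$AcsAccount is in privileged group(s): $($privileged -join '; ')"
}

# 2. Delegated computer-object rights on the container (direct ACEs only; rights
#    inherited through group membership would need each group checked the same way).
$acl  = Get-Acl -Path "AD:\$ComputersContainer"
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$AcsAccount" -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild') -and
    ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq [guid]::Empty)
})
if ($aces.Count -eq 0) {
    Write-Warning "No direct Create/Delete Computer Objects ACE for $AcsAccount on $ComputersContainer"
} else {
    $aces | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType | Format-Table -AutoSize
}

# 3. Lockout: the guide recommends disabling lockout for this account and alerting on
#    bad passwords instead, because a locked account stops ACS maintaining its machine account.
$policy    = Get-ADUserResultantPasswordPolicy -Identity $user   # $null if no fine-grained policy applies
$threshold = if ($policy) { $policy.LockoutThreshold } else { (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold }
[pscustomobject]@{
    Account          = $AcsAccount
    LockedOut        = $user.LockedOut
    LockoutThreshold = $threshold                 # 0 means lockout is disabled for this account
    PolicySource     = if ($policy) { $policy.Name } else { 'Default Domain Policy' }
}
```

Run it from a domain-joined management host as a user allowed to read the container ACL; a LockoutThreshold above 0 for the ACS account is the condition the user guide warns about, and event ID 4740 (account locked out) on the domain controllers is the event to alert on.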