ACS 5.3 join Two Differents Active Directories without Replicate in the AD's

ivan.martin
Level 1

Hello my name is Ivan:

I have a question...

Is it possible to join the ACS 5.3 to two different Active Directories that are in two different networks, to use EAP-PEAP MSCHAPv2 with 2 different certificates, to authenticate users in a wireless network?

I have

AD 1 in the newtork 10.25.1.0/24 with Certification Authority 1

AD 2 in the network 192.168.10.0/24 with Certification Authority 2

There is no replication between the two ADs. The users in AD 1 are totally different from those in AD 2.

I would like to join both ADs to my ACS 5.3.

How can I do it?

Thanks for your answers.

Regards

Accepted Solution

Jatin Katyal
Cisco Employee

Here are a few things that we can think of in your scenario.

- You can't integrate the same ACS server directly to two different AD domains (AD1 and AD2). With ACS 5.3, all you can do is establish a 2-way trust between the domains (AD1 and AD2). This way users from the trusted domain can authenticate via the ACS installed in the local domain. You have to add a UPN suffix or NETBIOS prefix (e.g. user@domain-name) to the username when authenticating to a domain (the trusted one) that the ACS is not joined to, including the child domains.

- However, with ACS 5.4, you can join the ACS nodes from the same deployment to different AD domains. However, each node can be joined to a single AD domain.

ACS 5.4 Primary -----  Domain A

ACS 5.4 Secondary---Domain B

Release notes.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp71092

- I'm not going to give you the option to integrate ACS with LDAP as an identity database, because LDAP doesn't support PEAP-MSCHAPv2, so the entire purpose of setting up EAP authentication will fail.

Hope it helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin


Replies


Did that answer your question? Do let us know if you have any queries.

~Jatin

Hi Jatin,

May I ask you a question please? I have the same issue here.

Our AD sits inside the firewall; it has an inside domain internal.domain.com, while we have another outside Internet domain external.domain.com. Our ACS is joined to internal.domain.com.

The outside domain does not have any AD server.

When I was using ACS 5.3, I could add a UPN suffix external.domain.com to combine with the inside internal.domain.com.

So the inside AD could handle any user with UPN @external.domain.com and @internal.domain.com.

But after we upgraded to 5.4, the ACS refuses to send any user with @external.domain.com to the inside domain controller, because ACS 5.4 is joined to internal.domain.com only.

How can I let the ACS 5.4 still send the external domain name to the internal domain controller? Or set up a default domain?

or do I need to downgrade 5.4 back to 5.3?

Much appreciated for any comments in advance.

Cheers,

Edward


Hi Edward,

If this was working fine with ACS 5.3 then it should work with ACS 5.4 as well.

The reason I'm saying this is that this condition applies to ACS 5.3 as well: "ACS does not support user authentication in AD when a user name is supplied with an alternative UPN suffix configured in OU level. The authentication works fine if the UPN suffix is configured in domain level." This was documented in all user guides from ACS 5.1 to 5.4.

We've filed a defect as well.

CSCud36340    ACS authentication is not working with alternative UPN from OU level

Now the questions are;

1.] Have you made any changes to the AD structure as well? In that case, do we have the UPN suffix configured at OU level?

2.] Is the 2-way trust between these 2 domains still there?

3.] Could you please provide nslookup external.domain.com from the ACS CLI?

4.] Are you able to fetch external.domain.com groups and user attributes from ACS - Identity store > AD1 settings > Directory groups?

5.] We might need to look at adclient logs and packet capture.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Many thanks for your information. Here are my feedback details:

1.] Have you made any changes to the AD structure as well? In that case, do we have the UPN suffix configured at OU level?

A: I checked with the Microsoft Server team, no changes have been done from their end. The UPN suffix is configured at domain level.

     We have two ACS servers, one is on 5.3, the other is on 5.4. The 5.3 one is working fine, but the 5.4 one keeps rejecting with: 22056 Subject not found in the applicable identity store(s).

2.] Is the 2-way trust between these 2 domains still there?

A: Since there is no AD controller in the external domain, the external domain is just for Internet DNS. All our users are in the internal AD.

3.] Could you please provide nslookup external.domain.com from the ACS CLI?

A: I put it into the attachment file. I masked the real name and IP; if you need the original name and IP address, may I send it directly to you by email?

4.] Are you able to fetch external.domain.com groups and user attributes from ACS - Identity store > AD1 settings > Directory groups?

A: No, since there is no external domain controller.

     In our ACS 5.3, I always fetch the internal domain instead, but users will use the @external domain. ACS 5.3 will send both @external.aut.ac.nz to the internal AD, but in 5.4 I found that it just refuses to do so.

5.] We might need to look at adclient logs and packet capture.

A: How can I get the adclient logs?
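A simplified model of the identity routing Jatin describes (one joined domain per node, trusted domains reached via UPN suffix or NETBIOS prefix) and of the 22056 rejection Edward sees, added here as an illustration and not Cisco ACS code: AdJoin, route_identity, the NetBIOS names and the trust to ad2.example are assumptions, and because whether ACS 5.4 honours the domain-level suffix is exactly what the thread leaves open, the model simply accepts a suffix only when it is in the node's configured set.

```python
# Added illustration (not Cisco ACS code): a simplified model of how a RADIUS
# server joined to ONE AD domain decides which identity store a PEAP/MSCHAPv2
# identity is looked up in. Rules follow the thread: one joined domain per node,
# trusted domains reached via UPN suffix or NETBIOS prefix, and alternative
# UPN suffixes honoured only when configured at domain level on the node.
from dataclasses import dataclass, field

NOT_FOUND = "22056 Subject not found in the applicable identity store(s)"


@dataclass
class AdJoin:
    joined_domain: str                                  # single domain this node is joined to
    netbios: str                                        # NetBIOS name of that domain
    trusted: dict = field(default_factory=dict)         # NetBIOS name -> DNS name (2-way trusts)
    alt_upn_suffixes: set = field(default_factory=set)  # domain-level alternative UPN suffixes


def route_identity(cfg: AdJoin, identity: str):
    """Return (target_domain, account) on success or (None, reason) on failure."""
    if "\\" in identity:                                # NETBIOS\user form
        prefix, _, user = identity.partition("\\")
        if prefix.upper() == cfg.netbios.upper():
            return cfg.joined_domain, user
        for nb, dns in cfg.trusted.items():             # trusted domain by NetBIOS prefix
            if nb.upper() == prefix.upper():
                return dns, user
        return None, NOT_FOUND
    if "@" in identity:                                 # user@suffix (UPN) form
        user, _, suffix = identity.rpartition("@")
        suffix = suffix.lower()
        if suffix == cfg.joined_domain.lower() or suffix in {s.lower() for s in cfg.alt_upn_suffixes}:
            return cfg.joined_domain, user              # own domain or a configured alt suffix
        if suffix in {d.lower() for d in cfg.trusted.values()}:
            return suffix, user                         # trusted domain by UPN suffix
        return None, NOT_FOUND                          # unknown realm: no applicable store
    return cfg.joined_domain, identity                  # bare user: joined domain only


# Constructed sample (hypothetical names): Edward's layout, with external.domain.com as a
# domain-level alternative UPN suffix of internal.domain.com (no DC of its own), plus one trust.
WITH_SUFFIX = AdJoin("internal.domain.com", "INTERNAL",
                     trusted={"AD2": "ad2.example"},
                     alt_upn_suffixes={"external.domain.com"})
STRICT = AdJoin("internal.domain.com", "INTERNAL")     # node that does not know the suffix

if __name__ == "__main__":
    for cfg in (WITH_SUFFIX, STRICT):
        for ident in ("edward@external.domain.com", "AD2\\alice", "bob"):
            print(sorted(cfg.alt_upn_suffixes), ident, "->", route_identity(cfg, ident))
```

The STRICT node returns the same 22056 text for the @external.domain.com user that Edward quotes, while the node with the suffix configured routes that user to internal.domain.com.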

Hi Jatin,

Here is the troubleshooting I did on the ACS 5.4 server:

acs2/admin# acs troubleshoot adcheck external.domain.com
This command is only for advanced troubleshooting and may incur a lot of network traff
Do you want to continue?  (yes/no) yes
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 156.62.8.1                                 : Pass
DNSPROBE : Probe DNS server 156.62.1.12                                : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Pass
WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Note
         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
         :
DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Failed
         : Cannot find information for domain aut.ac.nz in DNS.
         : Most likely causes are:
         :  a) The domain name, aut.ac.nz, that you entered is wrong
         :  b) /etc/resolv.conf does not point to a DNS server that knows
         :     about the domain
         : Configured DNS servers are:
         :  156.62.1.12 (rangitoto.aut.ac.nz): OK
         :  156.62.8.1 (ns-mail.aut.ac.nz): OK
         :
         : If you cannot resolve this issue then get the name of a Domain
         : Controller for aut.ac.nz and rerun adcheck with the
         : -s option.
1 serious issue was encountered during check. This must be fixed before proceeding

Many thanks again,

Cheers,

Edward

Thanks Jatin for your answer,

this helped me in my scenario.

Regards