05-28-2012 05:24 AM - edited 03-10-2019 07:07 PM
Dear Support Team
We have ACS 5.x, integrated with AD, and members are authenticated using either an AD username or a local username configured on ACS.
Is it possible for ACS to check the local database only when AD is unreachable? The customer does not want the ACS local database to be used as long as AD is available. This is to fulfill accounting requirements from their System department.
Thanks in Advance for your time.
Ahad
05-28-2012 11:33 AM
Hi there,
The ACS 5.x has two ways to contact the internal or external databases:
1. Using only one specific DB, this can be AD, internal, LDAP, RSA, etc. But the ACS will try to contact only one DB in the Access Policy Rule.
2. Using Identity Store Sequence option, this option allows you to use more than one DB and it will work like this: The ACS will try to use the DB top on the list, if the user doesn't exist on this DB the ACS will try to use the next DB in the list. If the communication with the DB located top on the list goes down the ACS will try to use the second DB in the list.
So unless using option 1, you cannot force the ACS to only use one specific DB, it all depends where the user that's trying to authenticate exists. For example if "aaauser" exists only on ACS internal DB then the ACS will search the user in AD (if this one DB is top of the list), the search will fail and the ACS will try to use internal AD.
Rate if it helps.
05-28-2012 12:19 PM
Hello Mauricio
Many thanks for your response. I have understood your reply, so in order to achieve the client requirement, is the following sequence justified?
1: Create 2 Service Selection Rules.
Service Selection Rule 1 -> it then assigns the access service "Device Admin 1"
'Device Admin 1' identity store just selects "AD1"
2: Service Selection Rule 2 -> it then assigns the access service "Device Admin2"
'Device Admin2' identity store selects "Local Database"
As such, "Device Admin 1" & "Device Admin2" are exactly the same except for their selection of database.
Now Service Selection Rule 1 is on the top, therefore it will always be preferred. The connection lands on Service Selection Rule 1, and the user has to use his AD username/password; if the user does not exist there, the authentication attempt will be denied, because there is only one store.
However,
if AD is down, then it might be possible that "Service Selection Rule 1" will not be in effect and the connection attempt will land on Service Selection Rule 2, which will use the local database.
It should work in this way.
Can I have your feedback please?
Ahad
05-28-2012 01:05 PM
You are right about everything except the last part. Device Admin 1 and 2 are "Service Selection Rules", so they are going to be matched depending on their Conditions. If the authentication request is matching the Device Admin 1 rule, then the ACS will stick with this service; it doesn't matter if the DB is down or not, ACS is not going to fall back to Device Admin 2.
The only option to use a second database in case the primary is down is with Identity Store Sequence, however this option will also use the second database if the primary DB cannot find the user.
Unfortunately there is not an option at the moment to accomplish this goal with the specific detail that you need.
Rate if it helps.
05-28-2012 01:11 PM
All the above is correct. One additional point:
If you have the same / a subset of the users in the internal database that you have in AD, then you can set the following option on the identity sequence:
Under Advanced Options:
If access to the current identity store failed:
  ( ) Break Sequence
  (x) Continue to next identity store in the sequence
Therefore if AD is up:
- if the user is found in AD, it will be authenticated and will not continue to the next store in the sequence
If AD is down:
- it will continue to check the user in the internal DB
This can be used to keep a subset of the accounts in the internal DB to be used in the case when AD is down. Note these will have separate password policies etc.
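As an added illustration (not code from this thread or from Cisco), here is a small Python model of the identity store sequence behaviour described in the replies above: a user not found in a store always falls through to the next store, while an unreachable store either breaks the sequence or continues depending on the advanced option. Store names, usernames and passwords are constructed sample data, and the rule that a found-but-wrong-password result stops the sequence is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    """A constructed stand-in for one ACS identity store (AD or internal)."""
    name: str
    users: dict = field(default_factory=dict)   # username -> password
    reachable: bool = True

BREAK, CONTINUE = "break", "continue"           # the two Advanced Options

def authenticate(sequence, user, password, on_access_failure=BREAK):
    """Walk the sequence top-down; return (result, name of deciding store).

    - user not found in a store      -> always try the next store
    - store unreachable              -> BREAK rejects, CONTINUE tries the next
    - user found                     -> sequence stops here (assumption: a
                                        wrong password never falls through)
    """
    for store in sequence:
        if not store.reachable:
            if on_access_failure == BREAK:
                return "reject", store.name
            continue
        if user not in store.users:
            continue
        ok = store.users[user] == password
        return ("accept" if ok else "reject"), store.name
    return "reject", None

def demo(ad_reachable, user, password):
    """The setup suggested above: internal DB holds a subset of the AD
    accounts (constructed data), sequence = AD then internal, CONTINUE on
    access failure. Shows that the local password is never accepted while
    AD is up, but works as a fallback when AD is down."""
    ad = Store("AD1", {"aaauser": "ad-pass", "admin2": "x"}, ad_reachable)
    internal = Store("Internal Users", {"aaauser": "local-pass"})
    return authenticate([ad, internal], user, password, CONTINUE)

if __name__ == "__main__":
    for up in (True, False):
        for pw in ("ad-pass", "local-pass"):
            print(f"AD up={up} pw={pw}: {demo(up, 'aaauser', pw)}")
```

The caveat from the earlier reply still holds: an account that exists only in the internal store is reached even while AD is up, because user-not-found always continues.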
05-28-2012 01:11 PM
Hello Mauricio
Thanks for your time, same we can convey to the customer.
Ahad