07-26-2016 03:33 PM - edited 03-10-2019 11:57 PM
I recently upgraded my ACS from 5.6 to 5.8 with the latest patch installed. Since then, it's been unable to retrieve user group attributes from Windows AD, which effectively breaks all my authorization policies.
-The ACS-AD connector account belongs in both the "domain admins" and "domain users" group.
-I have verified the AD connector account has sufficient permissions to read group attributes.
-The ACS can retrieve group attributes from "domain admin" users, but not from the other groups.
I have included a screenshot of the error log. Is anyone else running into a similar issue or know how to fix it? Thanks.
07-26-2016 10:58 PM
Hi Wilson,
Please turn the ad_agent to DEBUG level and then look for this error message in the output of "show acs-logs filename ACSADAgent.log | in LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS".
You can also share the AD agent logs with me.
Let me know.
Regards,
Jatin
~ Do rate helpful posts
07-27-2016 08:17 PM
Thanks, Jatin. Please let me know if I did this correctly.
1. Went into acs-config and ran "debug-adclient enable".
2. show logging application ACSADAgent.log = no debug output.
3. show logging application ad_agent.log = a lot of debug output. However, I don't see any error related to token groups. I do see the following error when I manually query a domain user from the ACS:
27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmTransactAcquireCredentialsHandle(),lsass/client/ntlm/clientipc.c:299
27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmClientAcquireCredentialsHandle(),lsass/client/ntlm/acquirecreds.c:84
27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmServerAcquireCredentialsHandle(),lsass/server/ntlm/acquirecreds.c:103
27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmTransactAcquireCredentialsHandle(),lsass/client/ntlm/clientipc.c:299
27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmClientAcquireCredentialsHandle(),lsass/client/ntlm/acquirecreds.c:84
27/07/2016 23:02:51,VERBOSE,139695545640704,Error code: 40506 (symbol: LW_ERROR_NO_CRED),ntlm_gss_init_sec_context(),lsass/interop/gssntlm/gssntlm.c:891
27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmServerAcquireCredentialsHandle(),lsass/server/ntlm/acquirecreds.c:103
27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmTransactAcquireCredentialsHandle(),lsass/client/ntlm/clientipc.c:299
27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmClientAcquireCredentialsHandle(),lsass/client/ntlm/acquirecreds.c:84
27/07/2016 23:02:51,VERBOSE,139695514171136,Error code: 40506 (symbol: LW_ERROR_NO_CRED),NtlmServerAcquireCredentialsHandle(),lsass/server/ntlm/acquirecreds.c:103
Update: from my last query, I was finally able to see the token groups error, though it's not consistently showing up. Let me try and generate the error again.
Update 2: before you ask - yes, I ran the dsacls command for the ACS connector machine account in AD, but that did not appear to help with the issue.
07-28-2016 08:19 AM
Glad that you added the last 2 updates. Can you explain how you ran the dsacls command on the DC?
~ Jatin
Do rate helpful posts.
12-15-2016 02:33 PM
This is what I used:
dsacls "OU=(company users),DC=(company domain),DC=local" /I:T /G (company domain)\(ACS account):RP;tokenGroups
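The dsacls line above grants the connector account ReadProperty on tokenGroups for the OU and everything under it (/I:T = this object and all sub-objects). The following PowerShell, added here as an example and not posted by anyone in the thread, does the same grant from the ActiveDirectory module and then performs the check a practitioner would want: bind as the connector account and read tokenGroups of a non-admin user with a base-scope search, which is how a constructed attribute like tokenGroups must be queried. The OU, domain, account name and test user are placeholders and must be adjusted; the script assumes it is run on a domain-joined host with the RSAT ActiveDirectory module, by a user allowed to change the OU's ACL. Granting only ReadProperty on tokenGroups is the least privilege this lookup needs; membership of Domain Admins is not required for it. A user whose object sits outside the OU named in the grant is not covered by it, which is one thing the read test will reveal.

```powershell
# Added example, not from the thread. All names below are assumptions (placeholders).
Import-Module ActiveDirectory

$Ou         = "OU=Company Users,DC=example,DC=local"                 # assumption: OU holding the users ACS must see
$AcsAccount = "EXAMPLE\svc-acs"                                      # assumption: the ACS-AD connector account
$TestUserDn = "CN=Jane Doe,OU=Company Users,DC=example,DC=local"     # assumption: a user who is NOT a domain admin

# 1. Resolve the schemaIDGUID of tokenGroups from the schema rather than hard-coding it.
$schemaNc        = (Get-ADRootDSE).schemaNamingContext
$attr            = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=tokenGroups)" -Properties schemaIDGUID
$tokenGroupsGuid = [Guid]$attr.schemaIDGUID

# 2. Check whether the account already has an ACE for that attribute on the OU.
$sid = (New-Object System.Security.Principal.NTAccount($AcsAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$Ou"
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AcsAccount -and $_.ObjectType -eq $tokenGroupsGuid
}

# 3. If missing, add the equivalent of  dsacls <OU> /I:T /G <account>:RP;tokenGroups
if (-not $existing) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $tokenGroupsGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this object and all sub-objects
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Ou" -AclObject $acl
    Write-Host "Granted ReadProperty on tokenGroups to $AcsAccount for $Ou"
} else {
    Write-Host "$AcsAccount already has an ACE for tokenGroups on $Ou"
}

# 4. Verify as the connector account: base-scope read of tokenGroups on the test user.
#    tokenGroups is a constructed attribute, so it is only returned by a base search on the object.
$cred   = Get-Credential -UserName $AcsAccount -Message "Password for the ACS connector account"
$entry  = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$TestUserDn", $cred.UserName, $cred.GetNetworkCredential().Password)
$search = New-Object System.DirectoryServices.DirectorySearcher(
    $entry, "(objectClass=*)", [string[]]@("tokenGroups"), [System.DirectoryServices.SearchScope]::Base)
$result = $search.FindOne()

# Each tokenGroups value is a binary SID; decode it and try to resolve it to a name.
$groupSids = @($result.Properties["tokengroups"] | ForEach-Object {
    New-Object System.Security.Principal.SecurityIdentifier($_, 0)
})

if ($groupSids.Count -eq 0) {
    Write-Warning "tokenGroups came back empty for $TestUserDn as $AcsAccount: the read right is not effective for this object."
} else {
    Write-Host "tokenGroups for $TestUserDn as seen by $AcsAccount:"
    foreach ($s in $groupSids) {
        try   { $name = $s.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "(unresolved)" }
        "{0}  {1}" -f $s.Value, $name
    }
}
```

Run the test once for a domain-admin user and once for a plain domain user; if the first returns group SIDs and the second returns nothing, the ACE is not effective on the second user's object (wrong OU, an inheritance block, or an explicit Deny on that object) and that object's ACL is the next thing to inspect.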