ACS Authentication, multiple domains
09-27-2007 09:38 AM - edited 03-10-2019 03:24 PM
Hi all,
I have the following problem:
I have a Win 2003 domain (A) and a trust established with another Win
2003 domain (B). Domain A is the one with the CiscoSecure software.
We have many trusts with other domains (mostly Win 2000) and have
configured the mappings by using CiscoSecure.
But when trying to "add mappings" for this new 2003 Domain (B), I
continually am getting "failed to enumerate Windows groups. If you are
using Active Directory consult the installation guide for information."
I am not able to see domain B's users and groups from within the Cisco
Secure software.
However, if I use Active Directory Users and Computers from Domain A,
and "connect to domain" and choose Domain B, I am able to view all
users and groups just fine.
Do you know if there is a problem with configuring two 2003 domains in
this software? Do you have any other areas that I should investigate?
Some local policy on Domain B?
- Labels: AAA
10-04-2007 09:12 AM
If ACS is installed on a DC of DOM1 and DOM1 has a trust relationship to a remote domain DOM2:
1) ACS Services (on DOM1 DC) run under a DOM1 Domain User (and Local Machine Administrator) - "acsacct"
2) This account (acsacct) has "Act as part of the OS" permission in Domain Security Policy and Domain Controller Security Policy
3) On DOM2 (the remote domain), we delegated control to the acsacct user for the custom task of "Group Objects" and "User Objects".
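
Step 2 of the reply above grants "Act as part of the OS" (the SeTcbPrivilege user right), so it is worth confirming afterwards which accounts actually hold it. The following is an added example, not part of the original thread or of Cisco's tooling: it parses a user-rights export in the INF layout written by `secedit /export /areas USER_RIGHTS` and reports whether the service account holds the right and who else does. The sample export, the `DOM1\acsacct` spelling and the SID are constructed placeholders.

```python
# Added example: audit holders of "Act as part of the operating system"
# (SeTcbPrivilege) in a user-rights export, e.g. the file written by
#   secedit /export /areas USER_RIGHTS /cfg rights.inf
# (the real file is usually UTF-16; decode it before passing the text in).
# SAMPLE_INF is constructed for illustration; the long SID is a placeholder.

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,DOM1\\acsacct
SeTcbPrivilege = DOM1\\acsacct,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: [holders]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return rights


def audit_tcb(inf_text, expected_ids):
    """Check SeTcbPrivilege against the identifiers (names or SIDs) expected to hold it."""
    # Exported SIDs carry a leading '*'; strip it and compare case-insensitively.
    expected = {e.lstrip("*").lower() for e in expected_ids}
    holders = parse_privilege_rights(inf_text).get("SeTcbPrivilege", [])
    granted = any(h.lstrip("*").lower() in expected for h in holders)
    others = [h for h in holders if h.lstrip("*").lower() not in expected]
    return {"granted": granted, "unexpected_holders": others}


if __name__ == "__main__":
    print(audit_tcb(SAMPLE_INF, {"DOM1\\acsacct"}))
```

Any entry in `unexpected_holders` is an account with the same operating-system-level right as the ACS service account and should be reviewed.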
