So - We have the same error. I have still open a TAC Case (C730737) about this problem. I will send you the whole Case content. Perhaps it will help you:
Problem Description: Situation:
We have a ACS Server to authenticate the RAS Users.
I configured the ACS to authenticate unknown users by the 'Windows NT/2000' Database (Unknown User Policy). The ACS is a member server in a Windows 2000 Domain called 'giaintra.net'. The Users are in a Windows NT Domain called 'MM'. There is a two way trust between this domains.
I configured the 'Windows NT/2000 User Database' in the ACS to verify the 'Grant dialin permission' setting and also configure the Domain List with all needed domains (MM, giaintra.net).
Problem:
The authentication allways fails for user that are not in the ACS database. In the 'Failed Attempts' Log the Authentication Failure Code is 'Unknown'
investigations:
I capture the network traffic from and to the ACS Server and see, that there is no traffic to any Domaincontroller. So I turn the ACS logging to the maximum and check the csauth service log file for any debug messages beginning with [External DB]. The following messages were logged:
****************************************************************
AUTH 05/23/2002 15:56:30 I 4562 1676 Attempting authentication for Unknown User 'MM\giadmu'
AUTH 05/23/2002 15:56:30 I 0266 1676 External DB [NTAuthenDLL.dll]: Starting authentication for user [MM\giadmu]
AUTH 05/23/2002 15:56:30 I 0266 1676 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
AUTH 05/23/2002 15:56:30 E 0266 1676 External DB [NTAuthenDLL.dll]: NT/2000 authentication FAILED (error 1300L)
AUTH 05/23/2002 15:56:30 I 1311 1676 Unknown User 'MM\giadmu' was not authenticated
****************************************************************
Please contact customer via email: daniel.mueller@gia.ch
Email: daniel.mueller@gia.ch
Phone: 41-62-789-71-71
Urls shown to the user :
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/exatu_wp.htm
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/userdb.htm
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/unknown.htm
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/ldcsa_wp.htm
http://www.cisco.com/warp/customer/480/csntsdi.html
*** NOTES LOG 23-MAY-2002 07:58:54 PST, ciscodotcom, Action Type: Action ***
Notes logged DANIEL MUELLER (giadmu) daniel.mueller@gia.ch
CC list updated by DANIEL MUELLER (giadmu) daniel.mueller@gia.ch:
OLD:
NEW: giaaaj@gia.ch,
*** EMAIL OUT 23-MAY-2002 08:25:03 PST, kpintus, Action Type: Email Out ***
Send to: [daniel.mueller@gia.ch]
Daniel,
Good afternoon. My name is Kirk with Cisco Systems and I will be assisting you with this case.
It sounds to me like the problem is that ACS is installed on a Member Server. If this was installed on a Domain Controller you probably wouldnt have this issue. If you follow the instructions below, it should fix the problem. The 1300L error you are getting is defined here:
Code Name Description -------1300L ERROR_NOT_ALL_ASSIGNED
Indicates not all privileges referenced are assigned to the caller. This allows, for example, all privileges to be disabled without having to know exactly which privileges are assigned.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q155012
Try these instructions below and let me know how that goes and if I can be of further assistance.
*****************************************************************************
First ensure that any trusts that will be followed are 2-way.
One-way trusts are problematic for ACS.
- On the domain controller serving the ACS server:
-- Create a user
-- Make the user a member of Domain Admins group.
-- Make the user a member of Administrators group.
- Log onto ACS server.
-- Add the domain user to the local Administrators group.
-- Assign special rights with following instructions:
-- If ACS server is NT:
--- Run the User Manager program.
--- Choose "User Rights" from the "Policies" menu.
--- Check "Show Advanced User Rights."
--- Find "Act as part of the operating system" in the list.
--- Click "Add."
--- Choose the domain from the "List Names From" box.
--- Click "Show Users."
--- Double-click the user created earlier to add it.
--- Click OK.
--- Find "Log on as a Service" in the list.
--- Click "Add."
--- Choose the domain from the "List Names From" box.
--- Click "Show Users."
--- Double-click the user created earlier to add it.
--- Click OK.
-- If ACS server is Windows 2000:
--- Open "Administrative Tools" from the control panel.
--- Open "Local Security Policy."
--- Open "Local Policies."
--- Open "User Rights Assignment."
--- Double-click on "Act as part of the operating system."
--- Click "Add."
--- Choose the domain from the "Look in" box.
--- Double-click the user created earlier to add it.
--- Click OK.
--- Double-click on "Log on as a service."
--- Click "Add."
--- Choose the domain from the "Look in" box.
--- Double-click the user created earlier to add it.
--- Click OK.
- Set the ACS services to run as the created user.
-- If ACS server is NT:
--- Open "Services" from the control panel.
--- Click the CSADMIN entry once.
--- Click "Startup."
--- Click "This Account" and then the "..." button.
--- Choose the domain, double-click the user created earlier.
--- Click "Add," then "OK," then "OK" again.
--- Repeat for the rest of the CS services.
--- Stop and then start CSADMIN.
-- If ACS server is Windows 2000:
--- Open "Services" from "Administrative Tools."
--- Double-click the CSADMIN entry.
--- Click the "Log On" tab.
--- Click "This Account" and then the "Browse" button.
--- Choose the domain, double-click the user created earlier.
--- Click "OK."
--- Repeat for the rest of the CS services.
--- Stop and then start CSADMIN.
- Open the ACS GUI.
- Click on System Config.
- Click on Service Control.
- Click "Restart."
Thanks,
Kirk Pintus
Tech Support
SLC TAC-Security
Cisco Systems Inc.
M-F 7-3:00pm MST
801-736-3939 x55455
kpintus@cisco.com <>kpintus@cisco.com>
*** STATUS CHANGE 23-MAY-2002 08:25:03 PST, kpintus, Action Type: ***
*** NOTES LOG 24-MAY-2002 10:09:18 PST, kpintus, Action Type: Action ***
email from customer:
Hi Kirk
I implemented the task you described below and now I can logon with the
accounts from the Domain 'MM'. But I still can't logon with a account in the
Domain 'giaintra.net'. The debug messages in the csauth Logfile is:
**************************************
AUTH 05/24/2002 09:19:59 I 4562 1684 Attempting authentication for Unknown
User 'GIAINTRA.NET\giadmu'
AUTH 05/24/2002 09:19:59 I 0266 1684 External DB [NTAuthenDLL.dll]: Starting
authentication for user [GIAINTRA.NET\giadmu]
AUTH 05/24/2002 09:19:59 I 0266 1684 External DB [NTAuthenDLL.dll]:
Attempting NT/2000 authentication
AUTH 05/24/2002 09:19:59 I 0266 1684 External DB [NTAuthenDLL.dll]: NT/2000
authentication SUCCESSFUL (by GIAT056)
AUTH 05/24/2002 09:19:59 E 0266 1684 External DB [NTAuthenDLL.dll]: Local
account domain fallback not permitted
AUTH 05/24/2002 09:19:59 I 1311 1684 Unknown User 'GIAINTRA.NET\giadmu' was
not authenticated
**************************************
Do you have any idea about that?
Regards,
Dani
*** STATUS CHANGE 24-MAY-2002 10:09:19 PST, kpintus, Action Type: ***
*** EMAIL OUT 24-MAY-2002 10:35:19 PST, kpintus, Action Type: Email Out ***
Send to: [daniel.mueller@gia.ch]
Hi Daniel,
From the debugs it looks possibily like a permission issue. Which domain did you create the user on from the instructions before? You will need to create the user on the domain the ACS box is in. If that does not work for you, maybe try turning on security auditing/failure auditing for everything on the domain controller and send me the results from that.
Lets try that and see what happens. I will go over this with the team lead as well, and see what he thinks about this issue.
Cheers,
Kirk
*** NOTES LOG 28-MAY-2002 08:46:30 PST, kpintus, Action Type: Action ***
Hi Kirk
The user accounts were migrated from the 'MM' domain (Win NT) to the
'giaintra.net' domain (Win2000). To test the functionality of the acs I have
two user accounts:
- 'giadmu' in the Win NT domain MM
- 'giadmu' in the new Win2000 Domain ' giaintra.net' (this is the migrated
user from the MM Domain)
The acs is a windows 2000 member server in the 'giaintra.net' domain. I can
not install the acs on a domaincontroller, because of our internal security
regulations.
For the user account in the MM Domain all works properly after I implemented
your instructions. But for the user account in the 'giaintra.net' domain the
authentication still fails. First I try to logon with 'giaintra.net\giadmu'
(dot net extension for the domain). In this case the csauth services logs
the following:
****************************************************************************
*************************
AUTH 05/27/2002 10:22:04 I 4562 1752 Attempting authentication for Unknown
User 'GIAINTRA.NET\giadmu'
AUTH 05/27/2002 10:22:04 I 0266 1752 External DB [NTAuthenDLL.dll]: Starting
authentication for user [GIAINTRA.NET\giadmu]
AUTH 05/27/2002 10:22:04 I 0266 1752 External DB [NTAuthenDLL.dll]:
Attempting NT/2000 authentication
AUTH 05/27/2002 10:22:04 I 0266 1752 External DB [NTAuthenDLL.dll]: NT/2000
authentication SUCCESSFUL (by GIAT057)
AUTH 05/27/2002 10:22:04 E 0266 1752 External DB [NTAuthenDLL.dll]: Local
account domain fallback not permitted
AUTH 05/27/2002 10:22:04 I 1311 1752 Unknown User 'GIAINTRA.NET\giadmu' was
not authenticated
****************************************************************************
*************************
Then I try to logon with giaintra\giadmu and the csauth service logs this:
****************************************************************************
*************************
AUTH 05/27/2002 10:19:07 I 4562 1776 Attempting authentication for Unknown
User 'GIAINTRA\giadmu'
AUTH 05/27/2002 10:19:07 I 1172 1776 ReadSupplierRegistry: Windows NT/2000
loaded
AUTH 05/27/2002 10:19:07 I 0266 1776 External DB [NTAuthenDLL.dll]: Starting
authentication for user [GIAINTRA\giadmu]
AUTH 05/27/2002 10:19:07 I 0266 1776 External DB [NTAuthenDLL.dll]:
Attempting NT/2000 authentication
AUTH 05/27/2002 10:19:07 I 0266 1776 External DB [NTAuthenDLL.dll]: NT/2000
authentication SUCCESSFUL (by GIAT057)
AUTH 05/27/2002 10:19:07 I 0266 1776 External DB [NTAuthenDLL.dll]:
Obtaining RAS information for user giadmu from GIAT057
AUTH 05/27/2002 10:19:07 E 0266 1776 External DB [NTAuthenDLL.dll]:
RasAdminUserGetInfo returned error 0x5
AUTH 05/27/2002 10:19:07 E 0266 1776 External DB [NTAuthenDLL.dll]: Failed
to get RAS information for user giadmu from GIAT057
AUTH 05/27/2002 10:19:07 I 1311 1776 Unknown User 'GIAINTRA\giadmu' was not
authenticated
****************************************************************************
*************************
I also turn on auditing for
- account logon events
- account management
- object access
on the domaincontroller of the 'giaintra.net' domain. But in the event
viewer I just see, that the account logon from the acs server was
succesfully. The following message appears in the event viewer:
****************************************************************************
*************************
Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Account Name:
giadmu
Workstation:
CISCO
****************************************************************************
*************************
regards
Dani
*** NOTES LOG 03-JUN-2002 10:04:22 PST, kpintus, Action Type: Action ***
Hi Kirk
As I told you in a mail before the csauth log file log the following
message:
RasAdminUserGetInfo returned error 0x5
The error code 0x5 is the code for a 'permission denied' error.
See the ErrorText.exe in the LS-Tool Collection on <http://www.losoft.de/>
I also search for the API Call 'RasAdminUserGetInfo' and found the following
article.
<http://msdn.microsoft.com/library/en-us/rras/rasadm_5e9b.asp>
There is a remark, that the 'RasAdminUserGetInfo' function is replaced by
the 'MprAdminUserGetInfo' function in Windows 2000. Is it possible, that the
'Grant Dialin setting' can't work because the acs server call a old API
function? In this case the acs 3.0 can't work in a Windows 2000 environment
(puh - big bug).
In further I make some tests with different combinations of Registry Key and
the 'Grant Dialin Perm' setting:
RegKey dialinPerm MM\giadmu (Win NT) GIAINTRA\giadmu
(W2K)
---------------------------------------------------------------------------
1 not set ok nok
1 set ok nok
0 not set ok ok
0 set ok nok
For the 'GIAINTRA\giadmu' account the last case is against your statement in
the mail before (If you set it to 0 then you can check Grant dial in perms).
I set the registry key to 0 and check the 'Grant Dialin Permission' but
can't logon with the Win2000 account GIAINTRA\giadmu.
On the W2K Domaincontroller (GIAT057) I audit 'logon events'. Allways when I
would logon with the GIAINTRA\giadmu account the Domaincontroller log the
following three events:
*********************************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 31.05.2002
Time: 18:11:33
User: NT AUTHORITY\SYSTEM
Computer: GIAT057
Description:
Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Account Name:
giadmu
Workstation:
CISCO
*********************************************************************
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 31.05.2002
Time: 18:11:33
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: GIAT057
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System
New Handle ID: -
Operation ID: {0,125580714}
Process ID: 304
Primary User Name: GIAT057$
Primary Domain: GIAINTRA
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x77C35A2)
Accesses MAX_ALLOWED
Privileges -
Properties:
**********************************************************************
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 31.05.2002
Time: 18:11:33
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: GIAT057
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System
New Handle ID: -
Operation ID: {0,125580717}
Process ID: 304
Primary User Name: GIAT057$
Primary Domain: GIAINTRA
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x77C35A2)
Accesses MAX_ALLOWED
Privileges -
Properties:
*********************************************************************
The first event is a successfull message, but the following two events are
failure messages (anonymous logon)?! Hope you can help me?
regards
Dani
