Authenticate users in other Windows domain

remco.gussen
Level 1

Hi

I'm trying to authenticate users in another Windows domain. The correct Remote Agent version is installed on domain controller. Enterprise Admin "runs" the service.

I discovered that group nesting is not working in version 3.3.3. Is that correct?

I also created a Universal and a Domain local group. In that group I put some users from the other, trusted domain.

Authentication will not work: Error on ACS: External DB account restriction.

I also tried to make a group mapping directly in the trusted domain. When I click on "Add Group Mapping", this is the error: "Failed to enumerate windows groups."

How can I solve these problems?

Thanks

Remco
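The three symptoms in the post (group nesting, users from a trusted domain in a domain local/universal group, and "Failed to enumerate windows groups") can all be checked from the domain controller itself, independently of ACS. The script below is an added diagnostic, not from the original thread and not Cisco code. Run it on the DC that hosts the Remote Agent, as the account that runs the Remote Agent service, so the output reflects what that service can see. The domain, user and group names are assumptions and have to be replaced.

```powershell
# Added diagnostic, not from the original thread or from Cisco. Run on the DC that
# hosts the ACS Remote Agent, logged on as (or via "runas" with) the account that
# runs the Remote Agent service. All names below are assumptions; adjust them.
param(
    [string]$TrustedDomain = 'trusted.example',   # assumed: the other, trusted domain
    [string]$LocalDomain   = 'acs.example',       # assumed: the domain the ACS/agent is joined to
    [string]$UserName      = 'jdoe',              # assumed: a user that lives in the trusted domain
    [string]$GroupName     = 'ACS-VPN-Users'      # assumed: the domain local/universal group in $LocalDomain
)

function Get-NamingContext([string]$Domain) {
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/RootDSE")
    $root.RefreshCache()   # forces the bind; throws if the trust or our credentials do not allow it
    return [string]$root.Properties['defaultNamingContext'].Value
}

function New-Searcher([string]$Domain, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/$(Get-NamingContext $Domain)")
    $s.Filter   = $Filter
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange($Props)
    return $s
}

# --- 1. Can this account enumerate groups in the trusted domain at all? ---------
# This is the same kind of query "Add Group Mapping" has to run against that domain.
try {
    $groups = (New-Searcher $TrustedDomain '(objectCategory=group)' @('sAMAccountName','groupType')).FindAll()
    "Enumerated {0} groups in {1} as {2}\{3}" -f $groups.Count, $TrustedDomain, $env:USERDOMAIN, $env:USERNAME
} catch {
    "Cannot enumerate groups in $TrustedDomain as $env:USERDOMAIN\$env:USERNAME : $_"
    "Check the trust (direction, validation) and the service account's rights before looking at ACS."
    return
}

# --- 2. Direct versus expanded membership of the trusted-domain user -------------
$user = (New-Searcher $TrustedDomain "(&(objectCategory=person)(sAMAccountName=$UserName))" @('distinguishedName','memberOf')).FindOne()
if (-not $user) { "User $UserName not found in $TrustedDomain"; return }

"Direct memberOf (what a product without nested-group support can see):"
$user.Properties['memberof'] | ForEach-Object { "  $_" }

# tokenGroups is a constructed attribute: the trusted DC expands nested security
# groups for us. Domain local groups that live in $LocalDomain are not part of it;
# those are only added when the user authenticates to a resource in that domain,
# which is why step 3 checks them from the group side instead.
$entry = $user.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))
"Expanded tokenGroups (nested groups included):"
foreach ($raw in $entry.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(not resolvable from this domain)' }
    "  {0}  {1}" -f $sid.Value, $name
}

# --- 3. Does the group in the ACS domain really contain that user? ---------------
# Cross-domain membership is stored on the group. Under an external trust the member
# is a foreignSecurityPrincipal (CN=<SID>,CN=ForeignSecurityPrincipals,...), not the
# user's own DN, so that is what you should expect to see listed here.
$grp = (New-Searcher $LocalDomain "(&(objectCategory=group)(sAMAccountName=$GroupName))" @('member','groupType')).FindOne()
if (-not $grp) { "Group $GroupName not found in $LocalDomain"; return }

$type  = [int]$grp.Properties['grouptype'][0]
$scope = if ($type -band 0x4) { 'Domain local' } elseif ($type -band 0x8) { 'Universal' } elseif ($type -band 0x2) { 'Global' } else { 'Unknown' }
"Group $GroupName scope: $scope, security group: $(($type -band 0x80000000) -ne 0)"
"Members:"
$grp.Properties['member'] | ForEach-Object { "  $_" }
```

If step 1 already fails under the service account, the "Failed to enumerate windows groups" error is a trust or permissions problem and no ACS setting will fix it. If step 2 shows the user only in tokenGroups but not in memberOf, the membership is nested, which is the case the poster is asking about. Step 3 tells you whether the group the poster created actually holds the foreign user, and whether it is a domain local group, whose membership the user's own domain controller never reports.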

Accepted Solution

mj11
Level 3

Hi Remco

Looking at the release notes, under Known Problems in Cisco Secure ACS for Windows Server 3.3

CSCei01730

EAP-TLS authentication to the trusted DC doesn't succeed

Authentication succeeds only when the EAP-TLS client authenticates to the DC that is connected directly to the ACS; when the user is in the trusted DC (only in the trusted DC), which is connected to the first DC, the authentication does not succeed and the Failed Attempts message is: "External DB account Restriction."

The same message occurs whether domain stripping is enabled in the Windows external database settings or not.

CSCee13658

Failed attempts report statement is not clear enough

When user validation fails for any reason (external server down, wrong SSL certificate, or key mismatch with NAS), the csv failed attempts report states that the authentication failure code is 'external db account restriction' or 'CS password invalid'.

Workaround: This problem is cosmetic. No workaround.

Regards MJ

2 Replies

Tomorrow I'm going to upgrade the ACS appliance to version 3.3.4. I hope that a lot of issues will be solved!