Cisco 5.3 Cluster - Domain Notation only Required when using Secondary ACS Server

tcroziercisco
Level 1

Overview: Cisco 5.3 cluster, with a primary server and a secondary server at separate datacenters, for remote VPN authentication through Cisco ASA, using RADIUS authentication and Active Directory security groups.

The primary and secondary ACS servers are members of (connected to) the root domain of our AD forest.

Issue: During testing, I am experiencing different results as they relate to the requirement of domain notation during login. When testing against the primary ACS server, I am able to pass authentication for users in the root domain and child domains with or without domain notation. When testing against the secondary ACS server, domain notation is required for child domains.

Since each server is running the same version, 5.3.0.40, and both are connected to the same domain, which happens to be the root domain of the forest, I would expect the same results from testing. I did confirm that they are synchronized properly.

Example: 

- The forest name and root domain is X, and the ACS servers are members of X.

- Child domains are Y and Z.

When I test authentication against the primary, I can log in with a user from X, Y, or Z using domain notation (domain\username) or without domain notation (username).

When I test against the secondary ACS server, I can log in using domain notation for X, Y, and Z. But when I test without domain notation, it only works when the user is from the root domain X. So users from Y and Z must use domain notation.

The logs show the error as:

22056 Subject not found in the applicable identity store(s)

1 Reply

tcroziercisco
Level 1

More info: During the installation of the secondary unit, it was renamed and then reconnected to the root domain.
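The comparison described in the thread (same user, bare username versus domain\username, primary versus secondary ACS) is worth running as a repeatable matrix rather than by hand through the ASA. The script below is an example added by the editor; it is not code from the original post or from Cisco. It sends RADIUS PAP Access-Requests (RFC 2865) directly to each ACS server and records accept, reject or timeout per (server, domain, form), which takes the ASA out of the picture. It assumes ACS listens on UDP/1812 and that the host running the script is defined in ACS as a AAA client with the shared secret used here; the addresses, secret, usernames and password are constructed placeholders.

```python
"""Added example (editor's, not from the original post or from Cisco):
a RADIUS PAP test matrix for the domain-notation symptom in the thread.
All hosts, secrets and accounts below are constructed placeholders."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
RADIUS_AUTH_PORT = 1812  # assumption: ACS authentication port


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple (at least 16), XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server's side); used for offline self-checks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts its two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_id=b"notation-test"):
    """Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, secret, request_auth, attrs=b""):
    """What the server sends back; included only so the parser can be checked offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(data, secret, request_auth):
    """Return the response code, or None if the Response Authenticator does not equal
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    if len(data) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        return None
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    return code if data[4:20] == expected else None


def classify(code):
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "bad-authenticator"}
    return names.get(code, f"code-{code}")


def send_request(server, secret, username, password, identifier=1, timeout=3.0):
    packet, request_auth = build_access_request(identifier, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, RADIUS_AUTH_PORT))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"
    return classify(verify_response(data, secret, request_auth))


def username_forms(domain, user):
    """The two login forms compared in the thread."""
    return {"bare": user, "domain\\user": f"{domain}\\{user}"}


def run_matrix(servers, secret, users, password, timeout=3.0):
    """servers: {'primary': ip, 'secondary': ip}; users: {'X': 'alice', 'Y': 'bob'}.
    Returns {(server, domain, form): result}. A primary/secondary mismatch on the
    same (domain, form) row is the behaviour to chase in the ACS logs."""
    results, ident = {}, 0
    for srv, host in servers.items():
        for domain, user in users.items():
            for form, name in username_forms(domain, user).items():
                ident = (ident + 1) % 256
                results[(srv, domain, form)] = send_request(host, secret, name, password, ident, timeout)
    return results


if __name__ == "__main__":
    # Constructed placeholders (RFC 5737 documentation addresses); replace with real values.
    servers = {"primary": "192.0.2.10", "secondary": "192.0.2.20"}
    users = {"X": "rootuser", "Y": "childuser", "Z": "otherchild"}
    for key, result in run_matrix(servers, b"sharedsecret", users, "Password1", timeout=0.5).items():
        print(key, result)
```

Run it once per ACS node and compare rows: a reject on the secondary for a child-domain user in the "bare" form, with an accept for the same user on the primary, reproduces the symptom in the post and lines the results up against the 22056 entries in the ACS authentication log. The Response Authenticator check matters because a reply that fails it is not evidence of anything except a wrong shared secret or a spoofed packet.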