cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1574
Views
0
Helpful
13
Replies

Cisco ACS 5.2 Active Directory Trust Relationship

Mikayil Qasimov
Level 1
Level 1

Hello Dears,

I have Cisco ACS 5.2 server and 2 DC with two different domain name. Cisco ACS is connected to DC1(xxx.xdomain.com), and working well. Between these DC(ydomain.com) have two-way Trust Relationship.

How I can authenticate DC2 users in Cisco ACS? Please help

13 Replies 13

Jatin Katyal
Cisco Employee
Cisco Employee

You have to add a UPN suffix or NETBIOS prefix to  the username when authenticating to a domain that the ACS is not joined  to, including the child domains.

ACS does not support user authentication in AD  when a user name is supplied with an alternative UPN suffix configured  in OU level. The authentication works fine if the UPN suffix is  configured in domain level.

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Dear Jatin,

Thanks for quick reply. Can you explain it in detail?
For example: ACS is connect to xxx.domain.com and in directory we can add the groups like xxx.domain.com/groups/IT . How I should add another group which is located in other Domain?
About UPN suffix, in which domain I should add suffix and how?
Thanks beforehand

Sent from Cisco Technical Support iPad App

If ACS is connected to DC1(xxx.xdomain.com) and you are also able to select groups from trsuted domain i.e. DC2 (ydomain.com) from the ACS by going to Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups.  

It should work fine for users who are in DC2 (ydomain.com) if they are connecting/authenticating with the UPN format user@ydomain.com or

Netbios user\ydomain.com.

If you have a condition created under access-policies and seleceted an AD group from the DC2 (ydomain.com) domain and it's not matching that authorization rule then it might not be coming in other attributes.

In order to achieve the best results with ACS and AD, you should have ACS 5.3 patch 4 or above.

There are few defects where ACS fails to fetch user information from the trusted domain and that has been fixed in ACS 5.3 patch 3.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks again Jatin.

I tried authentication with UPN and Netbios but unseccessfully. I'm using 5.2 ACS if I will upgrade it to 5.3 with patch 4 or above, is't will work normally with trusted domain?

What is the domain functional level across the domains?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

It is possible there is some ports blocked to the trusted domains. A packet capture would be very helpful to see what was being blocked to trusted domains.

Is your active directory configured with trusted domain as an alternate UPN under Active directory Domains and Trust. We could give a try if all ports are open and we are running atleast win2003 functional level.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Did you get a chance to check the above suggested pointers?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Mikayil Qasimov
Level 1
Level 1

Nobody knows hot to fix it?  Everywhere everybody says that add UPN suffix or it's about UPN. But nobody can show some example.

Jatin Katyal
Cisco Employee
Cisco Employee

We've not seen the adagent logs yet so can't say what exactly the problem is. In most of the cases, I have seen issue with 2 way external trust. Also, upgrading to acs 5.3 latest patch would be worth.


Sent from Cisco Technical Support Android App

~Jatin

Hi,

Are you domains in the same forest or are they in separate forests? See this guide for kerberos authentication in a multi-forest scenario. You may need further research in your trust type since two-way trusts may not allow kerberos (that is what ACS uses to authenticate against the domains).

http://technet.microsoft.com/en-us/library/cc772808%28v=ws.10%29.aspx

http://setspn.blogspot.com/2009/09/ad-external-trusts-and-kerberos.html

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Jatin,

First of all, I installed acs 5.3 with package 5.3.0.40.

2 AD are Windows server 2008. Between them before it was forest trusted but didn't work after I changed it to external trust the same result, now it's External Trust. I check trust for me it works,in AD2 I gave administrator privilage for user which is located in AD1, after this I can connect with RDP to AD2  with that user. Added UPN under active directories. I can send images to your email if you will send me your email address with private messages.

Mikayil Qasimov
Level 1
Level 1

Hi again Dears,

I installed ACS 5.3 with patch 4.7. Now I can authenticate users whch is located in Domain B. But only Netbios domainb\user, I can't authenticate with UPN suffix user@domainb.com. Trust is a forest and two-way authentication. Do you know what is the reason?

Mikayil,

Were you able to find my post useful, I dont think the trust type you have supports kerberos authentication.

See if this article is of any use -

http://technet.microsoft.com/en-us/library/cc784334%28v=ws.10%29.aspx

Thanks

Tarik Admani
*Please rate helpful posts*

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: