01-17-2019 08:07 PM
current Forest and Domain Functional Levels were upgraded from 2003 to 2008 after which we have issues with ACS. We are getting authentication failures "22056 Subject not found in the applicable identity store(s)"
1. Test the AD connections: Users and Identity Stores > External Identity Stores > Active Directory > Test connection Connection succeeded
2. Connectivity status: Users and Identity Stores > External Identity Stores > Active Directory > look for connectivity status, does it show connected? Status:CONNECTED
3. Compare the clock on ACS("show timezone" and "show clock") and the DC sync. The clocks are out of sync by less than 20 seconds it shouldn’t affect kerberos
4. Tried re-joining AD but no luck.
5. Tried changing the identity sequence but no luck.
Thanks
Anil
01-17-2019 08:54 PM
01-17-2019 09:40 PM
Check below information (let us know if that usefull and works) ?
AD users do not get authenticated with ACS version 5.x and receive this error message: 22056 Subject not found in the applicable identity store(s).
This error message occurs when the ACS failed to find the user in the first listed database that is configured in the Identity store sequence. This is an informational message and does not affect the performance of the ACS. The way that ACS 5.x performs the authentication for internal or external users is different than the previous 4.x version. With the 5.x version, there is an option called Identity Store Sequence to define the sequence of user databases to be authenticated. For more information, refer to Configuring Identity Store Sequences.
If you receive this error when you are using the ACS to authenticate requests against a Child Domain, then you have to add a UPN suffix or NETBIOS prefix to the username. For more information, refer to the Notes in the Microsoft AD section.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide