Cisco ACS 5.3 authentication with AD 2008 server fails

anil.kumark
Level 1

Current Forest and Domain Functional Levels were upgraded from 2003 to 2008, after which we have had issues with ACS. We are getting authentication failures: "22056 Subject not found in the applicable identity store(s)".

 

1. Test the AD connections: Users and Identity Stores > External Identity Stores > Active Directory > Test Connection. Result: Connection succeeded.
2. Connectivity status: Users and Identity Stores > External Identity Stores > Active Directory > look for connectivity status; does it show connected? Status: CONNECTED.
3. Compared the clock on ACS ("show timezone" and "show clock") with the DC. The clocks are out of sync by less than 20 seconds, which shouldn't affect Kerberos.
4. Tried re-joining AD, but no luck.
5. Tried changing the identity sequence, but no luck.

 

Thanks

Anil

2 Replies

Francesco Molino
VIP Alumni
Hi

In the failed log, what is the format of the username?
Is it the same one you're testing with? If not, test manually with the exact username shown in the log.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

balaji.bandi
Hall of Fame

Check the information below (let us know if that is useful and works):

Problem: 22056 Subject not found in the applicable identity store(s)

AD users do not get authenticated with ACS version 5.x and receive this error message: 22056 Subject not found in the applicable identity store(s).

Solution

This error message occurs when the ACS fails to find the user in the first listed database that is configured in the Identity Store Sequence. This is an informational message and does not affect the performance of the ACS. The way that ACS 5.x performs authentication for internal or external users is different from the previous 4.x version. With the 5.x version, there is an option called Identity Store Sequence to define the sequence of user databases to be authenticated against. For more information, refer to Configuring Identity Store Sequences.

If you receive this error when you are using the ACS to authenticate requests against a Child Domain, then you have to add a UPN suffix or NETBIOS prefix to the username. For more information, refer to the Notes in the Microsoft AD section.

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html#p6

BB


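The two replies above make one combined point: the username format in the failed-attempt log decides which identity store and which domain ACS searches, and a child-domain user needs a NETBIOS prefix or UPN suffix to be found. The following added example is not Cisco's code and not from this thread; it is a small, simplified model of an identity-store sequence walk, written to show why a bare username resolves for the joined domain but returns 22056 for a child-domain user, and how the same name qualified with `EMEA\` or `@emea.corp.example.com` succeeds. The forest layout (`CORP`, `EMEA`), the store names (`Internal Users`, `AD1`), the user names and the log line are all constructed for the example; the `UserName=` field parsing is an assumption about log layout, not the exact ACS format.

```python
"""Constructed model of ACS 5.x identity-store-sequence lookup (added example).

Nothing here is Cisco code: the forest, the store names, the user names and the
log line are all made up so the example runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed AD forest: a parent domain (the one ACS is joined to) and one
# child domain. Each entry lists the UPN suffix that domain answers to.
FOREST: Dict[str, dict] = {
    "CORP": {"upn_suffix": "corp.example.com", "users": {"alice"}},
    "EMEA": {"upn_suffix": "emea.corp.example.com", "users": {"bob"}},
}
JOINED_DOMAIN = "CORP"          # domain of the ACS machine account (constructed)
INTERNAL_USERS = {"svc-backup"}  # constructed ACS internal user store

@dataclass
class ParsedUser:
    user: str
    fmt: str                      # "bare", "netbios" or "upn"
    domain_hint: Optional[str]    # NETBIOS prefix or UPN suffix, if any

def parse_username(raw: str) -> ParsedUser:
    """Classify the username exactly as it appears in the failed-attempt log."""
    if "\\" in raw:                               # DOMAIN\user
        prefix, user = raw.split("\\", 1)
        return ParsedUser(user, "netbios", prefix.upper())
    if "@" in raw:                                # user@upn.suffix
        user, suffix = raw.rsplit("@", 1)
        return ParsedUser(user, "upn", suffix.lower())
    return ParsedUser(raw, "bare", None)          # unqualified name

def resolve_domain(p: ParsedUser) -> Optional[str]:
    """A bare name is only searched in the joined domain; qualified names pick theirs."""
    if p.fmt == "bare":
        return JOINED_DOMAIN
    if p.fmt == "netbios":
        return p.domain_hint if p.domain_hint in FOREST else None
    for name, dom in FOREST.items():
        if dom["upn_suffix"] == p.domain_hint:
            return name
    return None

def lookup(raw: str, sequence: Tuple[str, ...] = ("Internal Users", "AD1")) -> Tuple[str, str]:
    """Walk the identity store sequence and return (result, store) like an ACS log row."""
    p = parse_username(raw)
    for store in sequence:
        if store == "Internal Users" and p.fmt == "bare" and p.user in INTERNAL_USERS:
            return ("PASSED", store)
        if store == "AD1":
            dom = resolve_domain(p)
            if dom is not None and p.user in FOREST[dom]["users"]:
                return ("PASSED", f"{store}/{dom}")
    # No store in the sequence holds the subject: this is the 22056 case.
    return ("22056 Subject not found in the applicable identity store(s)", "none")

LOG_RE = re.compile(r"UserName=(?P<user>[^,\s]+)")

def triage(log_line: str) -> dict:
    """Pull the username out of a failed-attempt line and show how ACS resolved it."""
    m = LOG_RE.search(log_line)
    if m is None:
        return {"error": "no UserName field in log line"}
    raw = m.group("user")
    p = parse_username(raw)
    result, store = lookup(raw)
    out = {"username": raw, "format": p.fmt, "result": result, "store": store}
    if p.fmt == "bare" and result.startswith("22056"):
        # The bare name was only searched in the joined domain; list the
        # qualified forms that would direct the lookup at the other domains.
        others = [n for n in FOREST if n != JOINED_DOMAIN]
        out["retry_as"] = [f"{n}\\{p.user}" for n in others] + \
                          [f"{p.user}@{FOREST[n]['upn_suffix']}" for n in others]
    return out

# Constructed failed-attempt line (layout assumed, not the verbatim ACS format).
CONSTRUCTED_LOG = ("2012-03-01 10:15:02 Failed-Attempt: Authentication failed, "
                   "UserName=bob, Protocol=PAP, FailureReason=22056 Subject not found "
                   "in the applicable identity store(s)")

if __name__ == "__main__":
    for name in ("alice", "bob", "EMEA\\bob", "bob@emea.corp.example.com", "svc-backup"):
        print(f"{name:28} -> {lookup(name)}")
    print(triage(CONSTRUCTED_LOG))
```

Running the block prints that `alice` (joined domain) and `svc-backup` (internal store) pass as bare names, while `bob` passes only as `EMEA\bob` or `bob@emea.corp.example.com`; `triage` extracts the bare `bob` from the constructed log line and lists those two qualified forms as the manual retests Francesco's reply asks for.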