Yes indeed.

The AD Agent from both DC's works fine to me also... I think because they are made for Microsoft environment.

With CDA it's another problem because I suppose that is a Linux kernel.

Hi guys,

On Windows 2008 R2 only, the Cisco CDA requires the user to have an additional permission on the following registry key:

–HKLM\Software\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

–HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} (only if this key exists)

This permission is not given to members of the Domain Admins by default, and must be added explicitly.

You can refer to the user guide for more information:

http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_wrkng.html#wp1054050

I hope this helps resolves your issue,

Erez

Hi Shabat,

Sorry for my late answer.

I tried to modify the registry's as you said but I'm getting the error "Unable to save permission changes on

{76A64158-CB41-11D1-8B02-00600806D9B6}. Access is denied."

I forgot to mention that our DC's has Win 2008 R2 x64 SP1.

.

Regarding the privileges, the admin account has full access, but the permissions cannot be changed..

I don't know how to solve it.

Thanks in advance.

Regards,

Simon

Hi Simon,

You will need a Domain Admin account to add the permisson.

If you are indeed using a Domain Admin account, and still get the "Access is denied" message, you will need to take ownership of the registery key(s). You can do this by clicking the Advanced button in the Permissions tab - this will open a new window, in that window go to the "Owner" tab, and change the owner to the Domain Administrators group, or your current administrator account.

After taking ownership, you should be able to change the permissions successfully (without getting an "Access is denied" message).

Please let me know how it goes.

Thanks,

Erez

Hy Erez,

Thanks for reply.

So...

     1. My user it's the  domain admin

     2. The ownership of the registry is already my domain admin.

     But still not working.

Hi Simon,

Can you please double check the owner of the following key(s) explicitly? (i.e right click the key, click permissions and then advanced)

HKLM\Software\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} (only if this key exists)

By default the owner is "TrustedInstaller", and should be changed to Domain Admins.

If you are still getting an "Access is denied" message, please feel free to contact me and I'll guide you through it.

Thanks,

Erez

Hi Erez,

Finally works. Thank a lot.

But... I still have a question.

In this moment our DC's provides info's regarding the identity users to the main Cisco ASA and Irnport WSA S170 through Cisco AD Agent.

What I must do in order that ASA and WSA will comunicate with Cisco CDA instead of Cisco AD Agent to receive the updates?

Thanks again.

Regards,

Simon.

Hi Erez,

I solved the problem also with connection between AD to ASA and WSA.

Thanks a again for help.

Regards,

Simon

I have questions about the additional permissions you mentioned before. Our cda user is defined as domain admin and we changed the owner of the keys from TrustedInstaller to "Domain Admins".

What additional permissions are needed to get it working. We still have the problem that we get the "Access is denied". The same user used with the AD Agent works fine.

Thanks for helping in adv.

Walter

Sent from Cisco Technical Support iPad App

Hy Walter,

All what I've done was to make stept by step what Erez told me to do. And it's working fine.

Only one thing... I'm didn't create a CDA Admin inserted on Domains Admins I'm using only the Domain administrator to let CDA connect to DC's.

Did you made also what Erez told me about in the message on Jun 14, 2012 1:21 PM                             (in response to Simon Ludovic)?

*** By default the owner is "TrustedInstaller", and should be changed to Domain Admins. *** cf. Erez... both registry must be changed.

Thanks.

Hi Simon,

We did change both registry entries.

The problem we have, that we don't know what additional permissions are needed. Can you provide an example or even better a printscreen of your permission settings? Thanks!

Walter

Sent from Cisco Technical Support iPad App

Hy Walter,

Give me some minutes and I will provide some printscreens.

Thanks.

So...

Please find attached a print screen from one DC and one registry (as example).

This settings I made on both DC's and on bot registry which Erez specified.

I would like to say that my DC's has Windows 2008 R2 SP1 x64.

Hope that this image helps you.