External DB account Restriction error

raju
Level 1

Hello,

We have a Cisco ACS v3.2 which is integrated with two AD domains, say ABC (Windows 2000 ADC) and XYZ (Windows 2003 ADC), and there is a trust relationship between them. Users belonging to the ABC domain are able to connect through ACS-TACACS+, whereas users belonging to the XYZ domain can't. Users from the XYZ domain are getting the error "External DB account Restriction error". Group assignments in ACS are the same for the ABC & XYZ domains. I tried with the domainname\username format also, but no luck.

What could be the problem?

Thanks in advance,

Raju

6 Replies

drolemc
Level 6

I could find two bugs in 3.2 which talk about the error message "External DB account restriction". The first is CSCef02972 - 'External DB account restriction errors stop authenticating users' and the other is CSCeb79925 - 'Wrong log message when client rejects PEAP certificate'. You could have a look at these bugs to figure out if you might possibly be running into one of these.

We finally figured it out! We were using ACS ver 3.2.2 and had the same problem. We upgraded to ver 3.3.1(16) and it still said "External DB Account restriction". It worked with \DEFAULT domain mapped to an ACS group, but we saw this as a security risk. Eventually we got it working with an unnested AD usergroup. And then we changed the \DEFAULT domain mapped to . So the resolution for us is that only unnested AD groups work, and nested doesn't.

We found a similar problem with the application "SURFCONTROL" which also logs only user activity in unnested groups.

Let us know....

P

c-wilkins
Level 1

We were having the same problem. I started capturing packets from our ACS server and discovered that on the second domain it was appending the DNS suffix of the domain that the ACS server is a member of. So you might want to check that you have the suffix of both domains defined in the "Append these DNS suffixes" of the TCP/IP properties on your ACS server.

Hi

I am having exactly the same issue. I have tried the above suggestion to go into TCP/IP properties and add the suffixes of each domain on the ACS, but to no avail. Perhaps I have done it incorrectly. Could someone clarify based on the following scenario?

There are two domains, Domain A and Domain B. The ACS sits in Domain A and is a Domain controller for that domain. All user accounts are located in domain B.

Could you detail out the steps required to make this work, if anyone has got it working?

Many thanks

Marc

Marc,

Here is the solution and it works in our environ

If ACS sits in domain A and the user is part of domain A, he can simply put his login id and password, provided you have group mappings.

If a user from domain B wants to login, then he has to put domainB\username and his password.

As far as group mappings, you can use the same groups in ACS for both domains. Make sure that you are able to ping the domain controllers in Domain A & Domain B from the ACS server, particularly the domain controller(s) which are holding the Global Catalog (GC) function. I'm sure that there will be DNS servers in both domains, and make sure the domains are reachable. If not, you can add them in the hosts file of the ACS server, which we have done so that it can send the requests to the corresponding domain when it receives them.

Hope it helps!
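An added diagnostic for the steps above (example code, not from anyone in this thread or from Cisco): it applies the login-format rule from the reply (bare username means the ACS server's own domain, domainB\username selects the trusted domain), shows which FQDNs an unqualified DC name turns into under a given "Append these DNS suffixes" list, and then tests TCP reachability of the Global Catalog port from the ACS host. Domain and host names are constructed sample values.

```python
import socket

GC_LDAP_PORT = 3268  # Global Catalog LDAP port on the GC-holding DCs the reply says must be reachable


def parse_login(login, default_domain):
    """Split an ACS login string into (DOMAIN, user).

    A bare 'user' is taken as the ACS server's own domain (domain A in the
    thread); 'DOMAINB\\user' names the trusted domain explicitly, as required
    for domain B users; 'user@domain' (UPN form) is accepted as well.
    """
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        domain, user = default_domain, login
    if not user or not domain:
        raise ValueError("malformed login: %r" % login)
    return domain.upper(), user


def fqdn_candidates(host, suffixes):
    """Names a resolver tries for an unqualified host given the DNS suffix
    search list. If only domain A's suffix is configured, a short domain B
    DC name is never qualified into domain B, which matches the packet
    capture observation earlier in the thread."""
    if "." in host:
        return [host]
    return ["%s.%s" % (host, s.strip(".")) for s in suffixes]


def check_gc(host, suffixes, timeout=2.0):
    """Return the first candidate FQDN that resolves and accepts a TCP
    connection on the GC port, or None. Needs network access to the DCs."""
    for name in fqdn_candidates(host, suffixes):
        try:
            with socket.create_connection((name, GC_LDAP_PORT), timeout=timeout):
                return name
        except OSError:  # resolution failure, refusal or timeout
            continue
    return None


if __name__ == "__main__":
    # Constructed sample values; replace with your own domains and DC names.
    suffixes = ["domaina.example", "domainb.example"]
    for login in ["alice", "DOMAINB\\bob", "carol@domainb.example"]:
        print(login, "->", parse_login(login, "DOMAINA"))
    for dc in ["dc1", "gc1.domainb.example"]:
        print(dc, "->", check_gc(dc, suffixes))
```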

Many thanks

I will give this a go when I get back to the office.

Rgds

Marc