Failed to enumerate windows groups

hopecompany
Level 1
Folks,

We are running two domain controllers within our environment and we have set up an ACS with version 4.0 for user authentication. Assume that one domain is named A.com (Windows 2003 server) and another B.com (Windows 2008 server). ACS is currently a member of domain A.com and these 2 domains are configured to trust each other.

We have no issue enumerating Windows groups on domain A.com. Unfortunately, when we attempt to enumerate Windows groups on domain B.com, we receive an error indicating "failed to enumerate windows groups. if you are using active directory consult installation guide for information".

I did capture traffic between ACS and domain B.com and found that a STATUS_ACCESS_DENIED error occurred when ACS attempted to authenticate to domain B.com through the SAMR protocol.

Is there anything we can do to resolve this issue? Your suggestions will be most appreciated.

Thank you!

Jatin Katyal
Cisco Employee

Cao,


Make sure that the remote domain name (B.com) you specified in the database group mapping screen is the NETBIOS name, not the AD domain name. If you enter "cisco.com" as the domain name, it will fail.

If this is already OK, then you have a permissions issue. The ACS services (running on the A.com member server) must be running as a user that can read all user/group properties on the target domain. Normally this user should be part of the Domain Admin group.


In the link listed below, please focus on Step 2, Add CISCO workstation.


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/installation/guide/windows/postin.html#wp1041304



Step 2 Add CISCO workstation

In the local domain, and in each trusted domain and child domain that ACS will use to authenticate users, ensure that:

• A computer account named CISCO exists.

• All users that Windows will authenticate have permission to log in to the computer named CISCO.


Rgds,

JK


Do rate helpful posts-

~Jatin
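The three checks in the reply above (NetBIOS name versus DNS domain name, the account the ACS services run as and its group membership, and the CISCO computer account in every trusted domain) can be verified read-only from the ACS member server. The following PowerShell is an added example, not code from the thread or from Cisco's documentation. It assumes the RSAT ActiveDirectory module is installed on the member server, that the account running it can read both the local and the trusted domains, and that the ACS 4.x Windows services have names starting with "CS" (an assumption; adjust the pattern to match your installation). The domain names A.com and B.com are discovered from the trust list rather than hard-coded.

```powershell
# Added example (not from the original thread or the Cisco guide).
# Read-only checks for the three points raised in the reply.
Import-Module ActiveDirectory

$ServiceNamePattern = 'CS%'            # WQL LIKE pattern; assumption about ACS 4.x service names
$RequiredGroup      = 'Domain Admins'
$WorkstationAccount = 'CISCO'           # computer account required by post-install Step 2

function Get-DomainsToCheck {
    # Local domain plus every trusted domain, as DNS names (e.g. A.com, B.com).
    $local   = (Get-ADDomain).DNSRoot
    $trusted = Get-ADTrust -Filter * | Select-Object -ExpandProperty Name
    @($local) + @($trusted) | Select-Object -Unique
}

function Test-NetBiosName {
    param([string]$DnsDomain)
    # Point 1: the group-mapping screen wants the NetBIOS name, not the DNS name.
    $d = Get-ADDomain -Server $DnsDomain
    [pscustomobject]@{
        Domain      = $DnsDomain
        NetBIOSName = $d.NetBIOSName
        Note        = "Enter '$($d.NetBIOSName)' in ACS, not '$DnsDomain'"
    }
}

function Get-AcsServiceAccounts {
    # Point 2: find the account(s) the ACS services actually run as.
    Get-CimInstance Win32_Service -Filter "Name LIKE '$ServiceNamePattern'" |
        Select-Object -ExpandProperty StartName -Unique
}

function Test-ServiceAccountMembership {
    param([string]$Account, [string]$DnsDomain)
    # Built-in accounts present themselves as the computer account on the network,
    # so a Domain Admins membership check does not apply to them; flag them instead.
    if ($Account -match '^(LocalSystem|NT AUTHORITY\\)') {
        return [pscustomobject]@{ Account = $Account; Domain = $DnsDomain
                                  InDomainAdmins = $false
                                  Note = 'built-in account; change the service logon to a domain user' }
    }
    $sam = ($Account -split '\\')[-1]   # strip any DOMAIN\ prefix
    # -Recursive expands nested groups; members from a foreign domain appear as
    # foreign security principals, so a cross-trust account may need a manual look.
    $members = Get-ADGroupMember -Identity $RequiredGroup -Server $DnsDomain -Recursive |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{ Account = $Account; Domain = $DnsDomain
                       InDomainAdmins = ($members -contains $sam); Note = '' }
}

function Test-CiscoWorkstation {
    param([string]$DnsDomain)
    # Point 3 (Step 2 of the post-install guide): a computer account named CISCO must exist.
    try {
        $c = Get-ADComputer -Identity $WorkstationAccount -Server $DnsDomain
        [pscustomobject]@{ Domain = $DnsDomain; CiscoAccountExists = $true;  Enabled = $c.Enabled }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [pscustomobject]@{ Domain = $DnsDomain; CiscoAccountExists = $false; Enabled = $null }
    }
}

# Run all three checks against every domain ACS will authenticate to.
$domains  = Get-DomainsToCheck
$accounts = Get-AcsServiceAccounts
foreach ($dom in $domains) {
    Test-NetBiosName -DnsDomain $dom
    foreach ($acct in $accounts) { Test-ServiceAccountMembership -Account $acct -DnsDomain $dom }
    Test-CiscoWorkstation -DnsDomain $dom
}
```

A STATUS_ACCESS_DENIED on SAMR from the trusted domain, as in the original capture, lines up with either the second or the third check failing: the service account cannot read the remote domain's users and groups, or the remote domain has no CISCO computer account for ACS to use. Fixing whichever row reports false, then re-running the enumeration in ACS, isolates which of the two it was.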