Integrate in ACS to AD

John
Level 1

Hi Team, 

Right now the account we use to integrate ACS with AD is a super admin, and they want to lower the privileges of that account.

 

Below are the questions:

 

1. Minimum requirements for joining ACS to AD
2. The exact delegated account to integrate with
3. What are the effects if we change the privileges? Will it disconnect the AD?
4. Lessening the privileges

1 Reply

Marvin Rhoads
Hall of Fame

The account requirements are as follows:

Table 1 Required Account Permissions for Active Directory

Join Operations

For the account that is used to perform the join operation, the following permissions are required:

- Search Active Directory (to see if an ACS machine account already exists)
- Create ACS machine account in domain (if the machine account does not already exist)
- Set attributes on the new machine account (for example, ACS machine account password, SPN, dnsHostname)

It is not mandatory to be a domain administrator to perform a join operation.

Leave Operations

For the account that is used to perform the leave operation, the following permissions are required:

- Search Active Directory (to see if an ACS machine account already exists)
- Remove ACS machine account from domain

If you perform a force leave (leave without the password), it will not remove the machine account from the domain.

ACS Machine Accounts

For the newly created ACS machine account that is used to communicate over the Active Directory connection, the following permissions are required:

- Ability to change own password
- Read the user/machine objects corresponding to users/machines being authenticated
- Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes and so on)
- Ability to read tokenGroups attribute

You can precreate the machine account in Active Directory, and if the SAM name matches the ACS appliance hostname, it should be located during the join operation and re-used.

If multiple join operations are performed, multiple machine accounts are maintained inside ACS, one for each join operation.

Source:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/ACS-ADIntegration/guide/Active_Directory_Integration_in_ACS_5-8.html#pgfId-411176

As long as the above permissions are retained, it should not harm the existing integration to change the account from a domain admin account to a lesser privileged one.
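As an added illustration of the answer above (this is not from the thread or from Cisco's documentation), the PowerShell below delegates only the join and leave rights listed in Table 1 to a dedicated non-admin account, scoped to a single OU, precreates the machine account with the ACS hostname, and then checks that the account holds no built-in admin group membership. The OU path, the account name `EXAMPLE\svc-acs-join`, and the hostname `acs01` are placeholders; it assumes the RSAT ActiveDirectory module and dsacls.exe are available and that it is run by an account allowed to edit the OU's ACL.

```powershell
# Added example, not the original poster's or Cisco's own procedure.
# Assumptions (placeholders, adjust to your forest):
#   - the OU below exists and ACS machine accounts are created in it
#   - EXAMPLE\svc-acs-join is the delegated join/leave account (not a domain admin)
#   - acs01 is the ACS appliance hostname used for the optional precreate
Import-Module ActiveDirectory

$Ou          = 'OU=ACS Servers,DC=example,DC=com'   # assumption
$JoinAccount = 'EXAMPLE\svc-acs-join'               # assumption
$AcsHostname = 'acs01'                              # assumption

# Join: create the machine account (CC = create child of class computer).
# Leave: remove it again (DC = delete child).
# /I:T limits the grant to this OU and its sub-objects, not the whole domain.
dsacls $Ou /I:T /G "${JoinAccount}:CCDC;computer"

# Join: set attributes on the new machine account. /I:S applies the grant to
# computer objects under the OU only (inherited object type = computer):
#   - machine account password  -> "Reset Password" control access right
#   - SPN and dnsHostname       -> write property plus the validated writes
dsacls $Ou /I:S /G "${JoinAccount}:CA;Reset Password;computer"
dsacls $Ou /I:S /G "${JoinAccount}:WP;servicePrincipalName;computer"
dsacls $Ou /I:S /G "${JoinAccount}:WP;dNSHostName;computer"
dsacls $Ou /I:S /G "${JoinAccount}:WS;Validated write to DNS host name;computer"
dsacls $Ou /I:S /G "${JoinAccount}:WS;Validated write to service principal name;computer"

# "Search Active Directory" needs no extra grant as long as the default read
# access for Authenticated Users is still in place on the OU; the ACL dump
# below is where to confirm that. The rights the table lists for the ACS
# machine account itself (change own password, read user/machine objects,
# read tokenGroups) are not delegated here and are checked separately.

# Optional: precreate the machine account so the join locates and re-uses it.
# The answer notes the SAM name must match the ACS appliance hostname;
# New-ADComputer derives the SAM name (name plus trailing $) from -Name.
if (-not (Get-ADComputer -Filter "Name -eq '$AcsHostname'" -SearchBase $Ou)) {
    New-ADComputer -Name $AcsHostname -Path $Ou -Enabled $true
}

# Verify: show every ACE on the OU that names the join account.
dsacls $Ou | Select-String -SimpleMatch $JoinAccount

# Verify: the join account should not be in any built-in admin group after the change.
$sam = $JoinAccount.Split('\')[-1]
$adminGroups = Get-ADPrincipalGroupMembership -Identity $sam |
    Where-Object { $_.Name -in 'Domain Admins', 'Enterprise Admins', 'Administrators' }
if ($adminGroups) {
    Write-Warning "$sam still holds: $($adminGroups.Name -join ', ')"
} else {
    Write-Output "$sam holds no built-in admin group membership."
}
```

Run the delegation once before swapping the account in ACS, then perform a test join and a normal leave (not a force leave, which leaves the machine account behind) to confirm the reduced rights are sufficient before removing the old super admin credentials.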