If you are using AD, you should configure ACS to authenticate against the Windows Database rather than Generic LDAP. The following is a quote from the help given on the External User Database screen on the ACS regarding the Generic LDAP setting: 'While Active Directory is based on LDAP, use a Windows database configuration for authenticating users with Active Directory.' Hope this helps.