Tarik,

thanks for your answer, I tried that out. Unfortunately, it did not yield the expected result.

The Access-Service I'm using has "Single result selection" selected for Identity Policy. There, I selected an Identity Store Sequence called ONG-AD as the identity store (which itself has two identity stores configured - AD1 & Internal Users in this sequence). The Identity Store Sequence "ONG-AD" has "Continue to next identity store in the sequence" configured in the advanced options as you described.

When I test the setup now, there is no difference - the Internal User may authenticate, although the AD1 is perfectly reachable and you can also authenticate with external users there.

The detailed log in ACS 5.3 shows:

I assume that this has to be solved rather with rule-based result selection (in the Identity Store configuration of the access service) instead of Identity Store Sequences. I'll try that and let you know.

Regards,

Florian

You are fighting my same battle.  Just curious, are you creating the local user ACS accounts with the same username as their AD accounts?  If that is the case then you are doomed, but if not then it should work fine.

Also, how are you testing AD connection failure within ACS?

I have just gone through an almost identical issue so I am curious if you discover anything new.

In my case, we want to have one common fallback-user. This user+pass is "well-known" to the internal IT-staff and should be used (only) if there is a servere malfunction in the AAA-system, preventing IT-staff to login into devices. I think configuring separate fallback-users for everyone is a little bit cumbersome, because of the administrative overhead. On the other hand, it's better for security, because there is no "general" password. Why should you be doomed when you do it like that? I think it should be possible too.

The point is: fallback-user should work *only* when there is a AAA-malfunction - not always. Otherwise this fallback-user would be too much a security-threat of its own. I think I solved it now by *not* using Identity Store Sequences any more, as they do not seem to provide the functionality. Instead, I re-configured the Identity Policy on ACS to a rule-based one. First line points to AD (external database). Second line points to Internal Users. As long as there is no "process failure" (external database not reachable), ACS should never proceed to line 2. So, the fallback-user can't be used in this case - as expected. This has to be configured in the "Advanced Options" of the first rule in the Identity Policy.

Regarding testing: Good question. I don't have a solution!

Ok, I think it finally clicked what you are trying to accomplish and it looks you found a solution.

Regarding my doomed statement.  My issue was that my users (ie boss) wanted to have both AD and local accounts which would behave simliar to your fallback scenario.  They were used to the old ACS 3.2 method where a user account was created, THEN you sepcified to authenticate the account against the internal ACS database or AD.

Long story short, if you create local accounts that use the same exact username as your AD then ACS will NEVER authenticate against the internal datastore if there is an active connection to AD.  So if the passwords are different, authentication fails because it is reading the AD password since it already found the name and will never check the password of the internal user.  I understand the limitation as my users are saying they want ACS to read their minds on whichever account they feel like using at the time, so I am not losing any sleep over the fact that I cannot exacly duplicated the functionality of the older version.

As far as testing, ACS needs a simple Connect/Disconnect option for the AD section simply for this purpose.  Last time I checked it looks like you have wipe out your existing AD info and potentialy lose all your group settings if you want to replicate AD failure now.  Could be totally wrong on this conclusion.