05-05-2010 08:25 AM - edited 03-10-2019 05:06 PM
I am trying to set up the ACS to authenticate users that are in certain AD groups.
If I go into the ACS, I cannot seem to enumerate AD groups correctly. Although the AD server shows as connected in the Identity stores (and it tests fine), if you go to the directory groups tab and hit "select", no groups will show up no matter what search string or base you specify. This is seemingly allowing anyone with an AD account to authorize on the switch even though they are not in the specified group.
I also get the following errors showing up in the monitor:
May 5,2010 3:14:26.683 PM | ERROR | AD Operation failure | CSCOacs_Internal_Operations_Diagnostics | 33201 | AdminInterface=GUI AdminIPAddress=10.x.x.x AdminSession=F7434BE137EBD195B586055A58875E3E AdminName=ACSAdmin DomainName=DC=mydomain DC=com ADOperationResult=No global catalog can be found for domain: mydomain.com |
I can assure you that AD isn't broken for other things, and all the DNS underscore zones, etc. are all there. No AD servers are down or offline, etc.
Any ideas?
05-15-2010 10:59 PM
If AD is connected to the ACS, but you can’t retrieve the group directories from it and are getting "ADOperationResult=No global catalog can be found for domain", then let me inform you that this is an ongoing issue and will be fixed in ACS 5.1 patch 3, which is not yet released. We are expecting the availability of this patch on CCO in mid-June.
CSCtf39158 Can't retrieve AD groups in single forest with multiple trees scenarios
Regds,
JK
Do rate helpful posts-
05-19-2010 12:01 PM
This does fit my scenario as far as I can tell - though I am still working with TAC on it. Hopefully patch 3 comes early, as this is a show stopper for our implementation.
06-09-2010 07:49 AM
Patch 3 fixed this problem
06-09-2010 08:03 AM
I would appreciate it if you mark this thread as RESOLVED so that others can benefit from it.