Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1193
Views
5
Helpful
5
Replies

ACS 5.1 connecting to AD

Go to solution
StevieOliver_2
Level 1
Level 1

‎01-12-2011 03:06 AM - edited ‎03-10-2019 05:42 PM

Hi

I'm trying to connect my VMware ACS 5.1 to my Domain to test domain authentication.

I've been having problems when I test the connection to Active Directory with a "cannot resolve address" errors.

From ACS console I can ping the name on the DC and like wise from the DC to the ACS.

When I do a capture of the DNS transaction it seems to prepend _ldap_.tcp (or _ldap._tcp) to the domain name

which the DNS server responds to as unknown.

No doubt this is a Win2003 DNS issue but has anyone seen this before and resolved it ?

The DC is the only one and is also my DNS server.

Thanks, Stephen.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Ziliotto
Cisco Employee
Cisco Employee
In response to StevieOliver_2

‎01-12-2011 06:02 AM

Thanks Stephen, glad that it worked out somehow...

If you'd still like us to try making some sense out of black magic ;-) feel free to attach the logs collected while you recreated the issue, before it started working.

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Federico Ziliotto
Cisco Employee
Cisco Employee

‎01-12-2011 03:29 AM

Hi Stephen,

Can ACS really resolve the address of the domain you are configuring?

You could verify this through the command line with

nslookup

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

0 Helpful

Go to solution
StevieOliver_2
Level 1
Level 1
In response to Federico Ziliotto

‎01-12-2011 03:37 AM

Fede

The ACS can resolve the domain.  I have done this on the ACS console

nslookup domainname.local where I replace domainname with my domain

And it responds with the DC address correctly.

Stephen.

0 Helpful

Go to solution
Federico Ziliotto
Cisco Employee
Cisco Employee
In response to StevieOliver_2

‎01-12-2011 05:15 AM

Thank you Stephen,

Apologies if I ask this one at a time, but would it be possible to also perform the inverse lookup for the IP address of the DC?

nslookup

In this way, we should verify whether PTR records exist for the queried names on the DNS server: it's a common scenario in AD deployments and it's normal practice to configure these manually, because the AD wizard will not do it automatically, nor will auto registration.

Could you please confirm that also PTR records on the DNS server are created for the IP of the DC?

http://technet.microsoft.com/en-us/library/cc722542.aspx

If none of these steps would further help, we may need to take a looks at the ACS logs:

1. Please log in to the ACS GUI and enable the DEBUG logging level for the module "AAA Diagnostics", under

System Administration > Configuration > Log Configuration > Logging Categories > Global

2. Also, please log in to the ACS command line and enable the following debugs:

admin# acs-config

Escape character is CNTL/D.

Username:

Password:

acsadmin(config-acs)# debug-adclient enable

acsadmin(config-acs)# debug-log runtime debug

3. Please recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under

Troubleshooting > ACS Support Bundle

Please be sure of collecting the support bundle while checking the following options:

Include full configuration database = Unchecked

Include debug logs = All

Include local logs = All

Include core files = All

Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Also, please communicate me the time stamp when the issue is observed, so that I can track it faster in the logs.

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Go to solution
StevieOliver_2
Level 1
Level 1
In response to Federico Ziliotto

‎01-12-2011 05:57 AM

Fede

Very strange thing happened.

I was able to do the reverse lookups.  I had previously configured these for the ACS and DC manually.

I was following your instructions for the log collecting.  As I was doing it I thought I'd try a test LDAP bind to the DC to see what happened and it worked 1st time.  So I set up the log collecting and went to the AD page and did a test connect again and it worked.  I hadn't changed anything on my DC or on the ACS.  The only difference is I am using Firefox this time and previously it was IE 8.

I can't understand what the difference is this time but it's working now.

Many thanks for the detailed input to the problem.

Stephen.

0 Helpful

Go to solution
Federico Ziliotto
Cisco Employee
Cisco Employee
In response to StevieOliver_2

‎01-12-2011 06:02 AM

Thanks Stephen, glad that it worked out somehow...

If you'd still like us to try making some sense out of black magic ;-) feel free to attach the logs collected while you recreated the issue, before it started working.

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

0 Helpful
Customers Also Viewed These Support Documents