12081 Views, 74 Helpful, 34 Replies

ACS 5.3 and AD domain trust

kamarale (Level 1)

Hello, I'm having this problem:

I have 2 AD domains in 2 different forests (i.e. domain1.com and domain2.com) and they were configured to trust each other (two-way trust).

In the AD environment it works great.

The problem is that in ACS, which is integrated with domain1.com, I can't see the groups of the other domain, domain2.com.

If I look for them under Directory Groups they don't appear, and if I put them in manually in Group Name (with the syntax domain2.com/Users/GroupX) and then add them with the Add button, I am able to add them and to use them in policies, but they don't work (I get errors and nothing is authenticated).

I'm using ACS version 5.3.0.40.5 and Windows 2003 Server Enterprise Edition.

I've read this post

https://supportforums.cisco.com/thread/2064843

but I couldn't make it work.

If someone knows how I can get this working I will really appreciate it.

Thanks in advance.

Regards.

Accepted Solution (Tarik Admani):

Let me know if there is anything else I can help you with and how everything is going.

Thanks,

Tarik Admani
*Please rate helpful posts*

34 Replies

Tarik Admani (VIP Alumni)

Please use this guide for reference when configuring trusts between the forests. It seems that authentication works fine when using transitive trusts, but SID filtering may be in the picture since you can query for groups. Please do some research regarding the effects of disabling SID filtering, but for the most part this seems to be what you are facing.

http://technet.microsoft.com/en-us/library/cc755427%28v=ws.10%29.aspx

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello, thanks for the reply.

I had configured a forest trust type, and that did not work. So I changed the trust type to external trust and it started to work perfectly.

Is there a limitation in the ACS that it does not support forest trusts?

Thanks.

Yes, the reason is that the ACS uses Kerberos instead of NTLM for authentication. With forest trusts only NTLM is supported; with an external trust you can use Kerberos.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the quick reply.

Where does Cisco say that? Do you have some link?

Regards.

No problem, you are welcome.

I haven't seen this mentioned in the Cisco documentation; it's something I have come across while working on trust types and what the ACS uses for authentication.

Tarik Admani
*Please rate helpful posts*

One more question: the two domains are going to have different hours (they are in separate countries).

How do I handle this? Should I point the two domain controllers to the same NTP source and set the correct time zone on each DC?

Thanks.

As long as you point to a trusted NTP source which gives you an accurate GMT reference, the ACS and the domain controllers will use their time zone setting to offset this value locally. Kerberos should use the GMT value as the basis for its operation.

For more information - http://social.technet.microsoft.com/Forums/ta/winserverNIS/thread/5231d52d-cf78-4685-b1a2-c39dcb767427

Thanks,

Tarik Admani
*Please rate helpful posts*
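The point of the reply above is that Kerberos compares the UTC instant behind each host's clock, not the wall-clock reading, so two correctly synced hosts in different zones have zero skew while a host whose zone is misconfigured fails the default tolerance. The following is an added example to illustrate that check; it is not code from the thread or from Cisco ACS. It assumes the 5-minute default maximum skew (the MIT krb5 and Windows default) and uses constructed timestamps in place of the output of `show clock` on the ACS and `w32tm` or `date` on the DCs.

```python
"""Kerberos clock-skew check across hosts in different time zones (added example)."""
from datetime import datetime, timedelta, timezone

# Assumption: the default Kerberos maximum tolerated clock skew of 5 minutes.
MAX_SKEW = timedelta(minutes=5)


def parse_stamp(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a UTC offset and normalise it to UTC.

    A timestamp without an offset is rejected: a naive local reading cannot be
    compared with a reading from a host in another zone.
    """
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"timestamp lacks a UTC offset: {stamp!r}")
    return dt.astimezone(timezone.utc)


def clock_skew(a: str, b: str) -> timedelta:
    """Absolute difference between two readings, measured on the UTC instant."""
    return abs(parse_stamp(a) - parse_stamp(b))


def skew_ok(a: str, b: str, max_skew: timedelta = MAX_SKEW) -> bool:
    """True when the two hosts are close enough for Kerberos to accept each other's tickets."""
    return clock_skew(a, b) <= max_skew


# Constructed sample readings (not taken from the thread): the ACS in a UTC-3
# country and a domain controller in a UTC+1 country.
SAMPLES = {
    # Both NTP-synced: wall clocks differ by 4 hours, UTC instant is identical.
    "synced_different_zones": ("2012-03-15T10:00:00-03:00", "2012-03-15T14:00:00+01:00"),
    # DC has no NTP and has drifted 7 minutes: exceeds the 5-minute tolerance.
    "drifted": ("2012-03-15T10:00:00-03:00", "2012-03-15T14:07:00+01:00"),
    # DC wall clock was set by hand to look right, but its zone is still UTC+1
    # after being moved to the UTC-3 country: the UTC instant is 4 hours off.
    "wrong_zone": ("2012-03-15T10:00:00-03:00", "2012-03-15T10:00:00+01:00"),
}


def check_all(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether its pair of readings passes the skew check."""
    return {name: skew_ok(a, b) for name, (a, b) in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in SAMPLES.items():
        print(f"{name:24s} skew={clock_skew(a, b)} ok={skew_ok(a, b)}")
```

Only the last case is subtle in practice: the DC's local time looks correct to an administrator, yet every ticket it issues is rejected, which is why the time zone on each host must match the zone its clock is actually set in, with all hosts chained to the same NTP reference.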


Thank you very much for your support.

Dear all,

Hope you can help me with an issue I am facing on migration from Cisco ACS 4.1.24 to Cisco ACS 5.3.0.40

and testing RADIUS authentication for VPN client users.

The authentication method used is external Active Directory, and for some users authenticating to the external AD via ACS the following message is obtained:

"15039 Selected Authorization Profile is DenyAccess", which results in an auth failure.

Other users in the same AD group seem to work fine, and no changes have been performed on the AD for any of the concerned users.

Looking at the detail report for the user confirms that no attributes are returned to the RADIUS server (under the "other attributes" field) from the external server. The RADIUS server also returns the following messages:

"24412 User not found in Active Directory"

"22056 Subject not found in the applicable identity store(s)"

Within the ACS identity sequence in the ID store, the sequence is set to match on AD first and then internal users. The identity for the default network profile (for RADIUS users) is configured to the general sequence. The same user(s) seem to work fine when switched to ACS 4.

We are also looking at a possible NTP sync issue between the ACS and AD, any NTLM/Kerberos auth issues, or any issues related to applying the latest ACS patch to the box.

Any help will be appreciated.

Thanks and Regards.

Hi,

You will need to troubleshoot this a little deeper. I don't think that NTP is an issue, because you would see errors in the AD configuration page if it showed disconnected.

However, please install the latest patch; there were some AD issues with the 5.3 code that have been resolved in the most recent patches. Please try again afterwards.

Also, while you are in the AD settings page there is a tab for "Directory Attributes". Please type in the user account that isn't found in the authentication report and see if you can pull any attributes in the page. If you get the error, then try your user account and see if it pulls the attributes.

Then we can start to see what the problem is.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks very much for the quick response. When I try to enter the failed user and select the attributes, it prompts me to select a number of them, which means the attributes are being returned for the failed user? Some of the attributes are 1) CN, 2) DN, 3) member of, etc.

Best Regards.

Just to continue with my previous message: when I try an unknown user in the Directory Attributes tab, it comes up with a "No data to display" screen.

Thanks and Regards,

Mohan

Can you please copy and paste the output from the ACS report. Also please try installing the latest patch and see if that resolves your issue.

Thanks,

Tarik Admani
*Please rate helpful posts*