Core issue
This problem occurs due to the presence of Cisco bug ID CSCef34765.
When Cisco Secure Access Control Server (ACS) for Microsoft Windows version 3.3 has two Lightweight Directory Access Protocol (LDAP) external databases (DBs) listed in this DB order:
Authentication works if the user belongs to LDAP-1. However, if the user belongs to LDAP-2, ACS does not start to query LDAP-2.
The AUTH.log shows this output:
AUTH IAttempting authentication for Unknown User 'XX'
AUTH IExternal DB [DServDll.dll]: Starting PAP AuthUser
AUTH IExternal DB [DServDll.dll]: Comparing domain name "yy" user name XX' case insensitive
AUTH IExternal DB [DServDll.dll]: Domain qualifier section did not match.
AUTH IExternal DB [DServDll.dll]:External DS User XX@ZZ PW [----]
failed authentication: fffff7fc
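To triage a larger AUTH.log for the same sequence, the following added example (not Cisco's code and not part of the original page) groups lines by authentication attempt and reports attempts where the domain qualifier mismatch is followed by a failure and no external DB module other than DServDll.dll was logged. It assumes log lines shaped like the excerpt above; the second attempt in the sample, the module name SecondDb.dll and the code 00000001 are constructed.

```python
import re

# Constructed sample: the first attempt copies the excerpt above; the second
# attempt (user2, SecondDb.dll, code 00000001) is hypothetical.
SAMPLE_LOG = """\
AUTH IAttempting authentication for Unknown User 'XX'
AUTH IExternal DB [DServDll.dll]: Starting PAP AuthUser
AUTH IExternal DB [DServDll.dll]: Comparing domain name "yy" user name XX' case insensitive
AUTH IExternal DB [DServDll.dll]: Domain qualifier section did not match.
AUTH IExternal DB [DServDll.dll]:External DS User XX@ZZ PW [----]
failed authentication: fffff7fc
AUTH IAttempting authentication for Unknown User 'user2'
AUTH IExternal DB [DServDll.dll]: Domain qualifier section did not match.
AUTH IExternal DB [SecondDb.dll]: hypothetical line from a second database
failed authentication: 00000001
"""

ATTEMPT = re.compile(r"Attempting authentication for Unknown User '([^']*)'")
MODULE = re.compile(r"External DB \[([^\]]+)\]")
FAILED = re.compile(r"failed authentication:\s*([0-9a-fA-F]+)")
MISMATCH = "Domain qualifier section did not match"

def split_attempts(text):
    """Group log lines under the 'Attempting authentication' line that precedes them."""
    attempts, current = [], None
    for line in text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            current = {"user": m.group(1), "lines": []}
            attempts.append(current)
        elif current is not None:
            current["lines"].append(line)
    return attempts

def find_stalled_attempts(text):
    """Return (user, failure_code) for attempts that failed after the mismatch
    with DServDll.dll as the only external DB module logged."""
    hits = []
    for attempt in split_attempts(text):
        body = "\n".join(attempt["lines"])
        failed = FAILED.search(body)
        modules = set(MODULE.findall(body))
        if MISMATCH in body and failed and modules == {"DServDll.dll"}:
            hits.append((attempt["user"], failed.group(1)))
    return hits

if __name__ == "__main__":
    for user, code in find_stalled_attempts(SAMPLE_LOG):
        print(f"user {user!r}: failed with {code}, no second database queried")
```

Real AUTH.log files may interleave concurrent attempts, in which case the grouping step needs a session or thread identifier instead of line order.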
Resolution
As a workaround, first check whether more than one database is included in the Selected Databases list on the Unknown User Policy page.
If so, change the order of the databases in that list so that the Windows database is not first.
This bug is fixed in Cisco Secure ACS for Windows version 3.3.2.
To download Cisco Secure ACS for Windows version 3.3.2, use the TAC Service Request Tool to open a case with Cisco Technical Support.