ACS 4.2 multiple AD domain authentication

I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log. I think it's an AD issue but i can't know for sure as i'm not a windows guy, any suggestions?

Hi Jeremy,
The 2003 box where you have installed ACS, is this server part of both domains which you wanted the users to be autheticated?
Have you enabled the dial in permission on the ACS as well as per the screenshot below?
Regards
Najaf
Please rate when applicable or helpful !!!

Similar Messages

  • Cisco ACS 5.3 multiple AD domains

    Hello everyone
    I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
    Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
    Thanks,
    Markus

    Markus,
    If you are using peap mschapv2 then you can not use LDAP.
    Here is the link when it comes authentication protocol and database support -
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase.html#wp1014889
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • In RSA Authentication Manager 7.1, how create multiple security domains

    Hi,
    RSA Authentication Manager 7.1 in configured with LDAP(Sun java system directory server); how create multiple security domains 7.1, is this security domains is releted to LDAP?
    thanks

    I think what you need to do is create an identity sequence with RSA as the selection in
    Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

  • LDAP supporting multiple DNS domains

    I have an environment with multiple DNS domains, and am configuring a Directory server (DS 6.3.1) to centralize various OS configuration maps including user authentication. None of the DNS domains have unique data, so I'd like to do something like storing all the real data in one suffix, then somehow have all clients look to that primary suffix. I am aware that the Solaris Native LDAP client wants to bind to a nisDomainObject that matches its DNS domain. I'm just having a hard time believing that I really need to manage all those individual suffixes when they don't have unique data requirements.
    Take as an example the following domains to be supported: foo.example.com, bar.example.com, dev.example.com, qa.example.com, prd.example.com (no hosts are actually in "example.com", they are all in subdomains). Again, all share common configuration data, same user IDs, etc - no unique maps are required.
    I created a suffix, "dc=example, dc=com", set it up with idsconfig. All is well there.
    [A] My first thought is to bind all Solaris clients, regardless of their DNS domain, to the baseDN of "dc=example, dc=com" in order to avoid having a separate suffix for each DNS domain. I tried to do this using "-a defaultSearchPath=dc=example,dc=com" with ldapclient init, but it failed with an error indicating it wants to see the nisDomainObject of its real DNS domain.
    The second though I had, which I don't believe is possible, is to find some sort of a LDAP equivalent of a symbolic link so that I could actually have an object for each DNS domain, but it would simply point back to "dc=example,dc=com". I can't find anything in the documentation which suggests this is possible, but I'd love to be wrong!
    [C] Perhaps this could be somehow done with a rats nest of SSDs, but that really seems unwieldy, right? I plan on using a fair amount of the available objects, so it would be many SSDs per suffix. Yuck.
    Can anyone comment on my above thoughts, or provide how they would go about supporting multiple DNS domains that have common configuration data?
    Thank you,
    Chris

    Ok, I answered my own question. Turns out it's pretty easy. Just use the "-a domainName=example.com" option with `ldapclient` then make sure that the FQDN of the LDAP server is available (or use its IP address). My problem was that the ldapclient overwriting nsswotch.conf was clobbering the SSL session because I used the FQDN which couldn't resolve.
    This leaves an interesting condition of having the output of "domainname" not match the DNS domain. I'm testing now to see if this causes any unexpected issues with our environmnet, but I suspect it's not a problem.

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
    around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
    appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
    Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
    Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
    Friendly URL option 3 from this page:
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    Client auto-configuration:
    i.     
    Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
    ii.     
    Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
    iii.     
    Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
    HTTPS.
    If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
    to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
    to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
    rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
    domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.

  • ACS 4.2.1 - PEAP Machine Authentication - Hostname different from PC account name in AD

    Hello!
    I don't really know, whether this issue has been asked before.
    I have to configure PEAP Authentication with ACS 4.2.1 for Windows against Active Directory.
    ACS ist Member of AD Domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
    Hosts get via DHCP a hostname as dhcp.domainname. This also is the name the machine uses for AAA request.
    User authentication works fine, because the user account also is hosted in xyz.domainname.
    The host authentication fails, because dhcp.domainname is a DNS domain only but no Windows AD subdomain.
    Does anybody knows a solution for this special constellation?
    Is it possible to strip or rewrite the domain suffix in any way during the authentication process?

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Hello Jean,
    I am guessing that you are using 802.1x wireless.
    This is a expected behaving because the AD force the computer to change his password every month and if the computer is not on the domain at that moment the computer won't take that change.
    This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
    Please see links below that explain this situation.
    http://support.microsoft.com/kb/216393/en-us
    http://support.microsoft.com/kb/904943
    Hope this helps
    Erdelgad
    Cisco CSE

  • ACS 4.0 to NT Domain with NTLMv2 problem.

    I am trying to authenticate users from a VPN Concentrator (3030) to our NT Domain. We are not running AD yet but we are required to use NTLMv2 authentication on the Domain.
    I want to use ACS4.0 to authenticate Radius w/Expiry from the VPN concentrator and let ACS handle the NTLMv2 part.
    In ACS I have defined my Domain in the External Users Database, I have defined the Unknown User Policy to use the Windows Database, and I have defined the Group Mapping to point to the default group.
    When I run the Authentication test from the VPN setup screen I get a failed request.
    In the CSAuth log I am getting:
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    With NTLMv2 turned off and running ACS 3.2 this setup is working (My production network) My only reason for upgrading to ACS4.0 was the NTLMv2 portion.
    Does anyone have any advise? thanks!

    Please make sure you read this Field Notice:
    http://www-tac.cisco.com/Support_Library/field_alerts/fn62167.html
    Note that, despite the Windows URL mentioning only 2003 server, the 2000 server also supports NTLMv2. Therefore, the following scenarios apply:
    - DC on Win 2003 SP1 - don't require any hotfix since it's included in SP1
    - DC on Win 2000 SP4 - don't require any hotfix since it's included in SP4
    - DC on Win 2003 - require hotfix KB893318

  • Configuring Multiple LDAP Domains

    I am having trouble configuring multiple ldap domains for declarative security and form-based authentication.
    I have setup another instance of Directory Server on my local machine, on a different port. I want to be able to talk to this alternate directory server for form-based authentication and roles.
    I have tried to do this by following the instructions at http://docs.iplanet.com/docs/manuals/ias/60/sp3/admin/adbasica.htm#21662, but I've had no luck. Below are screenshots of my configuration. (I've attached a word document in case you don't have a HTML-enabled mail reader).

    My screenshots were wrong in the e-mail below, but correct in the attached word doc.
    ----- Original Message -----
    From: Matt Raible
    Newsgroups: iplanet.ias.general
    Sent: Wednesday, August 22, 2001 7:05 AM
    Subject: Configuring Multiple LDAP Domains
    I am having trouble configuring multiple ldap domains for declarative security and form-based authentication with iPlanet Application Server 6.0, SP3.
    I have setup another instance of Directory Server on my local machine, on a different port. I want to be able to talk to this alternate directory server for form-based authentication and roles.
    I have tried to do this by following the instructions at http://docs.iplanet.com/docs/manuals/ias/60/sp3/admin/adbasica.htm#21662, but I've had no luck. Below are screenshots of my configuration. (I've attached a word document in case you don't have a HTML-enabled mail reader).

  • Domain authentication with mac address restrictions

    I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
    WLAN1 with SSID1: for company computers and laptops
    WLAN2 with SSID2: for ipads and tablets
    WLAN3 with SSID3:  for guests
    I am asked to configure WLAN2 as “WLAN2: Provides the Wi-Fi connectivity to ipads and tablets, with back end security using domain authentication with mac address restrictions.

    You would need to create a seperate policy and be able to have a seperation between the two policies... It's kind of hard to explain, but you would have for example:
    Policy 1:
    Wireless user on this SSID WLAN1
    AD on this AD Group (Machine)
    Policy 2:
    Wireless user on this SSID WLAN 2
    AD on this AD Group (USer)
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Multiple DNS Domain support in Single instance of Portal

    Can BEA portal support multiple DNS domains in a single instance of BEA Portal.
    For example can I setup portal to respond as bothe www.xxx.com and www.yyy.com
    and keep those urls as trhough the entire portal?

    Hi,
    thanks for your quick response. You mean we should run only one copy of the package I mentioned and seperate the plants and machines by logic implemented in the package? Well, I think this is critical in case of deploying a new version, since all machines at all sites won't have the system available at the same time. At the moment we do not have things in the system that are needed to go on with production, but we have planned to implement some things that will be indispensable and in this stage we need a clear seperation of the plants to minimize the risk of a simultaneous stand at all plants.
    Thanks for your suggestion and best regards,
    Matthias

  • CUPS 8.6 - Supporting Multiple SIP Domains on a per-user basis

    Working on a CUPS 8.6 PoC with a customer who currently is running a deployed OCS environment. 
    Users all sign into a single domain internally but have multiple SMTP domains for email as this customer has many different companies they have aquired.
    OCS  is able to support and route multiple SIP domains by specifing the SIP address under AD User settings such that two users both signed into the same OCS server can send IM's to each other even though they have different SIP addresses.  sip:[email protected] , sip:[email protected]
    CUPS on the other hand does not seem to allow this on a per-user basis.  It places every user in the sip domain that the server is a member of.
    The Jabber client allows you to specify a domain but I am not how this is used as the actual user account in CUPS is only ever the one domain and if you try and specify a different domain in the Jabber Connection Settings, it will not allow you to login.
    It is not a big deal for internal communications if everyone is on the same domain, but where it is important is for future B2B IM.  Users need to be able to give out THEIR IM address with THEIR respective domain.
    Does anyone else know for a fact that I will only be able to have one domain per CUP cluster?
    Any thoughts on this design?

    Not sure on the design perspective but as for CUPS Domain, we can only have single domain per cluster. As you have already found out that for any user licensed for CUPS, their IM address would be userid@CUPSDomain
    CUPS does have funtionality of federating with foreign domains such as AOL/GoogleTalk/WebEx Connect.

  • How to delete multiple data domains with single step ?

    how to delete multiple data domains with single step ?

    You can go to your Endeca-Server domain home e.g.($WEBLOGIC-HOME$/user_projects/domains/endeca_server_domain/EndecaServer/bin)
    run
    [HOST]$ ./endeca-cmd.sh list-dd
    default is enabled.
    GettingStarted is enabled.
    endeca is enabled.
    BikeStoreTest is enabled.
    create a new file from the output just with the domains that you want to delete and then create a loop
    [HOST]$ vi delete-dd.list
    default
    GettingStarted
    endeca
    BikeStoreTest
    [HOST]$ for i in $(cat delete-dd.list); do; ./endeca-cmd.sh delete-dd $i; done
    Remember that this can not be undone, unless you have a backup.

  • HP LaserJet M5035 MFP - Domain authentication - Mac OS 10.6.3

    Hi,
    I am using HP LaserJet M5035 MFP and there were many discussions about this. However, I am facing a new problem that I am using a domain authentication. So the smb syntax:
    smb://username:password@workgroup/server/sharename
    does not work with me.
    I tried to use the syntax:
    smb://domain/username:password@domain/server/sharename
    but it is a wrong syntax. I do not know how to provide my domain account in the smb syntax. I would appreciate if you can show me how to use the domain authentication in smb.
    Thank you.
    An.

    Hi Mirre,
    Welcome to the HP Forums.
    I see that you are having issues scanning on the 10.6. You have no scan function in the HP Director software.
    I will be happy to help you.
    I have provided a document for how to scan with Apple software to see if you have the same results.
    How to Scan: OS X v10.7.
    Disregard the title.
    Select Scan without HP software. Select Method three.
    If you didn't run through the fax software during the initial install it won't allow you to scan. (even if you aren't using the fax you have to run it)
    If your not sure go ahead and run the fax setup assistant.
    Close all applications.
    On the Apple menu bar click Go, applications, Hewlett Packard, device utility, open the HP setup assistant and run it.
    You should also have one listed as HP Scan to try and run it.
    On the Apple menu bar click Go, applications, Hewlett Packard, open the HP Scan and try to scan.
    Now try and scan again.
    Please provide in detail the results if you are still having issues.
    How is the printer connected? (USB/Ethernet)
    Were you able to scan from Apple's software?
    Did you run the setup assistant and were you able to scan?
    What is the full name and product number of your printer? How Do I Find My Model Number or Product Number?
    Is this the Laserjet Pro M1536?
    Thank you for posting on the HP Forums.
    Have a great day.
    Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
    Click the “Kudos Thumbs Up" on the right to say “Thanks” for helping!
    Gemini02
    I work on behalf of HP

  • Windows domain authentication on Oracle Secure Global Desktop

    Hello,
    I made an upgrade of my oracle secure global desktop 4.62 version to 5.1 version.
    The problem is, I was using Windows Domain Authentication in 4.62 and this kind of authentication is not available in the 5.1 version.
    So now, my users cannot log in the application.
    Do you have a solution ?
    Thanks

    What are you authenticating to specifically?  An AD server?  Are you using any of the supported authentication mechanisms now supported?
    http://docs.oracle.com/cd/E41492_01/E41495/html/sgd-authentication.html#system-authentication-mechanisms-table

  • Website hosted in particular windows server prompting continuous domain authentication

    Hi
    There are 2 domains A & B .In domain A, there are few websites hosted in 4 windows servers identical in software and hardware configurations ....mean to say in IIS Managers , all the settings are same.I am not aware of IIS technically. but all the settings
    visually are the same.
    The problem 2 days before happened the Domain B users (except 2 users)are continuously prompted for the domain authentication when they try to access this website through the URL which they always use when the URL hits one particular server out of these
    4 windows 2008 R2 servers
    The sharepoint site admin cut a ticket to Windows team with the comment : Check this BAD Windows server
    Error posted is :
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/14/2015 8:14:04 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      xxxxxx
    Description:
    An account failed to log on.
    Subject:
                    Security ID:                         NULL SID
                    Account Name:                 -
                    Account Domain:                             -
                    Logon ID:                             0x0
    Logon Type:                                       3
    Account For Which Logon Failed:
                    Security ID:                         NULL SID
    Account Name:
                    Account Domain:                             xxxxxxxx
    Failure Information:
    Failure Reason:                                The user has not been granted the requested logon type at this machine.
                    Status:                                  0xc000015b
                    Sub Status:                         0x0
    Process Information:
                    Caller Process ID:             0x0
                    Caller Process Name:     -
    Network Information:
                    Workstation Name:        xxxxxxxxxxxxxxx
                    Source Network Address:            xxx.xxx.xxx.xxx
                    Source Port:                       53827
    Detailed Authentication Information:
                    Logon Process:                  NtLmSsp
                    Authentication Package:               NTLM
                    Transited Services:          -
                    Package Name (NTLM only):       -
                    Key Length:                        0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or
    Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
                    - Transited services indicate which intermediate services have participated in this logon request.
                    - Package name indicates which sub-protocol was used among the NTLM protocols.
                    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    If the problem existed in this particular server, how those exceptional 2 users are having the access.I agree they are the sharepoint admins...
    How and where to check the investigation?
    Thanks & Regards S.Swaminathan Live & let others live!!!

    Hi,
    >>The problem 2 days before happened the Domain B users (except 2 users)are continuously prompted for the domain authentication
    Based on the description, we can check the following article to see if it's helpful.
    Troubleshooting: I Keep Getting Prompted for a User Name and Password
    https://msdn.microsoft.com/en-us/library/cc750194.aspx
    Besides, for this question, in order to get better help, we can ask for suggestions in the following two forums.
    IIS Forum
    http://forums.iis.net/
    SharePoint Forum
    https://social.technet.microsoft.com/Forums/office/en-US/home?category=sharepoint
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Maybe you are looking for