ACS appliance 4.1 - machine authentification from trusted Domain failed

Similar Messages

• Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

  Hi,
  SharePoint 2010 Backup has been taken from production and restored through Semantic Tool in one of the server.The wepapplication of which the backup was taken is working fine.
  But the problem is that the SharePoint is not working correctly.We cannot create any new webapplication ,cannot navigate to the ServiceApplications.aspx page it shows error.Even the Search and UserProfile Services of the existing Web Application is not working.Checking
  the SharePoint Logs I found out the below exception
  11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Database                     
   8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
  11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Topology                     
   2myf Medium   Enabling the configuration filesystem and memory caches. 
  11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Database                     
   8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
  11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Topology                     
   2myf Medium   Enabling the configuration filesystem and memory caches. 
  11/30/2011 12:14:55.54  mssearch.exe (0x0864)                    0x2B24 SharePoint Server Search       Propagation Manager          
   fo2s Medium   [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes)  [indexpropagator.cxx:1607]  d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx 
  11/30/2011 12:14:55.99  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
   75dz High     The SPPersistedObject with
  Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
  domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
  sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()    
  at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip... 
  11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
   75dz High     ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
  at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
  persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) 
  11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
   8xqx High     Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.   
  11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
   2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
  sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
  targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
  T denyRightsMask)     at Microsoft.SharePoint.Administrati... 
  11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
   2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()    
  at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
  id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
  currentVe...
  Please guide me on the above issue ,this will be of great help
  Thanks.

  I have same error. Verified for trust , ports , cleaned up cache.. nothing has helped. 
  The problem is caused by User profile Synch Service:
  UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
  The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
  Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
  targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
  identifier, T grantRightsMask, T denyRigh...        
  08/23/2014 13:00:20.96*        w3wp.exe (0x2204)                      
          0x293C        SharePoint Portal Server              User Profiles                
          eh0u        Unexpected        ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
  at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
  Please let me know if you any solution found for this?
  Regards,
  Kunal  

• Acs 4.2 PEAP machine authentification wireless

  Hi,
  here at work, we have acs 4.2 as our radius server, and 2 wlc 4404 with a wism2 for our wireless network. we have 2 SSID network, lets call them SSID A and B. A have a more restricted access to server than B.
  PEAP machine authentification is authorize on both network, to let our users laptop connect before the user login, this enable us to have our computer gpo deploy before the user logon, or have network access to authenticate a user to our directory if he had not logon previously on the laptop.
  Users from group A can't logon to SSID B, they can only logon to SSID A, but we have some clever users from group A who have change they wireless setting to only send machine authentification (this can be done in the advance setting of a wireless network in windows 7) to connect to SSID B
  We can't force the wireless config by GPO because we don't have an ad 2008 domain, we are still in 2003 soo we can't change the gpo for windows 7 wireless setting (I'm a network guy, I'll have to check more on this to be sure...)
  I can't force user to require machine authentification and user authentification because we have a lot of ipad and iphone, and other mobile device that connect using only their user credentials.
  Is there a way I could configure this without having to disable machine authentification for SSID B?
  thank you

  hi thank you for the quick answer,
  however we don't have machine access restriction, in the windows eap setting we only have enable PEAP machine authentification.
  this is ok because we want our notebook to be able to have access to the wifi (for gpo) before the user logon and we want any user to be able to use their own device. we are a educationnal institute, we don't want to force the teachers and student to only use the equipement we provide we want to give them more power over their choice of equipement.
  SSID A is the student network, and SSID B is the teachers network.
  the problem we have is some student use their active directory joined computer to get access to the SSID B. If they use their user credentials they won't have access. and as user bring their own device we can't force an peap machine authentification because students and teachers are allowed to BYOD.
  is there a way to restrict machine  (let's say in an OU) access to an SSID?

• Full mailbox access from trusted domain

  I have an issue with users unable to login to OWA or ActiveSync using trusted domain credentials. I have two forests, FOREST A and FOREST B. I have a 2-way forest trust between them. I have migrated users from FOREST A to FOREST B, but their mailboxes need
  to stay in FOREST A for the time being.
  I have added Full Mailbox access for their FOREST B accounts, as well as Send As permission.
  Outlook accesses their mailboxes no problem, with no security credential prompts. Sending is also fine. However, OWA and ActiveSync will not accept their FOREST B login credentials, I get the following error:
  The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted,
  or because you don't have the correct permissions.
  I have a single Exchange 2010 SP2 server in FOREST A. All roles are on this server.
  Why would Outlook clients work but OWA and ActiveSync are failing? Things I have checked:
  DNS suffixes for trusted and trusting domain are set on the Exchange Server
  Trust is in place and functional
  Outlook clients work fine using FOREST B accounts
  Changed OWA authentication options between UPN / Domain\User / logon name only - no options worked
  Checked time sync between DC's and Exchange
  Any ideas?? Thanks.

  HiBobby4300,
  Great checklist from Martin.
  Please try following links to set the msExchMasterAccountSID attribute in the Active Directory Account Forest, for your reference:
  http://www.msexchange.org/articles-tutorials/exchange-server-2003/management-administration/Understanding-External-Associated-Account-Windows-Server-2003-Exchange-2003.html
  Additional, the best way is to configure linked mailboxes. This is a mailbox associated with an external account. More details about
  Create a Linked Mailbox, please refer to:
  http://technet.microsoft.com/en-us/library/bb123524(v=exchg.141).aspx
  Best regards,
  Allen Wang

• ISE 1.1 - 24492 Machine authentication against AD has failed

  We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
  Authentication Summary
  Logged At:
  March 11,2015 7:00:13.374 AM
  RADIUS Status:
  RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
  NAS Failure:
  Username:
  [email protected]
  MAC/IP Address:
  00:26:82:F1:E6:32
  Network Device:
  WLC : 192.168.1.225 :  
  Allowed Protocol:
  TDS-PEAP-TLS
  Identity Store:
  AD1
  Authorization Profiles:
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
   Authentication Result
  RadiusPacketType=Drop
   AuthenticationResult=Error
   Related Events
   Authentication Details
  Logged At:
  March 11,2015 7:00:13.374 AM
  Occurred At:
  March 11,2015 7:00:13.374 AM
  Server:
  ISE-TDS
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  [email protected]
  RADIUS Username :
  host/LENOVO-PC.tdsouth.com
  Calling Station ID:
  00:26:82:F1:E6:32
  Framed IP Address:
  Use Case:
  Network Device:
  WLC
  Network Device Groups:
  Device Type#All Device Types,Location#All Locations
  NAS IP Address:
  192.168.1.225
  NAS Identifier:
  WLC-TDS
  NAS Port:
  4
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:
  TDS-PEAP-TLS
  Service Type:
  Framed
  Identity Store:
  AD1
  Authorization Profiles:
  Active Directory Domain:
  tdsouth.com
  Identity Group:
  Allowed Protocol Selection Matched Rule:
  TDS-WLAN-DOT1X-EAP-TLS
  Identity Policy Matched Rule:
  Default
  Selected Identity Stores:
  Authorization Policy Matched Rule:
  SGA Security Group:
  AAA Session ID:
  ISE-TDS/215430381/40
  Audit Session ID:
  c0a801e10000007f54ffe828
  Tunnel Details:
  Cisco-AVPairs:
  audit-session-id=c0a801e10000007f54ffe828
  Other Attributes:
  ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
  Posture Status:
  EPS Status:
   Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12809  Prepared TLS CertificateRequest message
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12571  ISE will continue to CRL verification if it is configured for specific CA
  12571  ISE will continue to CRL verification if it is configured for specific CA
  12811  Extracted TLS Certificate message containing client certificate
  12812  Extracted TLS ClientKeyExchange message
  12813  Extracted TLS CertificateVerify message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12509  EAP-TLS full handshake finished successfully
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  Evaluating Identity Policy
  15006  Matched Default Rule
  24433  Looking up machine/host in Active Directory - [email protected]
  24492  Machine authentication against Active Directory has failed
  22059  The advanced option that is configured for process failure is used
  22062  The 'Drop' advanced option is configured in case of a failed authentication request
  But the user can authenticated by EAP-TLS
  AAA Protocol > RADIUS Authentication Detail
  RADIUS Audit Session ID : 
  c0a801e10000007f54ffe828
  AAA session ID : 
  ISE-TDS/215430381/59
  Date : 
  March     11,2015
  Generated on March 11, 2015 2:48:43 PM ICT
  Actions
  Troubleshoot Authentication 
  View Diagnostic MessagesAudit Network Device Configuration 
  View Network Device Configuration 
  View Server Configuration Changes
  Authentication Summary
  Logged At:
  March 11,2015 7:27:32.475 AM
  RADIUS Status:
  Authentication succeeded
  NAS Failure:
  Username:
  [email protected]
  MAC/IP Address:
  00:26:82:F1:E6:32
  Network Device:
  WLC : 192.168.1.225 :  
  Allowed Protocol:
  TDS-PEAP-TLS
  Identity Store:
  AD1
  Authorization Profiles:
  TDS-WLAN-PERMIT-ALL
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
   Authentication Result
  [email protected]
   State=ReauthSession:c0a801e10000007f54ffe828
   Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
   Termination-Action=RADIUS-Request
   cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
   MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
   MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
   Airespace-Wlan-Id=1
   Related Events
   Authentication Details
  Logged At:
  March 11,2015 7:27:32.475 AM
  Occurred At:
  March 11,2015 7:27:32.474 AM
  Server:
  ISE-TDS
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  [email protected]
  RADIUS Username :
  [email protected]
  Calling Station ID:
  00:26:82:F1:E6:32
  Framed IP Address:
  Use Case:
  Network Device:
  WLC
  Network Device Groups:
  Device Type#All Device Types,Location#All Locations
  NAS IP Address:
  192.168.1.225
  NAS Identifier:
  WLC-TDS
  NAS Port:
  4
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:

  Hello,
  I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
  Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

• Migrating from Windows to the ACS appliance

  I'm in the process of migrating ACS from Windows to an appliance. I did a recovery and I chose to restore the DBs and the system config. However, I'm getting emails from the appliance with the name of the old windows machine where ACS was running. I guess this a result of restoring the system config. Does anyone know how to configure the emails to be sent with the current appliance name? And it is not possible, how can I restore the appliance to factory defaults so I can do the recovery again only for the DBs? Many thanks,

  well ... the easy way out is to re-image the ACS appliance and then replicate between the Windows server and the appliance . This will replicate all your settings from the windows ACS to appliance except the external database configuration that you need to manually configure.
  Note : for replication both the ACS for windows and the appliance should be on the same version .

• ACS appliance setup help

  Network environment:
  - Windows 2003 with enterprise CA
  - Cisco ACS appliance 4.1.1.23
  - Cisco 1240 AG series APs
  Wireless clients:
  - Windows XP SP2
  Brief steps taken:
  - Installed Enterprise CA
  - Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.
  - Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
  - Generated certificate request from ACS (1024 key length).
  - Submitted server request from ftp server - Submit a certificate request using base 64…
  - Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
  - CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
  Brief cofig of ACS appliance
  Global config
  - PEAP -Selected “Allow EAP-MSCHAPv2”.
  - LEAP - Allow LEAP (For Aironet only)
  - Selected “Allow MS-CHAP Version 1 & 2 authentication
  - Added AAA client (AP) with shared secret with authentication using “Radius (Cisco Aironet)
  - Under External user DB//DB config/windows database, “Enable PEAP machine authentication” selected.
  1240 series AP config
  - Under Server Manager, ACS IP with shared secret entered as a Radius server.
  - Selected EAP authentication.
  - Under SSID Manager selected open Authentication with EAP & selected network EAP.
  - Under Encryption Manager selected WEP Encryption & mandatory.
  - Selected key 1 and entered 128 bit key
  Client (windows XP SP2 domain member) config
  - Connected to Enterprise CA web site, base64 encoding/download CA certificate
  and installed it in local computer store.
  - Under Network authentication selected open with WEP EAP type “protected EAP (PEAP)
  - Authenticate as a computer selected
  - Selected my CA under “Trusted Certification Authorities
  - Authentication method (EAP-MSCHAP V2)
  Errors:
  Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
  Or
  Computer doesn't have correct certificate
  Used 43486, 64067, 71929
  Any suggestions very much apretiated.

  ACS Agent is installed on two DC's as well and they are detected by ACS.
  Thanks

• LDAP authentication in AD (users from other trusted domain)

  Hi
  I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
  I use LDAP authentication in AD for authentication users (AnyConnect).
  Now, I need to authenticate few users from other trusted domain (DOMAINB.LOCAL).
  I do not want direct connect with the domain contoller in the trusted domain.
  My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
  But if I try to test aaa-server authentication from ASA
  I get error.
  I think, I must use username like "DOMAINB\userindomainb" but this not work.
  Help me please.
  Thanks!
  My config:
  aaa-server ADA protocol ldap
  aaa-server ADA (inside) host 10.0.0.1
   ldap-base-dn dc=domaina, dc=local
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
   server-type microsoft

  Hello!
  I see in console (debug LDAP):
  Request for [email protected] returned code (10) Referral
  Does ASA support authentication via LDAP referrals?
  I read old thread:
  https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
  And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
  But I use:
  Cisco Adaptive Security Appliance Software Version 9.2(3)
  Device Manager Version 7.3(3)
  Compiled on Mon 15-Dec-14 05:10 PST by builders
  System image file is "disk0:/asa923-smp-k8.bin"
  Thanks!

• ACS forwarding from untrusted domain 0x80090325 SEC_E_UNTRUSTED_ROOT

  I have SCOM 2012 R2 Update Rollup 4 installed with 2 management servers running WS12R2 in a single management group in my main AD domain. One of the management servers is also an ACS collector. I have an untrusted AD domain, with a SCOM gateway server in
  it, and I used the gateway to install a SCOM agent on a domain controller in that domain. Now I am trying to configure an ACS forwarder on that untrusted domain controller to talk to the ACS collector back on the management server.
  However, when I restart the
  Microsoft Monitoring Agent Audit Forwarding service on that domain controller, I get this error in its
  Event Viewer > Apps and Services > Operations Manager:
  1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
  <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: <IP>:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machinef(s)
  listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
  on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
  directory.
  I followed these two articles in order to set up the ACS forwarder on the DC in the untrusted domain: "How to configure security events collection by using Audit Collection Services from computers in untrusted environment?" {1/3/12}https://gefufna.wordpress.com/2012/01/03/how-to-configure-security-events-collection-by-using-audit-collection-services-from-computers-in-untrusted-environment/ "Forwarder
  is unable to connect to collector Event id 4369 in forwarder event view" {5/5/14}
  http://jimmy-scom.blogspot.com/2014/05/forwarder-is-unable-to-connect-to.html
  EXTRA INFO Here are the detailed steps that I took (sorry for all this, but there are an awful number of steps!):
  1) I confirmed that the agent for the DC shows as Healthy in OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (right) pane.
  2) On the ACS collector, I stopped
  Operations Manager Audit Collection Service, then from Admin cmd prompt I did this:
  c:> cd \windows\system32\security\adtserver
  c:> adtserver –c
  } 1 certificates found for server authentication usage.
  Enter the number of the certificate you want AdtServer to use for authenticating to AdtAgent or 0 to quit without saving: 1
  Certificate 1 selected. Attempting to save thumbprint to registry ...
  success.
  Then I started
  Operations Manager Audit Collection Service.
  3) On the DC in the untrusted domain, from Admin cmd prompt I did this:
  c:> cd c:\windows\system32
  c:> adtagent -c
  } No  Issued To                   Issued By                   Expires   
  Thumbprint
   1: <untrustedDCfqdn> <untrustedDomainCA>             2015-11-30 02:44:58    <thumbprint>
  2 certificates found for client authentication usage.
  Enter the number of the certificate you want AdtAgent to use for authenticating to AdtServer or 0 to quit without saving: > 1
  } Certificate 1 selected. Attempting to save thumbprint to registry… success.
  4) On the DC in the untrusted domain, I opened mmc > Certificates > Local Computer > Personal > Certificates > I exported the certificate from step 3 to a DER encoded binary X.509 (.CER) file.
  5) I also looked at the Certification Path for the certificate, and figured out which certificate is its Root CA certificate. I copied that certificate to a DER encoded binary X.509 (.CER) file.
  6) I copied the first .CER file to a computer in my main domain, which is at 2012 R2 level. From AD Users and Computers, I created a "dummy" computer object using the NetBios name of the DC back on the untrusted domain. I right clicked the computer
  object > Named Mappings > I added the .CER file, and left "Use Subject for alternate identity" checked. I unchecked "Use Issuer for alternate security identity".
  7) I copied the Root CA certificate .CER file over to the SCOM management server that doubles as my ACS collector, and from there I did mmc > Certificates > Local Computer > Trusted Root Certificates > Certificates > I imported the Root
  CA certificate.
  8) I also went to my CA server on my main domain, I ran pkiview.msc > right clicked “Enterprise PKI” > Manage AD Containers > NTAuthCertificates tab > and I imported the Root CA certificate there as well.
  9) I ran telnet from the DC on the untrusted domain, and confirmed that port 51909 is open from there to the ACS collector on the main domain.
  10) I enabled audit collection fot the DC on the untrusted domain. I did this from OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (second column in middle pane) > I selected the Healthy <untrustedDCfqdn>
  > I clicked Enable Audit Collection.
  Then under "Task Parameters" > i clicked [Override] > for New Value I specified <ACScollectorFQDN>. For task credentials I specified Other account, and specified a domain admin account in the untrusted domain. The result was "The
  task completed successfully. Enable Audit Collection, status:Success".
  11) On the ACS collector, I restarted Operations Manager Audit Collection Service. On the DC in the untrusted domain I restarted Microsoft Monitoring Agent Audit Forwarding service.
  12) Result was this error on the DC in the untrusted domain, in its
  Event Viewer > Apps and Services > Operations Manager
  1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
  <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: 10.1.1.91:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machinef(s)
  listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
  on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
  directory.
  13) On the DC in the untrusted domain I created DWORD reg value
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters\TraceFlags and set it to 524420 decimal. The resulting c:\windows\temp\AdtAgent.log file only confirmed that I'm getting 0x80090325 errors.
  After all this, why am I getting 0x80090325, which translates to SEC_E_UNTRUSTED_ROOT ??? Did I do something wrong in steps 5, 7 and 8? Thanks for reading all the way through :)
  Marko

  Thanks Yan Li, you gave me an idea. I got the ACS forwarder in the untrusted domain to work (!), by analyzing the setup on the SCOM gateway that I set up in the untrusted domain. I issued the ACS forwarder a certificate from the domain that SCOM is in, INSTEAD
  of configuring the ACS forwarder to use the certificate that it already had from its own domain.
  So the new procedure is: do steps 1 and 2, then instead of step 3 I did this…
  2B) I issued a certificate from the AD domain containing SCOM to the domain controller in the untrusted domain that is my ACS forwarder. I did this from the AD Certificate Services web site, and asked it to use certificate template that I created for the
  SCOM gateway server in the untrusted domain.
  2C) The new certificate appeared in the Personal store of the domain controller. I exported it, then ran the MomCertImport utility so that I would not get an error in the next step (per
  http://www.systemcentercentral.com/scom-deployment-across-multiple-networks/)
  3) On the domain controller in the untrusted domain, I re-ran "adtserver -c", and selected the new certificate.
  3B) I then ran “MomCertImport /Remove”, since I already have a SCOM gateway in the untrusted domain.
  Then I proceeded with steps 4, skipped 5, did 6, skip 7-8, did 9-11, result was this on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager
  2/3/2015 12:20:01 PM Source AdtAgent Event ID 4368 Forwarder successfully connected to the following collector:
  <ACScollectorFQDN>:51909, status: 0x0 (success), source: registry
  addresses tried: <IPaddress>:51909
  ACS forwarding works now! I will confirm by repeating the procedure for another domain controller in the untrusted forest.
  Marko

• No access to serial console in ACS appliance 111

  We have 2 Cisco ACS appliances running version ...
  Cisco Secure ACS 3.2.2.5
  Appliance Management Software 3.2.2.5
  Appliance Base Image 3.2.2.1
  The fact is that after initial setup, we have never used the console mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from none of both ACS. It's quiet strange but we have found no way to make them work. We have tried several things I expose to you in case you can give us any hint:
  1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
  2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
  3. We have tried boot the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restart from its own system ( I mean without the recovery CD_ROM), I can see all the starting messages but when it finish the start-up process ... no console access.
  4. Finally I have connected a monitor and a keyboard to the appliance ( I know Cisco dosn not recommned it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it have started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop up window stating that on or more services have not started correctly and that we shoulkd check the Event viewer, something we wished we could do but as you you, this is a secured system and I don't know if there is a back door method to verify windows services in this appliance.
  Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
  Kind regards.

  Hi
  I had similair problem being locked out of console after initial configuration wizard.
  I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enetr any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
  I rescued the server by doing F8 and rebooting server with last known good configuration. from there, you can reset the hostname to something valid. You can check to see which CS services are running through console session, and start any services that may not be running..
  deliverance1> start CSAgent
  Starting service: CSAgent..
  CSAgent is starting
  CSAgent is running
  Regards
  Ian

• ACS appliance External Auth to NT 4.0

  Hi
  I am installing the ACS appliance to do external database authentication to NT 4.0 PDC. It appears with the appliance you have to install a remote agent to make this work. It is my understanding this agent must run on a win2k box. Does the agent have to be installed on the PDC or can it go on any windows server box?
  Is there a work around if you do not have a win2k server. This network is still NT4 with now win2k boxes
  Thanks

  The remote agent was not tested on NT4 and probably wouldn't even install properly. Even if it did work, you would be very limited in the support you'd get if you had strange problems because it is an unsupported configuration.
  It doesn't have to go on a PDC, but things just seem to work better if it is on a DC of some sort. At the very least it needs to be on a member server, but as I said, I'd recommend putting it on a BDC from experience.
  The release notes/install guide for it is here:
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/index.htm

• Apply patch to acs Appliance

  I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one in a normal server 2000. The ACS appliance I think is different because that we can access by normal terminal, keyboard and mouse.
  Some were I read that is necessary a tomcat server?
  Please help
  adi

  Hi,
  ACS v4.1.1.23 patch 5 is available so go for this new patch.
  You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
  Follow the steps below on the PC:
  [1] Extract zipped file
  [2] Look for ?autorun.exe? file and double click on it
  [3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
  SE ip address :
  Provide in the ACS SE ip address and press ?Install?
  [4] It will prompt for ACS admin username and password as shown below :
  Provide in the username and password and login.
  [5] Then it bring up ACS GUI, then go to
  System Configuration > Appliance Upgrade Status > Download,
  Then we?ll get a screen where it will ask for ip address of Install Server :
  Provide in ip address of system from where we are applying this patch, in our case our
  desktop ip address, then click connect.
  [6] It will show us following screen :
  Click on ?Download Now?
  Then it?ll show us this screen :
  Press ?Refresh? Till we see following screen :
  [7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
  Press ?Upgrade?, then we?ll get information regarding the patch.
  Click ?Yes?.
  It?ll take few minutes to apply that patch on appliance.
  Then it?ll show us a confirmation message :
  Press ?Done?, then system will reboot.
  To confirm that patch has been applied successfully, goto
  System Configuration > Appliance Upgrade Status
  After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
  if you want to apply this patch on some more appliance click on ?Install Next?
  Hope this helps.
  ~Rohit

• ACS Appliance configuration issue.

  When I attempt to configure the ACS IP address I am getting the following error:
  "Error; Failed to get NIC configuration: <null> <FFFFFFFF>"
  The device is connected to a working ethernet port and the the physical layers have been eliminated. Aside from starting from scratch, can anyone suggest a way out of this problem?

  you need to reimage the ACS appliance.

• ACS Windows vs ACS Appliance

  I have ACS 3.3 running on Win2k and am looking to upgrade. Would it be a better idea to get the ACS appliance instead? What are the pros/cons?

  Hi
  Personally I wouldnt choose an appliance over software. Cost aside they are harder to integrate (esp if you use AD), harder to diagnose and patch.
  From experience I know ACS sometimes needs a little TLC to keep it working. ACS v3/v4 was not designed as appliance software. This has been retro-fitted with all the issues that go with it.
  ACS v5 is supposed to be appliance from day 1 so maybe that'll be ok!
  This is my own personal view, Im sure there are a lot of happy appliance owners out there.
  Main differences
  1) Appliance cant talk direct to AD. You need to install an agent somewhere (possibly requiring a dedicated windows server.. ouch what happened to lower TCO!)
  2) No native ODBC, RSA (done via RADIUS instead)
  3) Logging. CSVs hard coded to rollover at 10MB. Requires log agent or extraxi csvsync to collect logs.
  If you like to be "hands on" stick with s/w

• ACS Appliance Upgrade

  I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table. but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

  Hi,
  Without Distribution server, normally you need to load the new image into the current ACS appliance itself before execute the upgrade process. The new image can be transferred via serial or ACS web-based 'system upgrade' option.
  If I am not mistaken, the error you're getting was due to unavailability of distribution server.
  If you stuck with the image transfer, try to use CLI/console mode.
  Typicall upgrade method has 3 steps:
  1. Load new image (download from Cisco or using CD) onto a distribution server.
  2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
  3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
  Refer to the following url for complete upgrade processes & options:
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
  Rgds,
  AK