ACS External User Databases - Empty NT Group List

I have a production ACS system that has multiple external NT domains for authenticating users.
We are bringing up a new ADS domain that I need to authenticate against. We have created the trust. The domain shows up in the domain list. When I go to map an NT group to an ACS group, the NT group list is empty.
The other domains show their NT groups.
What is also noteworthy is that when I log into the ACS server desktop and try to see the foreign domain groups via User Manager, I get a "domain cannot be found". When the server admin logs in (he administers both domains), he gets a list of the foreign groups in User Manager.
What could be preventing ACS from seeing the groups in the external domain?
Thanks for any assistance.
Dan

Hi,
Try to set all ACS Services to "Log on As" using a domain admin account.
Regards,
Vivek

Similar Messages

  • ACS 4.2.1.15 External User Database 'Authen DLL '

    Having CSACSE-1113-K9 with ACS 4.2.15.
    I want to configure the Windows user database under External User Databases, but I get an error (attached): 'An error has occurred while processing the Authen DLL Configure page because an error occurred....'
    External User Database----->database configuration --->Windows Database------>Configure.
    I tried to stop the services and start again but the same issue.
    The appliance is the secondary (backup) ACS. On the primary it is working fine.
    Any help would be appreciated.
    Regards,
    BJ

    Hi Abdul,
      Can you check if the remote agent on the windows server box is running the same 4.2.1.15 version as well.
    Like if  ACS -4.2.1.15   then make sure that remote agent is also 4.2.1.15
    or
    if ACS is running 4.2.1.15 patch 2 then remote agent should also be 4.2.1.15 patch 2
    Let me know if the version is same and if not then install the remote agent correctly and try again.

  • Unable to select SOME external users in person or group column in SharePoint O365

    Here's a head scratcher.
    We have an O365 SharePoint(G3) instance.
    Sent external users invites to join the site from the SharePoint Group that the external user will be placed.
    External users accepted invitations and now have access to the site with the correct permissions.
    Permissions assigned to SharePoint Group.
    Some external users can be selected for "Assigned to" field (person or group column type).
    Some external users canNOT be selected for "Assigned to" field (person or group column type).
    When typing external users name that canNOT be selected, the error message "No results found" appears.
    Went to Site Settings > Site Permissions > Check Permissions and typed in external users name that canNOT be selected, the error message "No results found" appears.
    I have no idea why this would happen for some external users and not others.
    External users that can be selected and those that canNOT be selected are in the same SharePoint Group and have the same permissions.
    Could this be due to how the external user set up their account?
    Help me please. This is driving me crazy.
    Thanks in advance.
    Tamara
    The Stumped SharePointer
    Tamara Bredemus SharePoint Minion...working up to Maven

    Hi Miikka,
    Can you try cleaning up the user information list via PowerShell and reconfigure the user profile sync? The following URL contains the PowerShell script for user information cleanup:
    http://blog.fpweb.net/how-to-clean-up-sharepoint-user-information-list-with-powershell/#.VPrbn_mUeSo
    Regards  Roy Joyson
    Please remember to mark your question as "answered"/"Vote helpful" if this solves/helps your problem.
    Roy Joyson

  • Integrating ACS with user database in windows DC

    Please,
    I just installed and configured ACS on a Windows 2003 server on my network. The next task is to integrate the user database in my DC with the ACS. I need you to tell me in steps what else needs to be done. The documentation is not specific.
    (I heard about 'remote agent' please what is this,and is it required?)

    I think you can map your DC groups to ACS group
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940538
    M.

  • User Management In Ecommerce based on external user database

    We have the scenario that requires that people in our membership database be charged based on a separate discounted price list.
    For this we need to periodically sync the membership database into the web tools database. 
    In addition we are using a consolidate business partner on the B1 to receive all orders from the ecommerce net point system.
    Question is:
    1.  Is there a technique to create users automatically and update their price list profile via SQL or something
    2.  What is the best method of allowing someone to see a different price list based on perhaps the theme or catalog or domain name.
    Mike

    Hi Mike,
    Sounds like you are in for some development.  There is no magic bullet here.
    1.  I can think of a couple ways to approach this, both will probably be about the same amount of work.  If the schema of your membership db is not too far off from Webtools (for instance, if you don't have to turn a "name" field into "first name", "middle name", "last name"), then it might be easiest to approach the problem using SQL.
    However, if you are comfortable with .NET, you can whip up a little app to synch the data.  In this case you would need to familiarize yourself with the netpoint.api, specifically the netpoint.api.account namespace, and use this to update the Webtools database.  If you plan on making a lot of customizations like this, I would suggest this route, since you will eventually need to learn the webtools api.
    2.  This is a difficult question.  The simple answer is, you specify the pricelist for an account (business partner).  This is very simple, just set the UsersAccount.PriceListCode; referring to step one, this can be done in SQL or by using the netpoint.api.account.NPAccount object.  However, I am not sure this is going to work for you.  If all users on the account will have the same pricelist, you are OK.  But if the users on the same account required different pricelists, then there is a problem.
    Last, you can NOT set a pricelist by theme.  (it would be a nice feature).  So if the users needed something like this, you would need to devise a workaround.
    There are ways to do it by messing with the cookie....

  • Cisco ACS 4.2 one user in multiple local groups

    Currently i have group mapping like this
    ACS Groups           Window Groups
        Grp-A-B             Grp-1 and Grp-2
        Grp-A                        Grp-1
        Grp-B                        Grp-2
    For example, currently one user test1 is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?

    Salam Muhammad,
    If you have a local user in ACS, that user can not be a member of two groups at the same time.
    The same concept applies to the external users. They can not be mapped to two different groups at the same time.
    If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 processes the group mapping in order:
    '''snip'''
    Group Mapping Order
    ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
    ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
    '''snip'''
    Reference: http://goo.gl/cvc474
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
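
    The first-match behaviour quoted in the reply above, as an added example that is not part of the original thread and is not ACS code. The function names (`map_user`, `shadowed`) are hypothetical; the mapping list is the one from the question, and a mapping is assumed to match when the user belongs to every Windows group in its set.

```python
from typing import Iterable, List, Optional, Tuple

# One group-set mapping: (ACS group, Windows groups the user must ALL belong to).
Mapping = Tuple[str, frozenset]

# Mapping list from the question in this thread, top of the list first.
THREAD_ORDER: List[Mapping] = [
    ("Grp-A-B", frozenset({"Grp-1", "Grp-2"})),
    ("Grp-A", frozenset({"Grp-1"})),
    ("Grp-B", frozenset({"Grp-2"})),
]


def map_user(memberships: Iterable[str], mappings: List[Mapping]) -> Optional[str]:
    """Return the ACS group of the first mapping the user satisfies.

    Evaluation stops at the first match, so a user is only ever placed in
    one ACS group. None means no mapping matched (what happens then is
    outside this example).
    """
    member_of = set(memberships)
    for acs_group, group_set in mappings:
        if group_set <= member_of:  # user is in every group of the set
            return acs_group
    return None


def shadowed(mappings: List[Mapping]) -> List[Tuple[str, str]]:
    """Find mappings that can never be selected.

    If an earlier mapping's group set is a subset of a later one, every user
    who satisfies the later mapping already matched the earlier one. Returns
    (unreachable ACS group, ACS group that shadows it) pairs.
    """
    findings = []
    for j, (later_group, later_set) in enumerate(mappings):
        for earlier_group, earlier_set in mappings[:j]:
            if earlier_set <= later_set:
                findings.append((later_group, earlier_group))
                break
    return findings


if __name__ == "__main__":
    test1 = {"Grp-1", "Grp-2"}  # constructed user from the question
    print("current list:        ", map_user(test1, THREAD_ORDER))
    # Deleting the Grp-A-B mapping: test1 lands in Grp-A only, never in both.
    print("Grp-A-B removed:     ", map_user(test1, THREAD_ORDER[1:]))
    # Specific mapping placed below a general one: it becomes unreachable.
    reordered = [THREAD_ORDER[1], THREAD_ORDER[0], THREAD_ORDER[2]]
    print("shadowed if reordered:", shadowed(reordered))
```

    Running the `shadowed` check after any reordering shows whether a more specific group set has been placed below a broader one and will silently stop taking effect.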

  • User authentication in Cisco ACS by adding external RADIUS database

    Hi,
    I would like to configure the below setup:
    End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
    Here ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in
    ACS under External databases. I have added an AAA client in Network configuration (selected authenticate using RADIUS (VPN 3000/ASA/PIX 7.0) from the drop down).
    Here how do I make ASA recognize that it has to send the request to ACS server? Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make ASA send the requests to ACS server?
    Any help on this would be really grateful to me.
    Thanks and Regards,
    Rahul.

    Thanks Ajay,
    As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
    I'm a newbie to ACS and this is the first time I'm trying to perform a two factor authentication in Cisco ACS using an external user database.
    By two factor authentication I mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor. So, during user authentication I enter only username in the username field and in the "password" field I enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we don't have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
    -> In external user databases, i have added a external RADIUS token server.
    -> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
    -> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
    Just to check whether user authentication is successful, I launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, I entered username and in the password field I entered "password + security code". But the page throws an error saying "login failed...Try again". I can't find any logs in the external RADIUS server.
    Here is what i found in "Failed attempts" logs under Reports and activities.
    Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
    02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    Am i missing any thing in configuration side with respect to ACS?
    Thanks

  • User in a windows group - mapping to acs group appears not be working

    I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
    Any suggestion?

    Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed on moved to the Domain List section
    2. External User Databases - Database Group Mappings - Windows Database - - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group, you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
    Check “The database in which the user profile is held” radio dial in the Configure Enable Password Behaviour section
    Hope that helps!

  • ACS and Windows 2000 user database communication port

    Could my Windows 2000 SP4 + ACS v3.23 can install any new Windows 2000 service pack ?
    I'm afraid to infect ACS Service.
    So, I want to install firewall on this server to block malicious traffic.
    However, my ACS used external user database Windows 2000 for authentication.
    Who can tell me What protocols or port list they are communication?
    I have to avoid these traffic on my firewall.

    Hi cheng
    I think you can install any service pack without problem, and SP4 is the latest one for WIN2000 and your server already has this SP.
    For your second question you need to specify many protocols according to your Active Directory config. In this link you can find a list of these protocols, and the best way is to make debug or logging or use a sniffer to know the exact protocols flow between your ACS and AD server:
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
    Best Regards

  • ACS support Kerberos User Database?

    Hi,
    I've a customer currently having kerberos user database. I proposed to him to implement ACS to enable 802.1x on wireless client. Can ACS support or integrate with Kerberos User Database? If yes, any user guide which list out the steps on doing so?
    I searched through Cisco website but failed to find any info related to the integration of ACS with Kerberos User Database.
    Thank.
    Delon

    For network users who are authenticated by a Windows user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section.

  • ACS external database issue

    Hi
    I have the following issue: user exists on both the ACS and token server, authentication is set to external database with no unknown user policy as the user is known to the ACS! This fails, authentication error message is CS user unknown... Now if the unknown user policy is set to the external database the authentication works fine. This is on 3.3. I have checked for bugs to no avail.
    Any assistance would be good...
    Thanks MJ

    Hi JG
    Many thanks for your response, it is configured this way due the documentation below:
    Known Users - Users explicitly added, either manually or automatically, into the Cisco Secure ACS database.
    These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "CSUtil Database Utility".
    Cisco Secure ACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice-over-IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, Cisco Secure ACS does not have to store a user password in the CiscoSecure user database.
    This is from the following link....
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/qu.htm
    Many thanks MJ

  • How to add external user to the group programmatically in SharePoint?

    Hi all,
    I want add an external user to a sharepoint group:
    When I run the below code in ConsoleApplication the user will be added to the DemoGroup,
    but when I add my code to a User Control and run the code on SharePoint it doesn't work and I get an error:
    The user does not exist or is not unique.<nativehr>0x81020054</nativehr><nativestack></nativestack>
    Now I change the code:
    SPUser user = spWeb.EnsureUser(userName);
    I get again an error:
    The Specified user i:0#.f|IT2S|Doe, John was not found.
    string extName = "Doe, John";
    string domainName = System.Environment.UserDomainName;
    // in sp this is way how we get the domain:
    //string domainName = System.Environment.GetEnvironmentVariables()["USERDOMAIN"].ToString();
    web.AllowUnsafeUpdates = true;
    string userName = string.Format("i:0#.f|{0}|{1}", domainName, extName);
    web.SiteUsers.Add(userName,"[email protected]", extName, "0222");
    SPUser user = web.SiteUsers[userName];
    if (user != null)
    web.Groups["DemoGroup"].AddUser(user);
    web.Update();
    web.AllowUnsafeUpdates = false;
    can anyone please help me and say why that not work? Or if someone have an idea?
    thank you in advance
    Ahmad
    SP 2013 & SPD 2013 & VS 2013 & MSSQL 2012

    Hi Linda Li,
    yes, I solved the issue with FBA:
    http://chrisbarba.com/2013/07/16/sharepoint-2013-forms-based-authentication-fba/
    and
    http://sharepointsolutions.blogspot.de/2012/08/configuring-forms-based-authentication.html
    with above links I solved the task.
    Best Regards
    Ahmad
    SP 2013 & SPD 2013 & VS 2013 & MSSQL 2012

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group
    policy.
    Step 2 Set the class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value
    of OU=SSL_VPN; (Do not omit the semicolon.)

  • ACS User Database Export

    Is it possible to export the user database stored in the Cisco Secure ACS Database to some file. I need to see all the user accounts and their group assignments etc to be able to do reporting on this.
    Any ideas?

    yes... csutil -d will dump the db.
    look at aaa-reports (www.extraxi.com) they can import the dump file and run reports off it.

  • Export User-Database between ACS-Server

    Hi everyone ,
    an ACS 2.3 is running under Unix with 3000 based user. The job is, to migrate the user-database to a new ACS-Server under Windows.
    On the Unix version 2.3 there is no way to export the database externally.
    The only way, I hope, is to mirror the old and the new server as redundant servers, and if the database is mirrored on both servers, then the database is ready for export.
    Is this correct?
    Is there an other way?
    Thanks for your input.
    Ralf

    The migration should go to version 3.1 or 3.2 .
    Ralf
