ACS SE setup for windows authentication

Dear All,
I'm trying to install an ACS Solution Engine in my network for access control (AAA). I succeeded in setting up authentication using the internal database and that works fine. Now my boss wants users to be authenticated through an external database (Windows AD). I tried achieving this but kept getting different errors (like "EAP-TLS or PEAP authentication failed during SSL handshake" or "Authen session timed out: Challenge not provided by client").
Please, I need someone who has done this setup successfully before to give me a step by step procedure on how I can set up ACS SE for Windows authentication using my domain Windows authentication.
Thanks

Hi,
Check out the below link on your query, hope that helps!!
https://supportforums.cisco.com/docs/DOC-5542
If helpful do rate
Ganesh.H

Similar Messages

  • Interactive Reporting 9.3.1 - Server-side ODBC setup for Windows Authent.

    Help. I am having a problem with Interactive Reporting connections to SQL server through the Web Client.
    In our environment, we have the Hyperion BI 9.3.1 suite. We develop IR documents (BQY's) on our local machine using Studio and using locally setup ODBC connections to SQL Server, using Windows NT authentication. Everything works perfectly fine, locally.
    When we upload the BQY and the OCE, and properly associate them to each other in Workspace, we then proceed to open them using the Web Client. The file opens fine, and when I hit process to run the query, I am prompted to login. When I login (using my NT Authenticated login), I receive the following error message: "Error Logging on as Windows User: Win32 Error code: 1385 Logon failure: the user has not been granted the requested logon type at this computer."
    The ODBC that was set up on the server was set up to use NT Authentication (as opposed to SQL Server). The DAS connections are set up properly. My question is - how do you set up a connection to a SQL Server using NT authentication and have the user authenticate through the Web Client? We don't want to grant users access to the server directly.
    If you can't answer this question, can you tell me how you have set up your connections on the server through DAS and how you properly maintained security controls?
    Thanks - Mike

    It's not really in the BQY (it's in the OCE) but I understand your point. Now we get to the point where it's not my expertise any more, but perhaps something like row level security or making use of the odsusername variable might give some solution or workaround. Sometimes this is how we solve it when it comes to sensitive information from an app DB. We retrieve the user's security from the DB app and use it as a where clause in the BQY. As long as end users do not have enough rights to change the query, it's enough.

  • CA and Certificate Issue in ACS 4.0 For Windows 2003 Enterprise Server

    Hi,
    I have configured a Microsoft CA server on the same ACS 4.0 for Windows 2003 Enterprise server, which was configured earlier using self-generated certificates for EAP and PEAP authentication.
    After I changed the certificate from self-generated to the new CA certificate (which can be viewed under the Install ACS Certificate option on the ACS server), I am having the following problems:
    1. SSL is not functioning while internet browser access to the ACS server and going through http instead of https.
    2. Wireless clients are authenticated successfully even after the certificate is uninstalled.
    Any help on these problems will be appreciated.
    Thanks
    Best Regards,
    Ahmed

    Hi Rohit,
    Thanks for reminding me of the HTTPS option under Administration Control on ACS.
    I have some doubts pertaining to the installation of certificates on wireless clients: it is optional for self-generated certificates, but what about the case of a Microsoft CA? I tested wireless client authentication even after removing the certificate from the Microsoft supplicant (Windows XP SP2 with the patch KB885453 for PEAP installed). How does the certificate on the wireless client work?
    Is it mandatory or optional to keep the certificate on wireless clients, as they were able to get authenticated through ACS after removing the certificate?
    Thanks
    Best Regards,
    Ahmed

  • ACS 3.2 for Windows and MS Windows AD Directory Integration Problem

    Dear all,
    We have some issues while integrating Windows AD with ACS 3.2 for Windows. Currently we have done the following:
    1. Installed ACS 3.2 for Windows on Windows 2003 Enterprise with SP1
    2. ACS and Domain Controller are configured on the same server
    Checked and verified the following configurations:
    1. Created a domain user "csacs" with "Act as part of the operating system" and "Log on as a service" enabled for this user.
    2. Enabled all the CS services to log on as the user csacs.
    But I noticed the CS services are not responding and give the error "Could not able to start the service with service specific error ..." while trying to start the services manually on ACS.
    Kindly help me through this integration part.
    An easy and handy step-wise procedure on configuring the integration of AD with ACS 3.2, on both a Domain Controller and a Member server, would be of great help.
    Thanks
    Kind Regards,
    Ahmed

    I have no issues running Cisco ACS version 3.2 on Windows Server 2003 with SP2:
    1) Create user test1 in MS Active Directory and put test1 in the Users group with dial-in access granted,
    2) Create a group called "LDAP". Actually I renamed group name "group 1" to "LDAP".
    3) In the ACS external user database configuration, I specified domain "CCIE" for this. The unknown user policy is to use the Windows Database configuration,
    4) Configure the database configuration in ACS to point to the "CCIE" Windows domain,
    5) Set up ACS to authenticate one of your Cisco devices and log in using the MS Windows account.
    By the way, mgurwara, you are wrong. I run Cisco ACS 3.2 on Windows 2003 Enterprise Edition with Service Pack 2. I am running it on a Dell Optiplex GX240 (1.7 GHz with 512MB of RAM) and it is running fine. I use it to manage about 20 Cisco devices and about 200 wireless LEAP users. Furthermore, I am also running ACS 4.1 on other identical hardware. It has nothing to do with the hardware. I don't know where you got that information from.

  • CiscoSecure ACS v2.4 for Windows NT Upgrade

    We still have two ancient instances of CiscoSecure ACS v2.4 for Windows NT running on our network: ACS1 (primary) and ACS2 (secondary). I would like to upgrade these, not only because of how old they are but because of an issue trying to replicate the user and group database from ACS1 to ACS2. When trying to replicate the user and group database, the logs say it's successful but the databases don't match. ACS2 is missing some of the users that are in ACS1. I have successfully replicated the interface database. But for whatever reason, the user and group database will not replicate.
    First, is there any other way I can get the user and group database copied from ACS1 to ACS2? Other than using the built in database replication tool?
    Second, is there any way I can get these upgraded? I read that the recommended upgrade path is 2.4->2.6->3.0->3.2. But Cisco no longer has version 2.6 available for download. I really would like to upgrade rather than starting from scratch.
    Thanks!

    ACS 2.4 - wow! That hasn't been sold for over 11 years. (reference)
    Think about it - would you want to try to upgrade Windows 98 to Windows 7? That's about an equivalent span of software product timeline.
    The current product is so different that even if you could upgrade, it would not be advisable to do so. While painful, it would be a much better option to make a clean break with the old and move onto a current platform (e.g. ACS 5.3).

  • Advice for Buying Cisco Secure ACS 3.3 for Windows

    I just need advice on what other things I NEED to order apart from the Windows server when I want to implement ACS, and I want to use CISCO SECURE ACS 3.3 FOR WINDOWS.
    Hope someone will help.

    Hi,
    This is all that you require:
    Supported Operating System
    Cisco Secure ACS for Windows Servers 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
    • Windows 2000 Server, with Service Pack 4 installed
    • Windows 2000 Advanced Server, with the following conditions:
      – with Service Pack 4 installed
      – without features specific to Windows 2000 Advanced Server enabled
    • Windows Server 2003, Enterprise Edition
    • Windows Server 2003, Standard Edition
    Note: The following restrictions apply to support for Microsoft Windows operating systems:
    • We have not tested and cannot support the multi-processor feature of any supported operating system.
    • We cannot support Microsoft clustering service on any supported operating system.
    • Windows 2000 Datacenter Server is not a supported operating system.
    Please refer to the following link for more information:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/win33sdt.htm
    Thanx & Regards

  • Delete proxy config on Cisco Secure ACS 4.1 for Windows ?

    We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2.
    We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
    While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
    - pressed the Network Configuration button,
    - saw the Proxy Distribution Table,
    - clicked (Default),
    - moved ACS1 from the AAA Servers column to the Forward To column.
    So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
    If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
    I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
    Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
    We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
    For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.

    Hello Jeffrey,
    By default the ACS 4.x Proxy Distribution Settings should have the ACS entry for itself on the Forward To box. Your ACS1 entry should be on the Forward To box.
    The Internal Error message on the ACS should be highlighting a different issue on your ACS1. Also, the message stating that we cannot have zero servers on the "Forward To" box is expected.
    Set your ACS1 for Full Logging Detail (System Configuration > Service Control) and configure the ACS1 entry under the Forward To box. Recreate the authentication issue and collect a package.cab file. If you have an ACS for Windows, under the ACS Installation folder look for the CSAuth folder > Logs and share the auth.log file with a failure timestamp for us to review the ACS logs when failing with Internal Error.
    If this was helpful please rate.
    Regards.

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have a set-up with the below devices:
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    Which EAP method to use for wireless client authentication? What is the best practice?
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate in the ACS server as well as in the client PC. Is that so?
    I have no clear picture of this certificate.
    From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it in the ACS server?
    I would be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.
    I need a GUI-based initial configuration for ACS 5.1.
    This ACS 5.1 is installed on an ACS 1121 hardware appliance.

    Hi,
    Which EAP method to use for wireless client authentication? What is the best practice?
    -> I would advise the most widely spread EAP method, which has the best ratio of security to ease of deployment: PEAP with MSCHAPv2, which is available by default on all Windows machines.
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate in the ACS server as well as in the client PC. Is that so?
    -> You will always need to install a server certificate; however, there is no need for a client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require the server certificate to be trusted, you can simply disable the option of server certificate validation.
    I have no clear picture of this certificate.
    From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it in the ACS server?
    -> The server certificate can be a simple self-signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Certificate issues in ACS 4.0 for Windows

    Hi,
    One of the ACS servers is configured as a CA using a third party certificate, but the server certificate on ACS was self-generated and is expired.
    I tried using the same third party certificate to replace the existing expired server certificate on ACS, both by generating a CSR on ACS and by installing the new certificate using the local storage and read from file options, but failed. It gives the following error while using the CSR generated private key:
    "private key doesn't fit for this certificate"
    Next, assuming that the installed third party certificate with its own private key can be used to install the certificate from storage, it gives the following error:
    "Cannot get the private key from certificate. It's absent or not marked as exportable"
    Again, assuming that the third party certificate has multi server/seat licences.
    Any solution to this issue will be of great help.
    Thanks
    Regards,
    Ahmed

    Re-installing the certificate may resolve this issue.
    Install CA Certificate on your Appliance
    ===============================
    A. Go to System Configuration > ACS Certificate Setup > ACS Certification Authority Setup
    B. Click "Download CA certificate file"
    C. Type the IP address or hostname of the FTP server in the FTP Server field
    D. Type a valid username that Cisco Secure ACS can use to access the FTP server in the Login field
    E. Type the above user's password in the Password field
    F. Type the relative path from the FTP server root directory to the directory containing the CA certificate file in the Remote FTP Directory field
    G. Type the name of the CA certificate file in the Remote FTP File Name field
    H. Click Submit
    I. Verify the filename in the field and click Submit
    J. Restart the ACS services in System Configuration > Service Control

  • AD FS Token issuance endpoints for Windows authentication fail to open

    Hi,
    I have had an issue with AD FS, and after turning tracing on I realized that the AD FS endpoints that issue tokens based on Windows authentication were all failing with an error like:
    A WS-Trust endpoint that was configured could not be opened. 
    Additional Data 
    Address: https://adfsvm.dub01.local/adfs/services/trust/13/windowstransport 
    Mode:    WindowsTransport 
    Error: 
    MSIS0006: A Service Principal Name is not registered for the AD FS service account. 
    I have tried to register an SPN for the AD FS service using the following command (I found the AD FS Service Name in the Federation Service Properties, as in the screenshot hereunder), but it fails with the following error.
    setspn -a host/ADFSVM.dub01.local DUB01\ADFSService
    Checking domain DC=dub01,DC=local
    CN=ADFSVM,CN=Computers,DC=dub01,DC=local
            WSMAN/ADFSVM
            WSMAN/ADFSVM.dub01.local
            TERMSRV/ADFSVM
            TERMSRV/ADFSVM.dub01.local
            RestrictedKrbHost/ADFSVM
            HOST/ADFSVM
            RestrictedKrbHost/ADFSVM.dub01.local
            HOST/ADFSVM.dub01.local
    Duplicate SPN found, aborting operation!
    Now I have come to realise that the Federation Service name is the same as the computer name, but:
    I don't know if that is an issue.
    I don't recall having been offered to give a particular name when installing AD FS.
    This is the first time I have installed AD FS. Is there anyone who could give me a pointer?
    Thanks.
    Francois

    The ADFS federation service FQDN should NOT be the same as the hostname. You will run into Kerberos issues because of duplicate SPNs, as you have found:
    https://jorgequestforknowledge.wordpress.com/2013/09/06/duplicate-spn-breaks-trust-between-clientserver-and-active-directory/
    When installing ADFS you should specify a federation service FQDN and a service account. When using the GUI to install ADFS, (if I'm not mistaken) the federation service FQDN is derived from the selected cert in the GUI. If that cert had a subject name equal to the hostname, you get this scenario. Instead, install an SSL cert, a token signing cert and a token encryption cert BEFORE the installation and use PowerShell to install/configure ADFS, as it gives you more control.
    As an example see (ADFS v2):
    https://jorgequestforknowledge.wordpress.com/2012/05/08/installing-and-configuring-adfs-v2-as-an-sts-server-part-1/
    https://jorgequestforknowledge.wordpress.com/2012/05/09/installing-and-configuring-adfs-v2-as-an-sts-server-part-2/
    https://jorgequestforknowledge.wordpress.com/2012/05/10/installing-and-configuring-adfs-v2-as-an-sts-server-part-3/
    Install-ADFSFarm
    https://technet.microsoft.com/en-us/library/dn479416.aspx
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies
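A pre-flight check for the duplicate-SPN scenario Jorge describes, added here as an example and not part of the original thread. It assumes the RSAT ActiveDirectory module is installed, uses a hypothetical federation service name adfs.dub01.local (distinct from the host name, as advised above), and the DUB01\ADFSService account from the post.

```powershell
# Added example (not from the thread): check that a planned AD FS federation
# service name will not collide with an existing HOST/ SPN, the cause of the
# "Duplicate SPN found, aborting operation!" failure shown above.
# Assumptions: RSAT ActiveDirectory module present; 'adfs.dub01.local' is a
# hypothetical federation service name; DUB01\ADFSService is the thread's account.
Import-Module ActiveDirectory

function Test-AdfsSpnConflict {
    param(
        [Parameter(Mandatory)][string]$FederationServiceFqdn,
        [Parameter(Mandatory)][string]$ServiceAccount   # DOMAIN\sAMAccountName
    )
    $findings = @()

    # 1. The thread's scenario: the federation service name equals a computer's
    #    DNS name, so that computer object already owns HOST/<name> and setspn
    #    refuses to add the same SPN to the service account.
    $computer = Get-ADComputer -LDAPFilter "(dNSHostName=$FederationServiceFqdn)" -Properties dNSHostName
    if ($computer) {
        $findings += "$FederationServiceFqdn is the DNS name of computer '$($computer.Name)'; choose a distinct federation service name."
    }

    # 2. Any object that already holds the SPNs AD FS will need for this name.
    foreach ($spn in @("HOST/$FederationServiceFqdn", "HTTP/$FederationServiceFqdn")) {
        $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
        foreach ($holder in $holders) {
            $findings += "$spn is already registered on $($holder.DistinguishedName)"
        }
    }

    # 3. Show what the service account holds today, for comparison.
    #    (A group managed service account would need Get-ADServiceAccount instead.)
    $sam = $ServiceAccount.Split('\')[-1]
    $account = Get-ADUser -Identity $sam -Properties servicePrincipalName -ErrorAction SilentlyContinue
    if ($account -and $account.servicePrincipalName) {
        Write-Verbose ("Current SPNs on {0}: {1}" -f $ServiceAccount, ($account.servicePrincipalName -join ', '))
    }
    return $findings
}

$findings = Test-AdfsSpnConflict -FederationServiceFqdn 'adfs.dub01.local' -ServiceAccount 'DUB01\ADFSService' -Verbose
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "No SPN conflict for adfs.dub01.local; HOST/ and HTTP/ SPNs can be registered on DUB01\ADFSService."
}

# Forest-wide scan for SPNs that are already registered more than once (built-in tool):
# setspn -X
```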

  • IIsProxy version for windows authentication

    We are in the process of installing Windows authentication on our EP 6.0 portal. We are running on SP 11 J2EE with portal SP 11 patch 3.
    The first question I have: the document "Using Header Variables or Integrated Windows Authentication", section "Installing the IIsProxy module", says that for security reasons we need to install version 1.7.0.0. Was this version released? We cannot find it on the Service Marketplace.
    My second question, when we use version IISPROXY16_2-10001433.SAR the authentication mechanism works fine to the portal but I cannot navigate within the portal, it looks like the screen get stuck on the first Iview no matter what role you choose. When we use version IISPROXY15_0-10001969.SAR things work fine. I increased the trace while using IISProxy 16.2 but there were no errors in the logs. We would like to be on the latest version. Any idea what might be the problem?
    Thanks for your help,
    Mike Fasheh

    Hi folks !
    I have made this configuration a couple of times without problems (with other iisproxy versions), but for some reason this time it is not working and I'm totally desperate =(
    Scenario:
    - 1st server, Win 2003, IIS 6.0: IisProxy 1.6.2 installed, it forwards the requests correctly
    - 2nd server, IBM with AIX, SAP EP 6.0 SP12. Configured for NT authentication.
    The problem:
    For some reason the virtual directories defined in the IisProxy.xml file are not taking the IIS security settings (Integrated Windows Authentication). IisProxy is just forwarding the request, but IIS is not performing the NT authentication.
    If I change the name of the virtual directory in the IisProxy.xml file (to any name), IIS applies the security settings correctly.
    Any clue about this ?
    Thanks a lot for your help !!!!!!
    Regards from Mexico,
    Diego

  • ACS 4.2 For Windows DB Replication

    Hi Folks.
    I have a pair of ACS for Windows 4.2 servers and we also have a few mappings (ACS Group --> AD Group).
    The replication process was configured and it replicates all the settings except the Group Mappings.
    Is this the way it's supposed to be, or should it replicate the group mappings as well?
    Best regards,
    AL

    The following items cannot be replicated:
    • IP pool definitions (for more information, see About IP Pools Server).
    • ACS certificate and private key files.
    • Unknown user group mapping configuration.
    • Dynamically-mapped users.
    • Settings on the ACS Service Management page in the System Configuration section.
    • RDBMS Synchronization settings.
    User guide:
    http://www.ciscosystems.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756078
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS 5.1 for Windows VM Ware

    Hello,
    Please help me...
    I want to know if we can install ACS 5.1 on a Windows VMware machine. I have downloaded it but it only gives me the option of installation on Linux.
    Please suggest.

    Ravi,
    This release of ACS 5.1 provides new architecture and functionality on a standard Cisco Linux-based. We would be requiring a new box altogether for 5.0.
    Installing ACS on a VMware virtual machine:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_vmware.pdf
    ACS 5.1 doesn't support the Windows OS.
    HTH
    JK
    -Do rate helpful posts-

  • Cisco Secure ACS 4.2 for Windows web-based Admin Console log in problems

    To Whomever Can Assist,
    I am running two deployments of Cisco Secure ACS for Windows 4.2 and I can log in to the admin web console just fine. However, when I create a new or test user that mirrors my configuration, that user cannot log in to the admin web console. The user can log in to devices with the appropriate privileges, but can't administer his/her account within ACS. This has proven very problematic and needs a remedy. Thanks for the assistance.

    Bradbryant.dhs,
    Where are you creating the new admin user who should have access to the ACS web GUI: under internal users or administration?
    Internal user and ACS administrator accounts are completely different.
    Adding an administrator account:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/Admin.html
    Regards,
    Jatin Katyal
    ** Do rate helpful posts **

  • ACS SE & CSACS for windows

    Hello Friends,
    If I order the Access Control Server Solution Engine (ACS SE) CSACS-1120-K9, shouldn't I order a CSACS for Windows CD? Is the ACS server built in to the ACS SE, with no need to install a Windows OS and on top of that the ACS server? I'm confused regarding the product.
    Can anybody help me with this? I have been through the Cisco web site but am not pretty sure regarding these two products.
    Thanks

    CSACS-1120-K9 is an ACS appliance, and it supports both ACS version 5.0 and 5.1.
    Here are the release notes for both versions:
    5.0: http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/release/notes/ACS-50-releasenotes.html
    5.1: http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html
    FYI, ACS version 5.x onwards is completely different from the previous versions of ACS, 3.x and 4.x.
