ACS Two Windows Domains

Can the ACS server be configured to work with two Windows domains, to authenticate users that belong to the domains called "a" and "b"? The protocol used to authenticate them is 802.1X in a wireless environment (WLC4400 + ACS 4.2 + two Windows domains).

Hello,
Under certain conditions, yes. You have to have trust between the domains, and depending on whether you are running the ACS on an appliance or a server, there's certain configurations you have to do to make it work with multi-domain authentication.
Here are a few links to get you started:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/new_feats.html#wp1011301
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353805
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041202
HTH,
Faisal
If you find this post helpful, please rate so others can find the answer easily

Similar Messages

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows domains, Domain A and B. ACS is configured on a member server in domain B and hence Windows authentication for users in Domain B is working fine. However, I'm unable to see domain A in the Configure Domain List on the ACS server in the Windows Domain configuration menu.
    Please note there is a one-way trust between domain A and B, with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
    Appreciate quick help on this.
    -Satishcp

    Unfortunately we are not using the Cisco Secure ACS Appliances; rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess is Remote Agents for Windows / Solaris work with Appliances alone.

  • WAAS 4.1.15b and two windows domain

    Hi
    I have two data centers and two Windows domains (let's call them X and Y). In data center X I have two WAEs, CM and Core; in data center Y I have one configured as Edge and Core as well (people in data center Y have to access resources in domain X).
    In all remote offices the WAEs are configured as Edge. All WAEs are added to domain X.
    All prepositions in domain X work fine.
    I have created a second CoreCluster for domain Y, added the WAE in data center Y as Core and one WAE in a remote office as Edge to this CoreCluster, but the preposition doesn't work.
    On the Edge WAE, in the log /local1/logs/actona/RxLogging.log I can find only this:
    [2010-03-25 14:35:58,765][ INFO] - Preposition ID  929205 started on \\serverY\testfolder\.
    [2010-03-25 14:39:59,303][ INFO] - Prpositioned files under \\serverY\testfolder\ (task 929205): File server disconnection - scanned 0 files, updated 0 files, 0 bytes 0 directories.
    [2010-03-25 14:39:59,323][ INFO] - Preposition ID  929205 failed, reason: Completed with error(0 files with errors).
    I can ping this serverY from this WAE.
    The question is:
    Is it possible to create prepositions for two Windows domains using this infrastructure?
    PS. I have to use legacy services.
    I hope that this is not so complicated.
    Thanks in advance
    james

    James,
    Thanks for the log files.  In the Tx.internal.log file, there is the following entry:
    2010-04-15 12:08:28,952  WARN (actona.cifs.fsclient.FileSystemClient:1799) TP-1 -  Terminating caller due to disconnect: error=13caller=TYPE_START_SESSION [cookie=null]
    This message and error code means that the WAFS Core was unable to open a socket to the origin file server you are trying to preposition content from.  Can you please verify the following from the CLI of the WAAS device running the WAFS Core service:
    Verify name resolution - dns xchn.i.shadm
    Verify IP connectivity - ping xchn.i.shadm
    Verify TCP connectivity - telnet xchn.i.shadm 445
    Thanks,
    Zach

  • ISE and Two distinct Windows Domains

    All,
    I have a customer who wants to integrate ISE with two separate Windows Domains; they have no trust relationship. We can integrate with one of the domains and can make use of LDAP for the other, but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth, and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth or disabling guest altogether, as the problem is a guest with a dot1x supplicant is not given guest access in a timely manner without this command. Another option I have thought about is to use the RADIUS token external identity store to talk to a Cisco ACS server attached to the other domain.
    Any help would be greatly appreciated
    Thanks
    Simon

    Here's the list of which methods are supported when using different kinds of user databases :
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1053140

  • Can I configure two webserver domain in one windows server

    Can I configure two webserver domain in one windows server with default port. ( i.e 80 )
    For Ex:- http://server-name/psp/DOMAIN/?cmd=login and another one
    http://server-name/psp/DOMAIN2/?cmd=login.
    If not, please let me know the workaround to do so, because I don't want to put the port number in my second URL.

    Hi,
    You can even have several domains within the same webserver instance.
    During PIA installation (of the second) choose option existing domain and then add an additional site.
    Give the domain a unique name and port to your second application server and you are ready to go.
    I usually do this on sandbox environments to keep the sandbox small, with several databases (Portal, HCM, FIN, CRM) and one PIA with several domains.
    But it is definitely not what you should do for production systems.
    Each application should have its own PIA instance.
    Hakan
    I didn't read the port number requirement.
    You can only run one webserver instance on a port number for example port 80.
    But you can still have one webserver PIA with several domains on the same port number as described above.
    Edited by: Hakan Biroglu on Mar 14, 2012 2:28 PM

  • 802.1x and Windows Domain Controller with ACS

    Wow, I am having a tough time getting my ACS and the Domain Controller to work with 802.1x PEAP. Can somebody explain to me how to set up the domain controller (Active Directory) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x, how does my computer get a cert from the CA if the port is disabled by 802.1x? And how do I set up my domain controller to work with ACS to authenticate users? I have been beating myself to death to figure this out. Any help would be awesome. I am really stuck on trying to make this work.
    Thanks a ton in advance
    Justin

    I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
    Simply posting links is not very helpful. The reason most of us come to this site and post our questions is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our questions instead of referring us to a link.
    Thank you,
    John...

  • STMS config at two different windows domain

    Hi,
    We are under ECC6 implementation; we have installed dev, QA, and prod.
    But for security reasons the client placed development in USTDC.com, and QA and PROD in SHAFT.com.
    Now when we configure the transport domain at SAP level, how would I configure the domain controller?
    Should I configure two different domains, one for dev, and one for QA and prod?
    When we release the request from dev, do we need to copy cofiles and data files to the other domain?
    Please suggest the best option.
    Thanks
    Kristene

    If you want this split screen thingy for a single app, do like captfred suggests or see if the app itself supports some sort of splitting, like MS Excel.
    If you want to do this system-wide, maybe you can get what you want by activating and using Spaces: http://support.apple.com/kb/PH4313

  • ACS Authentication, multiple domains

    Hi all,
    I have the following problem:
    I have a Win 2003 domain (A) and a trust established with another Win 2003 domain (B). Domain A is the one with the CiscoSecure software. We have many trusts with other domains (mostly Win 2000) and have configured the mappings by using CiscoSecure.
    But when trying to "add mappings" for this new 2003 Domain (B), I continually get "failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." I am not able to see domain B's users and groups from within the CiscoSecure software.
    However, if I use Active Directory Users and Computers from Domain A, "connect to domain" and choose Domain B, I am able to view all users and groups just fine.
    Do you know if there is a problem with configuring two 2003 domains in this software? Do you have any other areas that I should investigate? Some local policy on Domain B?

    If ACS is installed on a DC of DOM1 and DOM1 has trust relationship to a remote domain DOM2
    1) ACS Services (on DOM1 DC) run under a DOM1 Domain User (and Local Machine Administrator) - "acsacct"
    2) This account (acsacct) has "Act as part of the OS" permission in Domain Security Policy and Domain Controller Security Policy
    3) On DOM2 (The Remote Domain) , we Delegated Control to the acsacct User to the Custom Task of "Group Objects" and "User Objects".

  • ACS for Windows vs ACS Appliance?

    First, the only thing I saw on the Appliance was that it was a 'hardened OS'. So I'm assuming, like many of their other appliances, that this is Windows 2003 locked down? Regardless of whether it is or not, are there any issues with the appliance being in a mixed environment with ACS for Windows and replication between the two?
    Thanks,
    Raun

    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawo.html
    When you use ACS for Windows, you install it on a member server, which can "relay" the auth requests to the domain controllers.
    ACS SE's are not a member in the domain, therefore you need to install the remote agent on a member/DC, so that it would act as a "relay agent" for the auth requests.
    You'll also need to manually create a workstation account in AD to allow auth requests from the ACS SE's.
    The default name used is "CISCO", but it can be defined differently.
    For this part, see
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp311476

  • How to use CSACS 3.3 to authenticate users from multiple windows domain?

    Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is neither a child nor a trusted domain?
    hello, here is my scenario:
    ACS 3.3 was installed on a member server on domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfect on just domain1, but now I need to authenticate users from another domain.
    And adding those domains as trusted domains in domain1 is not an option.
    Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
    Any input is much appreciated.

    Hi Betcy,
    I am not familiar with SharePoint solutions, but as you mentioned Windows credentials I believe it refers to Kerberos tokens. In this case you can take advantage of SPNego authentication.
    You can find more details on following SAP note:
    #[1488409|https://service.sap.com/sap/support/notes/1488409] - New SPNego Implementation
    I hope it helps.
    Kind regards,
    Lisandro Magnus

  • How can I start two FF instances under two Windows accounts at once w/o -no-remote? I need to be able to send URLs to them.

    I have one FF (36.0) installation and two Windows user accounts: one for work (w/o internet access but with access to domain resources like JIRA) and one for internet access (w/o access to local resources). I need two instances of FF running at the same time with different resources.
    I've created profiles with different names under both accounts and specify profile names using the -p parameter. However, when I try to start both instances of FF (the second one is started via RUNAS), the second instance can't be started; a new tab in the already running instance is opened instead:
    firefox.exe -p profile
    runas.exe /profile /savecred /user:user_i "\"firefox.exe\" -p profile_i"
    When I start one of them with -no-profile, I can start both at once... but when I try to execute firefox.exe with a URL in order to open a tab with this URL in one of the running instances (local URLs I open by starting firefox.exe under the work account and remote URLs I open by starting FF via RUNAS), it can't send the URL to the already running instance of the same user; it always sends URLs to the instance that is running w/o -no-remote.
    firefox.exe -p profile -url "url"
    runas.exe /profile /savecred /user:user_i "\"firefox.exe\" -p profile_i -url \"url\""
    So, I need to have two instances under two different Windows user accounts, and when firefox.exe is started again, it should only communicate with the instance that is running under the same user account; it must not communicate with the instance that is running under a different Windows account.

    ''guigs2 [[#answer-699118|said]]''
    <blockquote>
    https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options#-no-remote
    This feature was removed and unfortunately I do not have any ETA or work around for this.
    </blockquote>
    It was the different '''-remote''' switch that was removed and not the '''-no-remote'''
    https://www.mozilla.org/en-US/firefox/36.0/releasenotes/

  • A problem with Win 7 Pro, Outlook Web Access based on Exchange Server 2003, and two different domains

    Dear Microsoft Support,
    As mentioned in the title,
    I have two domains. One is Domain A at HQ. The other one is Domain A at the branch office. A laptop with the Win 7 Pro OS is a client of Domain A. Domain A has Exchange Server 2003. Users of Domain B get connected to the Exchange Server for email services. In all clients of Domain B, the IP address of the email server is added in the C:\Windows\System 32\drivers\etc\host file.
    Whereas in the clients of Domain A it was not done, because all the servers including the email server belong to Domain A.
    Now, a user with a Domain A client (it is a laptop) came to the branch office and wanted to access Outlook (using Outlook Web Access). Since there is no IP address added in the host file of the laptop, connectivity to email is not possible. When I try to add the IP address, I am not able to do so due to Domain A's security reasons.
    So, let me know, is there a way to add the IP address in the host file of the Domain A client?
    Thanks in advance.
    Ravi Sekhar Modukuru

    I would suggest adding the mailserver address in Domain B's DNS. Would that be possible?
    I agree. The correct solution in this case (since it appears you already have a two-way Domain Trust in place) is to properly configure DNS in Domain 'B' to be a secondary of Domain 'A' and completely eliminate the need to maintain the HOSTS file.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMware appliance with a view to replacing our existing FreeRADIUS installation as the authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory; we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name: the Windows domain is "win.mydomain", whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD, whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and stripping the realm information, but this was specific to the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN, where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN suffixes that can be configured to include domain.com and student.domain.com.
    Here is a Windows article that should fix this for you. Once you get this updated, please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
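The two fixes discussed above (registering the typed realms as alternate UPN suffixes of the joined domain, or stripping an unknown realm before the lookup) can be modelled as a small identity-routing function. This is an added illustration, not ISE code or configuration; "win.mydomain" is the joined domain named in the question, and the suffix list and sample identities (alice, bob, student.mydomain) are constructed for the example.

```python
# Constructed configuration, not copied from any ISE screen. The joined AD domain is the
# one named in the thread; the alternate suffixes are the realms users actually type.
AD_DOMAIN = "win.mydomain"
ALTERNATE_UPN_SUFFIXES = frozenset({"mydomain", "student.mydomain"})


def split_identity(raw):
    """Return (user, realm) for 'user' or 'user@realm'; realm is None when absent."""
    raw = raw.strip()
    if "@" in raw:
        user, realm = raw.rsplit("@", 1)
        return user, realm
    return raw, None


def resolve_identity(raw, ad_domain=AD_DOMAIN, alt_suffixes=frozenset(),
                     strip_unknown_realm=False):
    """Decide whether a RADIUS identity can be forwarded to the joined AD domain.

    Outcomes, mirroring the thread:
      - no realm, or realm == joined domain: forwarded as-is;
      - realm is a registered alternate UPN suffix: forwarded, mapped to the joined domain;
      - anything else: rejected ("User not found"), unless strip_unknown_realm models
        a proxy that removes the realm before the lookup.
    """
    user, realm = split_identity(raw)
    if not user:
        return {"routed": False, "user": user, "domain": None, "reason": "empty user part"}
    if realm is None:
        return {"routed": True, "user": user, "domain": ad_domain,
                "reason": "no realm supplied; joined domain assumed"}
    realm_l = realm.lower()
    if realm_l == ad_domain.lower():
        return {"routed": True, "user": user, "domain": ad_domain,
                "reason": "realm is the joined domain"}
    if realm_l in {s.lower() for s in alt_suffixes}:
        return {"routed": True, "user": user, "domain": ad_domain,
                "reason": f"realm '{realm}' is a registered alternate UPN suffix"}
    if strip_unknown_realm:
        return {"routed": True, "user": user, "domain": ad_domain,
                "reason": f"realm '{realm}' stripped before the lookup (proxy-style workaround)"}
    return {"routed": False, "user": user, "domain": None,
            "reason": f"realm '{realm}' is neither the joined domain nor a registered suffix"}


def run_samples():
    """Constructed identities run through the three configurations discussed in the thread."""
    samples = ["alice", "alice@win.mydomain", "alice@mydomain", "bob@student.mydomain"]
    return {
        "as_is": {s: resolve_identity(s)["routed"] for s in samples},
        "with_suffixes": {s: resolve_identity(s, alt_suffixes=ALTERNATE_UPN_SUFFIXES)["routed"]
                          for s in samples},
        "realm_stripped": {s: resolve_identity(s, strip_unknown_realm=True)["routed"]
                           for s in samples},
    }


if __name__ == "__main__":
    for mode, results in run_samples().items():
        print(mode, results)
```

The "as_is" row reproduces the symptom in the question (bare "username" and "username@win.mydomain" succeed, "username@mydomain" does not); the other two rows show the effect of each remedy. Note that stripping accepts any realm, so a typo'd or foreign realm silently lands in the joined domain, whereas the suffix list only admits realms you have registered.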

  • Machine authentication by certificate and windows domain checking

    Hi,
    We intend to deploy machine certificate authentication for wifi users.
    We want to check the certificate validity of the machine, and also that the machine is included in the Windows domain.
    We intend to use EAP-TLS :
    - One CA server.
    - each machine (laptop) retrieves its own certificate from GPO or SMS
    - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
    - ACS version is the appliance one
    - one ACS remote agent installed on the A.D.
    - when a user intends to log on the wifi network :
    - the server (ACS appliance) sends its certificate to the client. The client checks the certificate thanks to the CA server certificate it already trusts; result: the client also trusts the ACS's certificate signed by the CA server.
    - the client sends its certificate to the server (ACS appliance). The ACS checks the certificate thanks to the CA server certificate it already trusts; result: the ACS also trusts the client's certificate signed by the CA server, but the ACS also checks that this certificate isn't revoked (the ACS checks this thanks to the CA server CRL, certificate revocation list).
    Am I right about these previous points?
    And then my question is: is it possible to check that the machine is also included in the Windows domain?
    That is, is it possible for the ACS to retrieve the needed field (perhaps the CN? certificate type "host/....") and then perform an authentication request to the A.D. (Active Directory) thanks to the ACS remote agent? We want to perform only machine authentication, not user authentication.
    Thanks in advance for your attention.
    Best Regards,
    Arnaud
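The sequence the question lays out (trust chain, validity, CRL, then a domain lookup keyed on the host/ name in the subject) can be run end to end against a throwaway PKI. The code below is an added example, not ACS code and not the poster's setup; it uses the Python cryptography library, builds its own CA, machine certificates and CRL in memory, and stands in for the remote-agent directory query with a constructed list of computer names. Only the host/<fqdn> naming convention and the name nomadev2001.lab.fr come from the thread.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed lab PKI: a CA, machine certificates named host/<fqdn>, and a CRL.
NOW = datetime.now(timezone.utc)


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _builder(subject, issuer, public_key):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=5))
            .not_valid_after(NOW + timedelta(days=1)))


def make_ca(name="Lab CA"):
    """Self-signed CA: the certificate pushed to the ACS and to every laptop."""
    key = _new_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (_builder(subject, subject, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_machine_cert(ca_key, ca_cert, fqdn):
    """Machine certificate as auto-enrolment would issue it, CN = host/<fqdn>."""
    key = _new_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"host/{fqdn}")])
    cert = (_builder(subject, ca_cert.subject, key.public_key())
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


def _validity(cert):
    try:  # cryptography >= 42 exposes tz-aware accessors
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # older releases return naive UTC datetimes
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))


def validate_machine_cert(cert, ca_cert, crl, domain_computers, now=None):
    """The checks from the post, in order: chain, validity, CRL, then domain membership.
    Returns (accepted, reason, fqdn). domain_computers is a constructed stand-in for the
    directory lookup the remote agent would do."""
    now = now or NOW
    if cert.issuer != ca_cert.subject:
        return False, "issuer is not the trusted CA", None
    try:  # a matching issuer name is not trust; the signature must verify under the CA key
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the trusted CA key", None
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period", None
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not signed by the trusted CA", None
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate is revoked", None
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if not cn.startswith("host/"):
        return False, "subject is not a machine identity (host/...)", None
    fqdn = cn[len("host/"):]
    if fqdn.lower() not in {c.lower() for c in domain_computers}:
        return False, "machine has no computer account in the domain", fqdn
    return True, "accepted", fqdn


def demo():
    ca_key, ca_cert = make_ca()
    _, good = issue_machine_cert(ca_key, ca_cert, "nomadev2001.lab.fr")
    _, lost = issue_machine_cert(ca_key, ca_cert, "lostlaptop.lab.fr")
    _, stranger = issue_machine_cert(ca_key, ca_cert, "notjoined.lab.fr")
    rogue_key, rogue_ca = make_ca("Lab CA")  # same name, different key
    _, impostor = issue_machine_cert(rogue_key, rogue_ca, "nomadev2001.lab.fr")
    crl = make_crl(ca_key, ca_cert, [lost.serial_number])
    computers = ["nomadev2001.lab.fr", "lostlaptop.lab.fr"]  # constructed AD computer list
    check = lambda c: validate_machine_cert(c, ca_cert, crl, computers)
    return {"good": check(good), "revoked": check(lost),
            "not_in_domain": check(stranger), "rogue_ca": check(impostor)}
```

The four cases in demo() are the ones worth testing in a lab before going live: a healthy machine, a revoked certificate for a laptop that is still in the domain, a valid certificate for a machine that has no computer account, and a certificate from a second CA that happens to carry the same name (rejected on the signature, not on the name). Note that the membership step is a plain name lookup; it tells you the account exists, not that the machine presenting the certificate is that account, which is exactly why the certificate checks come first.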

    Hi Prem,
    Thanks for these inputs.
    I've set the log details to full, performed other tests and retrieved the package.cab.
    I've started investigating the 2 log files you pointed to.
    First, we can see that the requests reach the ACS, so that's a good point.
    Then, I'm not sure how to understand the messages.
    In the auth.log, we can see the message "no profile match". I guess it is about the network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles are mandatory to configure.
    But I'm not sure this NAP problem is the root cause of my problem.
    And when no NAP is matched, then the default action should be accept.
    We can see the correct name of the machine (host/...). We can see that it's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
    I don't know what CSDB is.
    I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
    I copy below an extract of the auth.log.
    I also attach parts of auth.log and RDS.log.
    Do you have any ideas or advice?
    Thanks in advance for your attention.
    Best Regards,
    Arnaud
    AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
    AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
    AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
    AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
    AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046
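A small parser makes extracts like the one above easier to read at a glance: it splits each auth.log line into its fields and then pulls out the identity, whether a Network Access Profile matched, which store the lookup went to, and the final status. This is an added example, not ACS code; the line layout is inferred from the eight lines quoted in the post, and the "CSDB" reading (ACS's internal CiscoSecure database, as opposed to the external Windows database) is the editor's, not something the thread states. The sample input is the extract itself.

```python
import re

# Sample input: the auth.log extract quoted verbatim in the post above.
SAMPLE_AUTH_LOG = """\
AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046
"""

# Layout assumed from the sample: service, date, time, one-letter severity,
# four-digit message code, thread id, free text.
LINE_RE = re.compile(
    r"^AUTH (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<sev>[A-Z]) (?P<code>\d{4}) (?P<thread>\d+) (?P<msg>.*)$"
)
USER_RE = re.compile(r"User-Name=(\S+)")
STORE_RE = re.compile(r"authenticate '([^']+)' against (\S+)")
STATUS_RE = re.compile(r"Done RQ(\d+), client (\d+), status (-?\d+)")


def parse_auth_log(text):
    """Turn auth.log text into a list of dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["thread"] = int(rec["thread"])
            records.append(rec)
    return records


def triage(records):
    """Summarise one attempt: identity, NAP selection, store consulted, final status."""
    summary = {"user": None, "nap_matched": None, "unknown_user": False,
               "store": None, "status": None, "findings": []}
    for rec in records:
        msg = rec["msg"]
        m = USER_RE.search(msg)
        if m:
            summary["user"] = m.group(1)
        if "PolicyMgr::SelectService" in msg:
            summary["nap_matched"] = "no profile was matched" not in msg
        if "Unknown User" in msg:
            summary["unknown_user"] = True
        m = STORE_RE.search(msg)
        if m:
            summary["store"] = m.group(2)
        m = STATUS_RE.search(msg)
        if m:
            summary["status"] = int(m.group(3))
    user = summary["user"] or ""
    if user.startswith("host/"):
        summary["findings"].append("host/ identity: this is machine authentication")
    if summary["nap_matched"] is False:
        summary["findings"].append("no Network Access Profile matched; default profile applied")
    if summary["unknown_user"] and summary["store"] == "CSDB":
        summary["findings"].append(
            "identity not in the internal CSDB; the external (Windows) database must be "
            "reachable through the Unknown User Policy for this request to succeed")
    if summary["status"] not in (None, 0):
        summary["findings"].append(f"request finished with non-zero status {summary['status']}")
    return summary


if __name__ == "__main__":
    for finding in triage(parse_auth_log(SAMPLE_AUTH_LOG))["findings"]:
        print("-", finding)
```

Run on the extract it lists four observations: a host/ identity, no NAP matched, an Unknown User lookup that went to CSDB, and a final status of -2046. The parser does not know what -2046 means (neither does the thread); it only isolates the line so that the status code can be looked up against the ACS version in use.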

  • Can Appliance 1113/1120 running ACS 4.1 replicate to ACS for Windows 4.2.1.15.2

    Has anyone tested/tried replication from ACS 4.1 (running on the Appliance) to ACS for Windows 4.2(1)?

    Hi ,
    For replication to work between the two ACS servers they should be on the same version and patch level.
    Thanks
    Waris Hussain.
