ACS w/ AD - auth failure due to case sensitive input of username


I've got a very interesting issue. I have ACS 3.2 configured with Windows Domain Database. The primary use is for auth on wireless with PEAP. I have one user account that was failing due to "External DB account Restriction". After hacking away at the issue I realized I was logging in with the username all lower case, and within AD the username began with a capital letter. When logging in using the cap, the auth was accepted. AD is not case sensitive; I have other users connecting showing the name with caps on the account. I cannot seem to replicate the issue with any other account and I cannot seem to fix it with this one. I also tried from multiple workstations. Any ideas?

** Note - tested Auth to a MS IAS box with the user account and did not experience the problem.

Vivek Santuka (Cisco Employee) Tue, 03/20/2007 - 06:42


It is very strange because neither AD nor ACS is case sensitive regarding user names.

It would be interesting to see the auth.log for this attempt.

One thing you can try is to delete the dynamic entry for this user on ACS and then try to log in again.



Vivek Santuka (Cisco Employee) Tue, 03/20/2007 - 08:25


We will need the Logging to be full (System Configuration->Service Control) when this user is trying to authenticate.



I've done that now. Further research shows that the problem exists with all user accounts.

Within AD under a user account profile there are two attributes.

user login name: JBlow

User login name (Pre-Windows 2000)


It looks like if you have the Pre-Windows 2000 login in lower case then it works. Users typically enter credentials in lower case. I have thousands of accounts that are entered into the system like the example above and therefore will fail login.

I'm grabbing logs to show.

