ACS 4.1 authentication issue with Microsoft AD

Unanswered Question
Mar 19th, 2007

Hi Sir,


I deployed an ACS (running on Windows Server 2003 R2 SP1) to authenticate wireless clients (WLC is the authenticator). The ACS is configured to authenticate Windows machines against Microsoft Windows Active Directory. The ACS runs on a member server and authenticates with the AD. PEAP machine authentication is enabled.


Originally the ACS was v4.0, and I hit the bug with the following error message in AUTH.log:


AUTH 02/09/2007 10:44:21 E 0376 3076 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed


I upgraded to v4.1 since then, which is supposed to fix the bug.


It's been running fine for a month until recently, when the ACS failed to authenticate users again. But this time the above error did not appear, so I suppose I can rule out the possibility that the ACS v4.1 upgrade causes the issue.


I got the following authentication failure messages:


AUTH 03/13/2007 09:03:22 I 1645 4312 pvAuthenticateUser: authenticate 'host/DH32G1S.dept.ent.abc.com.my' against Windows Database

AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [host/DH32G1S.dept.ent.abc.com.my]

AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Could not find machine host/DH32G1S.dept.ent.abc.com.my [1390]

AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: host/DH32G1S.dept.ent.abc.com.my is not a valid machine name


Little info can be found on cisco.com about how ACS actually authenticates with AD and how to interpret messages such as the ones above, or whether it's an ACS issue or an AD issue.


During the incident, I noticed many "NT AUTHORITY\ANONYMOUS LOGON" messages in the ACS machine's Event Viewer.


When I did the initial installation of ACS, I didn't perform the post-installation tasks, because the setup still works without them. I'm not certain whether this could cause the issue.


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_installation_guide_chapter09186a008070a63c.html


According to the domain admin, the AD is running in native Windows 2000 mode.

Please advise.

Thank you.

B.Rgds,

Lim TS
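The AUTH.log excerpts above are hard to read in bulk, and the question of whether a failure is a name-resolution problem (`__DsCrackNames failed`), a lookup problem (`Could not find machine ... [rc]`) or a malformed identity (`is not a valid machine name`) is exactly what a defender wants to tally before opening a case. The following is an added example, not code from the original post or from Cisco: a small parser for the `AUTH <date> <time> <level> <code> <thread> <message>` line layout seen in the post, which classifies each record and summarises which machine identities failed and with which bracketed return code. The five log lines are copied from the post; the two extra lines (a second `pvAuthenticateUser` request for a made-up host and a non-AUTH line) are constructed to exercise the counting and the unparsed path.

```python
"""Parse Cisco Secure ACS AUTH.log lines and summarise machine-authentication failures.

Added example: the line layout is inferred from the records quoted in the post,
not from Cisco documentation.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# One AUTH.log record as seen in the post:
#   AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: ...
AUTH_LINE = re.compile(
    r"^AUTH (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<code>\d{4}) (?P<thread>\d+) (?P<message>.*)$"
)
# Machine identities are passed as host/<fqdn>; stop at quotes or whitespace.
MACHINE_ID = re.compile(r"host/(?P<fqdn>[A-Za-z0-9._-]+)")
# "Could not find machine <ident> [<rc>]" carries a bracketed return code.
NOT_FOUND = re.compile(r"Could not find machine (?P<ident>\S+) \[(?P<rc>\d+)\]")


class AuthEvent(NamedTuple):
    date: str
    time: str
    level: str    # I = informational, E = error (as used in the post's lines)
    code: str
    thread: str
    message: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return the structured record, or None for lines that are not AUTH records."""
    m = AUTH_LINE.match(line.strip())
    return AuthEvent(**m.groupdict()) if m else None


def classify(event: AuthEvent) -> str:
    """Map a record to a coarse category based on the message text."""
    msg = event.message
    if "__DsCrackNames failed" in msg:
        return "cracknames_failed"       # SPN -> SAM name translation failed
    if NOT_FOUND.search(msg):
        return "machine_not_found"       # lookup against the domain failed
    if "is not a valid machine name" in msg:
        return "invalid_machine_name"    # ACS rejected the identity outright
    if "Starting MSCHAP authentication" in msg:
        return "mschap_start"
    if "pvAuthenticateUser" in msg:
        return "auth_request"
    return "other"


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count categories, collect machine identities that failed, and tally return codes."""
    counts: Counter = Counter()
    failed_hosts = set()
    return_codes: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        cat = classify(ev)
        counts[cat] += 1
        if cat in ("machine_not_found", "invalid_machine_name"):
            host = MACHINE_ID.search(ev.message)
            if host:
                failed_hosts.add(host.group("fqdn"))
        nf = NOT_FOUND.search(ev.message)
        if nf:
            return_codes[nf.group("rc")] += 1
    return {
        "counts": dict(counts),
        "failed_hosts": sorted(failed_hosts),
        "return_codes": dict(return_codes),
    }


# Sample input: five lines copied from the post, plus two constructed lines.
SAMPLE_LOG = [
    "AUTH 02/09/2007 10:44:21 E 0376 3076 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed",
    "AUTH 03/13/2007 09:03:22 I 1645 4312 pvAuthenticateUser: authenticate 'host/DH32G1S.dept.ent.abc.com.my' against Windows Database",
    "AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [host/DH32G1S.dept.ent.abc.com.my]",
    "AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: Could not find machine host/DH32G1S.dept.ent.abc.com.my [1390]",
    "AUTH 03/13/2007 09:03:22 I 0396 4312 External DB [NTAuthenDLL.dll]: host/DH32G1S.dept.ent.abc.com.my is not a valid machine name",
    # constructed: a request for a made-up host, same layout as the post's line
    "AUTH 03/13/2007 09:03:25 I 1645 4312 pvAuthenticateUser: authenticate 'host/LAB-PC01.example.test' against Windows Database",
    # constructed: a non-AUTH line to exercise the unparsed path
    "--- log rotated ---",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it over the sample shows one record in each failure category, the single machine identity `DH32G1S.dept.ent.abc.com.my` in the failed set, and return code `1390` seen once; the first line being the only `E`-level record is also visible from `parse_line(...).level`.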


Vivek Santuka (Cisco Employee) Tue, 03/20/2007 - 06:40

Hi,


ACS uses the Windows API to make a call to the domain controller. Hence it is highly suggested that you complete the post-installation tasks.


Without them the ACS will not have necessary privileges to authenticate to AD.


Now in some domain configurations it might work without the post-installation tasks, and in some it might not.


Regards,

Vivek
