AD authentication with ACS 4.1

Unanswered Question

I set up ACS 4.1 on a Windows 2003 R2 Member Server with Service Pack 2. I did all the configuration and it looks like the ACS server can see AD (I can see all AD groups in Group management of ACS). However, if I try to authenticate a user against the Windows database, I always get a failed attempt with "Internal Error" in the log.


Looking at the log file in CSAuth, I can see the following lines:


pvAuthenticateUser: authenticate '***' against Windows Database
External DB [NTAuthenDLL.dll]: Starting authentication for user [***]
External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user ***
External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 6L)


Unfortunately, I can't find anything about this error. Any idea?

catalin.anghel Fri, 05/11/2007 - 07:05

I have (almost) the same problem with a Cisco ACS 4.1 Solution Engine (appliance).


The CSWinAgent log file (the remote agent log file) shows:


CSWinAgent 05/11/2007 10:54:51 A 0136 2080 Client connecting from 1.2.3.4:3360
CSWinAgent 05/11/2007 10:54:52 A 0386 3372 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 05/11/2007 10:54:52 A 0063 3372 NTLIB: Attempting Windows authentication for user johndoe
CSWinAgent 05/11/2007 10:54:52 A 0063 3372 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 05/11/2007 10:54:52 A 0451 3372 RPC: NT_MSCHAPAuthenticateUser reply sent.


I don't know if this will help YOU, but I imported the configuration from an ACS 4.1 running on Windows 2000 Advanced Server that was working fine. (I was using a domain administrator account to run the ACS services.)

Jagdeep Gambhir Fri, 05/11/2007 - 14:55

This error is sometimes caused by unsupported software/hardware. Do you have VMware installed on the same box?

catalin.anghel Mon, 05/14/2007 - 13:17

Try to verify the following:

- the account used to run ACS services is a domain administrator
- the local policies (User Rights Assignment) of the ACS server include "Act as part of the operating system" and "Log on as a service" for the ACS services account
- the local policies (Security Options, Network security) LAN Manager authentication level allows NTLMv2

Then restart the ACS services.
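The three checks in the list above, scripted as an added example that is not part of the thread. It assumes it runs elevated in PowerShell on the ACS (or remote agent) host, and the ACS service names in the first line are assumed to be the Cisco 4.1 defaults.

```powershell
# Added example: verify the service account, its user rights and the
# LAN Manager level on the ACS host. Service names below are an assumption.
$acsServices = 'CSAuth','CSAdmin','CSDBSync','CSLog','CSMon',
               'CSRadius','CSTacacs','CSWinAgent'

# 1. Which account runs the ACS services, and is it a Domain Admin?
$svcs = Get-WmiObject Win32_Service |
        Where-Object { $acsServices -contains $_.Name }
$svcs | Select-Object Name, State, StartName | Format-Table -AutoSize
# net group prints names in columns (long names may be truncated)
$domainAdmins = net group "Domain Admins" /domain 2>$null

# 2. Export the local security policy once; SeTcbPrivilege is "Act as part
#    of the operating system", SeServiceLogonRight is "Log on as a service".
$inf = Join-Path $env:TEMP 'acs-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf

$accounts = $svcs | ForEach-Object { $_.StartName } | Sort-Object -Unique
foreach ($acct in $accounts) {
    if ($acct -eq 'LocalSystem' -or $acct -like 'NT AUTHORITY\*') {
        Write-Warning "Service account '$acct' is not a domain account"
        continue
    }
    $user = $acct.Split('\')[-1]
    if ($domainAdmins -match ('\b' + [regex]::Escape($user) + '\b')) {
        "OK: $acct is a member of Domain Admins"
    } else {
        Write-Warning "$acct not found in Domain Admins"
    }
    # secedit lists SIDs (prefixed with *) and sometimes names; check both
    $nt  = New-Object System.Security.Principal.NTAccount($acct)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    foreach ($right in 'SeTcbPrivilege','SeServiceLogonRight') {
        $line = $policy | Where-Object { $_ -match "^$right\s*=" }
        if ($line -and ($line -match [regex]::Escape($sid) -or
                        $line -match [regex]::Escape($user))) {
            "OK: $acct holds $right"
        } else {
            Write-Warning "$acct does not hold $right"
        }
    }
}

# 3. LAN Manager authentication level (0-5). 3 or higher sends NTLMv2 only;
#    an absent value means the OS default applies.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.LmCompatibilityLevel -eq $null) { "LmCompatibilityLevel: not set" }
else { "LmCompatibilityLevel: $($lsa.LmCompatibilityLevel)" }
```

Run it before and after changing the policy; any warning it prints points at the item in the list above that still needs attention, and a policy change still requires restarting the ACS services.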


balsheikh Sun, 06/17/2007 - 06:54

Hi Guys,


I had experienced the same problem: I had an ACS appliance running v4.1 and the RA running on AD. All the groups on AD enumerated successfully, but I was still getting the same aforementioned error.


Could you please share with us how you overcame this obstacle!!


Regards,

Belal

catalin.anghel Mon, 06/18/2007 - 04:23

Balsheikh,


Please verify with Cisco, but it looks like the ACS remote agent version 4.1 is not supported on Windows 2003 R2.


I had the same problem and I had to install the agent on a different server running Windows 2003.

balsheikh Mon, 06/18/2007 - 04:51

Hi Catalin.anghel,


I have opened a case with Cisco TAC and am waiting for their feedback, but they have almost confirmed that the problem is on the AD side. I need to verify the versions of the RA on both AD and ACS.


BTW, please correct me if I'm wrong: if the groups enumerated successfully to ACS, does it mean that the RA (Remote Agent) is working perfectly!!


Regards,

catalin.anghel Mon, 06/18/2007 - 05:17

"if the groups enumerated successfully to ACS, does it mean that the RA (Remote Agent) is working perfectly!!"


Not really ... If you check the CSWinAgent log you will see "6L" errors.


Install the agent on a W2K or W2K3 (not R2) server and the agent will magically start working :-)


balsheikh Wed, 06/20/2007 - 06:36

Hello Catalin.anghel,


Finally I have good news: you are absolutely right, W2k3 (R2) caused this issue. I installed the RA on a member server running W2k3 Standard Edition and, as you said, it magically started working.


Many thanks.

jtberge01 Fri, 06/29/2007 - 10:15

I have the same problem on W2k3 (R2) and Cisco TAC told me to upgrade to 4.1.3.12. According to the release notes, W2k3 (R2) is supported in 4.1.3.


Didn't upgrade yet though. Will let you know if it works once I have the new version installed.

parmsing Mon, 07/02/2007 - 04:53

I would suggest you check the security settings for the ACS server, as most of the time we get this error message when ACS is not able to fetch user info from AD. There are many cases in the TAC case collection with the same error, and they were resolved by configuring the security settings for the ACS services.


As you have mentioned, you have ACS installed on a member server.


Do you have the security settings configured for the ACS services as mentioned in the ACS installation guide? There are some extra steps we need to follow if ACS is installed on a member server.


-Parm
