ACS Failed to Enumerate Windows Groups

Unanswered Question
Jun 5th, 2007

I am having issues with my Cisco 1112 Server authenticating with LDAP. I have followed the "Installation of Cisco Secure ACS Remote Agent for Windows". I have given the service account "log on as a service" and "act as part of the OS". This account is also a domain admin.


My issue arises when I go to:

External User Database--> Database Group Mappings--> MyDomain--> Add Mapping


It throws:


Failed to enumerate Windows groups


I have visited:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml


Premdeep Banga Tue, 06/05/2007 - 14:50
User Badges:
  • Gold, 750 points or more

Hi,


As you have a Remote Agent, can you please confirm that the version of the Remote Agent is the same as the ACS SE's software version:


C:\Program Files\Cisco\CiscoSecure Remote Agent\Bin>csagent -v


I am assuming that we have ACS 4.x


Also, go to the CSWinAgent folder and share the logs in CSWinagent.log.


That will give us ample information on why it is failing.


Regards,

Prem

sri.chalasani Thu, 06/07/2007 - 06:46

This is an excerpt from my log:


This is interesting:

CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: The 'insist on domain' feature is enabled

CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: We are NOT a domain controller


Also my Agent version is:

ACSRemoteAgent version 4.0(1.42) and I'm running ACS 4.0 on the 1112 appliance.


I hope this is what you were looking for.


Premdeep Banga Thu, 06/07/2007 - 07:12
User Badges:
  • Gold, 750 points or more

Hi,


Try this,


- Create a user.

- To make it hard to hack, give it a very long complicated password.

- Make the user a member of Domain Admins group.

- Make the user a member of Administrators group.


On the Windows 2000 server running ACS:


- Add new user to proper local group.

-- Open "Administrative Tools" from the control panel.

-- Open "Computer Management."

-- Open "Local Users and Groups" and then "Groups."

-- Double-click the "Administrators" group.

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

- Give new user special rights on ACS server.

-- Open "Administrative Tools" from the control panel.

-- Open "Local Security Policy."

-- Open "Local Policies."

-- Open "User Rights Assignment."

-- Double-click on "Act as part of the operating system."

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

-- Double-click on "Log on as a service."

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

- Set the Cisco Secure Remote Agent to run as the created user.

-- Open "Administrative Tools" from the control panel.

-- Open "Services."

-- Double-click the Remote Agent service entry.

-- Click the "Log On" tab.

-- Click "This Account" and then the "Browse" button.

-- Choose the domain, double-click the user created earlier.

-- Click "OK."

-- Repeat for the rest of the CS services.

- Wait for Windows to apply the security policy changes, or reboot the server.

- If you rebooted the server, skip the rest of these instructions.

- Stop and then start the Remote Agent service.


Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights, the user rights changes listed above will also need to be made there.


Regards,

Prem
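The checklist above is a set of GUI steps; the script below is an added example (not from the thread, not Cisco's code) that audits the same things from an elevated PowerShell prompt on the Remote Agent host: the account each Remote Agent service logs on as, local Administrators membership, and the "Log on as a service" / "Act as part of the operating system" rights read from a secedit export. The service account name DOMAIN\svc-acs and the assumption that the Remote Agent services are named CS* (CSAgent, CSWinAgent, ...) are placeholders, not values from the page; Get-LocalGroupMember needs Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread: audit the Remote Agent host against the
# checklist above (service Log On account, local Administrators membership,
# and the two user rights). Run from an elevated prompt.
# Assumptions not stated on the page: the service account is DOMAIN\svc-acs
# (placeholder) and the Remote Agent services are named CS* (CSAgent, CSWinAgent, ...).
param(
    [string]$Account       = 'DOMAIN\svc-acs',
    [string]$ServicePrefix = 'CS'
)

$report = [ordered]@{}

# Resolve the account to its SID. Failing here already says the domain is not
# reachable from this host, which is what the NTLIB log lines complain about.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $report['account resolves'] = $sid
} catch {
    $sid = $null
    $report['account resolves'] = "NO: $($_.Exception.Message)"
}

# Services > Log On tab: which account each Remote Agent service runs as.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like "$ServicePrefix*" } |
    ForEach-Object { $report["service $($_.Name)"] = "$($_.StartName) [$($_.State)]" }

# Computer Management > Local Users and Groups > Groups > Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$report['in local Administrators'] = [bool]($admins | Where-Object {
    $_.Name -eq $Account -or ($sid -and $_.SID.Value -eq $sid) })

# Local Security Policy > User Rights Assignment, read through a secedit export.
# secedit writes accounts it cannot resolve as *S-1-5-..., so match on SID too.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf
$wanted = @{
    SeServiceLogonRight = 'Log on as a service'
    SeTcbPrivilege      = 'Act as part of the operating system'
}
foreach ($priv in $wanted.Keys) {
    $line = $rights | Where-Object { $_ -match "^$priv\s*=" }
    $hit  = $line -and (
        ($line -match [regex]::Escape($Account)) -or
        ($sid -and ($line -match [regex]::Escape("*$sid"))))
    $report[$wanted[$priv]] = [bool]$hit
}
Remove-Item $inf -ErrorAction SilentlyContinue

$report
```

A false "in local Administrators" or a missing right points back at the step in the list above; a failed "account resolves" entry means the host cannot even translate the domain account to a SID, which is the same domain-reachability problem the agent log reports. Note that the domain security policy can override the local user rights, as the post says, so a right present locally can still be absent after policy refresh.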

sri.chalasani Thu, 06/07/2007 - 08:05

Yep, I found that article too. I followed those steps to the word. I even made the account a domain admin, gave them log on as service and act as part of OS. I also allowed NTLM responses to be sent/received.

Premdeep Banga Thu, 06/07/2007 - 09:07
User Badges:
  • Gold, 750 points or more

Hi Sir,


-------------------------------

NTLIB: NetGetDCName returned error [2453] for [DOMAIN.INT]

NTLIB: Failed to find domain controller for DOMAIN.INT

NTLIB: Failed to get PDC for DOMAIN.INT

-------------------------------


We are getting error 2453, which indicates that the RA was not able to get the PDC for DOMAIN.INT. The resolution for error code 2453 provided by Microsoft is in the link below:


http://support.microsoft.com/default.aspx?scid=kb;en-us;136873


Other than that, can you be sure that the PDC *is* actually UP?


Regards,

Prem
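As an added example (not from the thread, not Cisco's code), the script below pulls the "returned error [code]" lines out of CSWinAgent.log, decodes the NetAPI error number with "net helpmsg" (2453 is NERR_DCNotFound, "Could not find domain controller for this domain"), and for that code asks the local Netlogon service to locate the domain's PDC with nltest, which is the same kind of lookup NetGetDCName performs. The sample log lines are constructed from the ones quoted in this thread; the 08:18:07 timestamps on the error lines are made up. Run it without arguments to see the sample decoded, or pass -LogPath to point it at a real CSWinAgent.log.

```powershell
# Added example, not from the thread: extract the NTLIB errors from
# CSWinAgent.log, decode the NetAPI error numbers with "net helpmsg", and, for
# a DC-locator failure (2453), ask Netlogon on this host for that domain's PDC.
# The sample lines below are constructed from the ones quoted in the thread.
param([string]$LogPath)   # a real CSWinAgent.log; when omitted the sample is used

$sampleText = @'
CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: The 'insist on domain' feature is enabled
CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: We are NOT a domain controller
CSWinAgent 06/06/2007 08:18:07 A 0048 1568 NTLIB: NetGetDCName returned error [2453] for [DOMAIN.INT]
CSWinAgent 06/06/2007 08:18:07 A 0048 1568 NTLIB: Failed to find domain controller for DOMAIN.INT
CSWinAgent 06/06/2007 08:18:07 A 0048 1568 NTLIB: Failed to get PDC for DOMAIN.INT
'@
$lines = if ($LogPath) { Get-Content $LogPath } else { $sampleText -split "`r?`n" }

# The "<API> returned error [<code>] for [<domain>]" line is the one that
# carries the cause; the "Failed to ..." lines after it are consequences.
$pattern = 'NTLIB: (?<api>\w+) returned error \[(?<code>\d+)\] for \[(?<domain>[^\]]+)\]'

$findings = foreach ($line in $lines) {
    if ($line -match $pattern) {
        $code = [int]$Matches['code']
        [pscustomobject]@{
            Api    = $Matches['api']
            Code   = $code
            # "net helpmsg" knows the NetAPI (2100-2999) range, unlike Win32Exception.
            Text   = (net.exe helpmsg $code | Where-Object { $_ }) -join ' '
            Domain = $Matches['domain']
        }
    }
}
$findings | Format-Table -AutoSize

# 2453 is NERR_DCNotFound. Check DC discovery from this host with the same
# domain name the agent used; a failure here points at DNS, NetBIOS name
# resolution or the subnet the host sits in, not at ACS itself.
foreach ($f in $findings | Where-Object { $_.Code -eq 2453 }) {
    nltest.exe "/dsgetdc:$($f.Domain)" /pdc
}
```

If nltest cannot find a PDC for the domain name the agent logged, the Remote Agent has nothing to hand the request to, which matches the "Failed to get PDC" line; if nltest succeeds but the agent still fails, the difference usually comes down to the account the agent service runs as, which is what the earlier checklist covers.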

sri.chalasani Thu, 06/07/2007 - 09:35

The DC is UP and running.


It appears this article is about 3.11 Workgroups' use of the NET PASSWORD command, and is about changing a domain password in 3.11. But the article does say:


"not find the PDC if there are no backup domain controllers (BDC) in the same subnet."


Could it be that the Remote Agent Server is not in the same subnet as my PDC?

Premdeep Banga Thu, 06/07/2007 - 11:30
User Badges:
  • Gold, 750 points or more

Could be, because all the Remote Agent does is take the authentication request and hand it over to the underlying operating system (Windows server); it has no control over how authentication takes place. So I suspect something is missing on the Windows end; somehow we are not able to reach it.


Regards,

Prem
