ACS Failed to Enumerate Windows Groups

Unanswered Question
Jun 5th, 2007

I am having issues with my Cisco 1112 Server authenticating with LDAP. I have followed the "Installation of Cisco Secure ACS Remote Agent for Windows". I have given the service account "Log on as a service" and "Act as part of the OS". This account is also a domain admin.

My issue arises when I go to:

External User Database--> Database Group Mappings--> MyDomain--> Add Mapping

It throws:

Failed to enumerate Windows groups

I have visited:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml

Premdeep Banga Tue, 06/05/2007 - 14:50

Hi,

As you have a Remote Agent, can you please confirm that the version of the Remote Agent is the same as the ACS SE's software version:

C:\Program Files\Cisco\CiscoSecure Remote Agent\Bin>csagent -v

I am assuming that we have ACS 4.x.

Also, go to the CSWinAgent folder, and look at and share the logs in CSWinAgent.log.

That will give ample information on why it is failing.

Regards,

Prem

sri.chalasani Thu, 06/07/2007 - 06:46

This is an excerpt from my log:

This is interesting:

CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: The 'insist on domain' feature is enabled

CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: We are NOT a domain controller

Also my Agent version is:

ACSRemoteAgent version 4.0(1.42) and I'm running ACS 4.0 on the 1112 appliance.

I hope this is what you were looking for.

Premdeep Banga Thu, 06/07/2007 - 07:12

Hi,

Try this,

- Create a user.

- To make it hard to hack, give it a very long complicated password.

- Make the user a member of Domain Admins group.

- Make the user a member of Administrators group.

On the Windows 2000 server running ACS:

- Add new user to proper local group.

-- Open "Administrative Tools" from the control panel.

-- Open "Computer Management."

-- Open "Local Users and Groups" and then "Groups."

-- Double-click the "Administrators" group.

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

- Give new user special rights on ACS server.

-- Open "Administrative Tools" from the control panel.

-- Open "Local Security Policy."

-- Open "Local Policies."

-- Open "User Rights Assignment."

-- Double-click on "Act as part of the operating system."

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

-- Double-click on "Log on as a service."

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

- Set the Cisco Secure Remote Agent to run as the created user.

-- Open "Administrative Tools" from the control panel.

-- Open "Services."

-- Double-click the Remote Agent service entry.

-- Click the "Log On" tab.

-- Click "This Account" and then the "Browse" button.

-- Choose the domain, double-click the user created earlier.

-- Click "OK."

-- Repeat for the rest of the CS services.

- Wait for Windows to apply the security policy changes, or reboot the server.

- If you rebooted the server, skip the rest of these instructions.

- Stop and then start the Remote Agent service.

Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights, the user rights changes listed above will also need to be made there.

Regards,

Prem
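The account, rights and service steps in the post above, scripted as an added PowerShell example (not from the original thread, not Cisco's own tooling). It runs in an elevated prompt on the host where the Remote Agent is installed. The account name DOMAIN\svc-acsagent and the service name CSAgent are assumptions; list the real Remote Agent services with Get-Service first, and create the domain account (and its Domain Admins membership, if you follow the post) in Active Directory before running it. It uses secedit to merge the two user rights into the existing assignee lists rather than overwrite them, and the Win32_Service Change() method so the password never appears on a command line.

```powershell
# Added example, not from the original thread. Assumed names:
#   $Account  - domain account the agent will run as (must already exist)
#   $Services - Remote Agent service names; verify with:
#               Get-Service | Where-Object { $_.DisplayName -like '*Cisco*' }
param(
    [string]   $Account  = 'DOMAIN\svc-acsagent',
    [string[]] $Services = @('CSAgent')
)

# Password is needed once, to set the service logon; prompt rather than embed it.
$cred = Get-Credential $Account
# Resolving the SID also proves the host can reach a DC for this account's domain.
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Local Administrators group on the Remote Agent host.
#    net.exe works on every Windows version; if the account is already a
#    member it reports "System error 1378", which is harmless here.
net localgroup Administrators $Account /add

# 2. User rights: 'Log on as a service' (SeServiceLogonRight) and
#    'Act as part of the operating system' (SeTcbPrivilege).
#    secedit /configure replaces the whole assignee list of every right in
#    the template, so export the current lists, append our SID, re-import.
$inf = Join-Path $env:TEMP 'acs-rights.inf'
$sdb = Join-Path $env:TEMP 'acs-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = New-Object System.Collections.Generic.List[string]
$lines.AddRange([string[]](Get-Content $inf))
foreach ($right in 'SeServiceLogonRight', 'SeTcbPrivilege') {
    $i = $lines.FindIndex([Predicate[string]] { param($l) $l -like "$right =*" })
    if ($i -lt 0) {
        # Right currently assigned to nobody: add a line under [Privilege Rights].
        $hdr = $lines.IndexOf('[Privilege Rights]')
        if ($hdr -lt 0) { $lines.Add('[Privilege Rights]'); $hdr = $lines.Count - 1 }
        $lines.Insert($hdr + 1, "$right = *$sid")
    } elseif ($lines[$i] -notlike "*$sid*") {
        $lines[$i] += ",*$sid"          # keep existing assignees, append ours
    }
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null

# 3. Run each Remote Agent service as the account and restart it.
$pw = $cred.GetNetworkCredential().Password
foreach ($svc in $Services) {
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
    if (-not $wmi) { throw "Service '$svc' not found; check the assumed name" }
    # Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    #        DesktopInteract, StartName, StartPassword); $null = unchanged.
    $r = $wmi.Change($null, $null, $null, $null, $null, $null, $Account, $pw)
    if ($r.ReturnValue -ne 0) { throw "Change() on $svc returned $($r.ReturnValue)" }
    Restart-Service -Name $svc -Force
}

# 4. Verify the effective rights after Group Policy has been applied. If a
#    domain policy overrides these two rights, our SID will be missing here
#    and the change has to be made in the domain policy instead.
gpupdate /force | Out-Null
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf | Where-Object { $_ -match '^Se(ServiceLogon|Tcb)' }
Remove-Item $inf, $sdb -ErrorAction SilentlyContinue
```

Two things to keep in mind with this setup: SeTcbPrivilege makes the account as powerful as SYSTEM on that host, and the service password is stored by the Service Control Manager in LSA secrets, readable by any local administrator. With Domain Admins on top, the Remote Agent host has to be protected like a domain controller (no other admins, no interactive logons with that account).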

sri.chalasani Thu, 06/07/2007 - 08:05

Yep, I found that article too. I followed those steps to the word. I even made the account a domain admin and gave them "Log on as a service" and "Act as part of the OS". I also allowed NTLM responses to be sent/received.

Premdeep Banga Thu, 06/07/2007 - 09:07

Hi Sir,

-------------------------------

NTLIB: NetGetDCName returned error [2453] for [DOMAIN.INT]

NTLIB: Failed to find domain controller for DOMAIN.INT

NTLIB: Failed to get PDC for DOMAIN.INT

-------------------------------

We are getting error 2453, which indicates that the RA was not able to get the PDC for DOMAIN.INT. The resolution for error code 2453 provided by Microsoft is in the link below:

http://support.microsoft.com/default.aspx?scid=kb;en-us;136873

Other than that, can you be sure that the PDC *is* actually up?

Regards,

Prem

sri.chalasani Thu, 06/07/2007 - 09:35

The DC is UP and running.

It appears this article is for Windows for Workgroups 3.11's use of the NET PASSWORD command, and is about changing a domain password in 3.11. But the article does say:

"not find the PDC if there are no backup domain controllers (BDC) in the same subnet."

Could it be that the Remote Agent server is not in the same subnet as my PDC?

Premdeep Banga Thu, 06/07/2007 - 11:30

Could be, because all the Remote Agent does is take the authentication request and hand it over to the underlying operating system (Windows server); it has no control over how authentication takes place. So I suspect something is missing on the Windows end; somehow we are not able to reach it.

Regards,

Prem
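The subnet question raised above can be settled from the Remote Agent host rather than guessed at. The following is an added PowerShell diagnostic, not from the thread or from Cisco: it checks the DNS SRV records a DsGetDcName-style locator uses, the NetBIOS/WINS configuration that the legacy NetGetDCName path (the call failing in the log with 2453, NERR_DCNotFound) depends on when the PDC is on another subnet, the host's secure channel to the domain, and TCP reachability of the DC the locator returns. DOMAIN.INT and the flat name DOMAIN are taken from the log excerpt; the port list is an assumption about a typical AD deployment.

```powershell
# Added diagnostic, not from the original thread. Assumed values:
#   $DnsDomain / $NetbiosDomain - from the log excerpt in the thread
#   $Ports - DNS, Kerberos, RPC, NetBIOS session, LDAP, SMB (assumption)
param(
    [string] $DnsDomain     = 'DOMAIN.INT',
    [string] $NetbiosDomain = 'DOMAIN',
    [int[]]  $Ports         = @(53, 88, 135, 139, 389, 445)
)

# TCP connect test with a timeout; works on any PowerShell version.
function Test-Port {
    param([string] $Computer, [int] $Port, [int] $TimeoutMs = 2000)
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $c.EndConnect($ar)
        return $true
    } catch { return $false } finally { $c.Close() }
}

Write-Host "== 1. DNS: SRV records the DS locator uses =="
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" 2>&1
nslookup -type=SRV "_ldap._tcp.pdc._msdcs.$DnsDomain" 2>&1

Write-Host "== 2. Locator: DC and PDC as the OS itself resolves them =="
nltest "/dsgetdc:$DnsDomain"                 # any DC, DNS name
nltest "/dsgetdc:$DnsDomain" /PDC            # the PDC emulator specifically
nltest "/dsgetdc:$NetbiosDomain" /PDC        # same lookup by flat name

Write-Host "== 3. NetBIOS: what a legacy PDC lookup depends on =="
# Broadcast name resolution stops at the subnet boundary. Across subnets the
# DOMAIN<1B> name (registered by the PDC) needs a WINS server or an LMHOSTS
# '#DOM:' entry, so an empty WINS list here with the PDC elsewhere is suspect.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Select-Object Description, IPAddress, WINSPrimaryServer, WINSSecondaryServer,
                  WINSEnableLMHostsLookup, TcpipNetbiosOptions | Format-List
nbtstat -c                                   # cached names; look for DOMAIN <1B>

Write-Host "== 4. Secure channel from this host to $DnsDomain =="
nltest "/sc_query:$DnsDomain"

Write-Host "== 5. TCP reachability of the DC the locator returned =="
$m = nltest "/dsgetdc:$DnsDomain" | Select-String '^\s*DC:\s+\\\\(\S+)'
if (-not $m) {
    Write-Warning 'Locator returned no DC; re-run step 5 by hand against a known DC name.'
} else {
    $dc = $m.Matches[0].Groups[1].Value
    foreach ($p in $Ports) {
        $ok = Test-Port -Computer $dc -Port $p
        Write-Host ("{0,-40} tcp/{1,-5} {2}" -f $dc, $p, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    }
}
```

Read the sections together: if step 2 finds a PDC by DNS but step 3 shows no WINS server and nothing cached for DOMAIN <1B>, the DNS path works while the NetBIOS path the agent's NetGetDCName call takes does not, which matches the subnet hypothesis; if step 5 reports blocked ports, the problem is a firewall or ACL between the agent host and the DC rather than name resolution.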
