06-05-2007 12:34 PM - edited 03-10-2019 03:11 PM
I am having issues with my Cisco 1112 Server authenticating with LDAP. I have followed the "Installation of Cisco Secure ACS Remote Agent for Windows". I have given the service account "log on as a service" and "act as part of the os". This account is also a domain admin.
My issue arises when I go to:
External User Database--> Database Group Mappings--> MyDomain--> Add Mapping
It throws:
Failed to enumerate Windows groups
I have visited:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml
06-05-2007 02:50 PM
Hi,
As you have a Remote Agent, can you please confirm that the version of the Remote Agent is the same as the ACS SE's software version:
C:\Program Files\Cisco\CiscoSecure Remote Agent\Bin>csagent -v
I am assuming that we have ACS 4.x
Also, go to the CSWinAgent folder, and see and share the logs in CSWinagent.log.
That will give ample information on why it is failing.
Regards,
Prem
06-07-2007 06:46 AM
This is an excerpt from my log:
This is interesting:
CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: The 'insist on domain' feature is enabled
CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: We are NOT a domain controller
Also my Agent version is:
ACSRemoteAgent version 4.0(1.42) and I'm running ACS 4.0 on the 1112 appliance.
I hope this is what you were looking for.
06-07-2007 07:12 AM
Hi,
Try this,
- Create a user.
- To make it hard to hack, give it a very long complicated password.
- Make the user a member of Domain Admins group.
- Make the user a member of Administrators group.
On the Windows 2000 server running ACS:
- Add new user to proper local group.
-- Open "Administrative Tools" from the control panel.
-- Open "Computer Management."
-- Open "Local Users and Groups" and then "Groups."
-- Double-click the "Administrators" group.
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.
- Give new user special rights on ACS server.
-- Open "Administrative Tools" from the control panel.
-- Open "Local Security Policy."
-- Open "Local Policies."
-- Open "User Rights Assignment."
-- Double-click on "Act as part of the operating system."
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.
-- Double-click on "Log on as a service."
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.
- Set the Cisco Secure Remote Agent to run as the created user.
-- Open "Administrative Tools" from the control panel.
-- Open "Services."
-- Double-click the Remote Agent service entry.
-- Click the "Log On" tab.
-- Click "This Account" and then the "Browse" button.
-- Choose the domain, double-click the user created earlier.
-- Click "OK."
-- Repeat for the rest of the CS services.
- Wait for Windows to apply the security policy changes, or reboot the server.
- If you rebooted the server, skip the rest of these instructions.
- Stop and then start the Remote Agent service.
Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights, the user rights changes listed above will also need to be made there.
Regards,
Prem
06-07-2007 08:05 AM
Yep, I found that article too. I followed those steps to the word. I even made the account a domain admin, gave them log on as service and act as part of OS. I also allowed NTLM responses to be sent/received.
06-07-2007 09:07 AM
Hi Sir,
-------------------------------
NTLIB: NetGetDCName returned error [2453] for [DOMAIN.INT]
NTLIB: Failed to find domain controller for DOMAIN.INT
NTLIB: Failed to get PDC for DOMAIN.INT
-------------------------------
We are getting error 2453, which indicates that the RA was not able to get the PDC for DOMAIN.INT. The resolution for error code 2453 provided by Microsoft is in the link below:
http://support.microsoft.com/default.aspx?scid=kb;en-us;136873
Other than that, can you be sure that the PDC *is* actually UP?
Regards,
Prem
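The log excerpts quoted in this thread (the "NOT a domain controller" lines earlier and the NetGetDCName error 2453 lines above) follow one fixed CSWinAgent.log layout, so a small triage script can pull out the NTLIB messages and flag the domain-controller lookup failure. This is an added example, not Cisco's code or anything from the thread; the sample log lines are constructed from the ones quoted here and the code-to-meaning mapping contains only the interpretation given in this thread.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample in the CSWinAgent.log layout quoted in this thread:
# component, date, time, a one-character flag, two numeric fields, module, message.
SAMPLE_LOG = """\
CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: The 'insist on domain' feature is enabled
CSWinAgent 06/06/2007 08:18:05 A 0048 1568 NTLIB: We are NOT a domain controller
CSWinAgent 06/06/2007 08:18:06 A 0048 1568 NTLIB: NetGetDCName returned error [2453] for [DOMAIN.INT]
CSWinAgent 06/06/2007 08:18:06 A 0048 1568 NTLIB: Failed to find domain controller for DOMAIN.INT
CSWinAgent 06/06/2007 08:18:06 A 0048 1568 NTLIB: Failed to get PDC for DOMAIN.INT
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<flag>\S) (?P<f1>\d+) (?P<f2>\d+) (?P<module>[A-Z]+): (?P<msg>.*)$"
)
DCNAME_RE = re.compile(r"NetGetDCName returned error \[(?P<code>\d+)\] for \[(?P<domain>[^\]]+)\]")

# Only the interpretation given in the thread; other codes are reported as unrecognised.
KNOWN_CODES = {2453: "could not locate a domain controller (PDC) for the domain"}


@dataclass
class Finding:
    domain: Optional[str]
    code: Optional[int]
    summary: str


def parse_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (module, message) for each well-formed log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("module"), m.group("msg")


def triage(text: str) -> List[Finding]:
    """Return findings from the NTLIB messages that explain a failed group enumeration."""
    findings: List[Finding] = []
    for module, msg in parse_lines(text):
        if module != "NTLIB":
            continue
        dc = DCNAME_RE.search(msg)
        if dc:
            code = int(dc.group("code"))
            meaning = KNOWN_CODES.get(code, "unrecognised NetGetDCName error")
            findings.append(Finding(dc.group("domain"), code, f"NetGetDCName error {code}: {meaning}"))
        elif "NOT a domain controller" in msg:
            findings.append(Finding(None, None, "agent host is not a DC; it must reach one over the network"))
    return findings
```

Point it at a real CSWinAgent.log by replacing SAMPLE_LOG with the file contents; the domain and error code in each finding tell you which DC lookup to check.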
06-07-2007 09:35 AM
The DC is UP and running.
It appears this article is for 3.11 Workgroups use of the NET PASSWORD command, and is used for changing a domain password in 3.11. But the article does say:
"not find the PDC if there are no backup domain controllers (BDC) in the same subnet."
Could it be that the Remote Agent Server is not in the same subnet as my PDC?
06-07-2007 11:30 AM
Could be, because all the Remote Agent does is take the authentication request and hand it over to the underlying operating system (Windows server); it has no control over how authentication takes place. So I suspect something is missing on the Windows end; somehow we are not able to reach it.
Regards,
Prem