ACS 4.0 and Active Directory authentication

Sep 20th, 2007

We're deploying the ACS as the means for authenticating our wireless users. The users have different domains that they're authenticating against and I have specified these domains in the Windows Database config. Can anybody please tell me the process for the ACS to hand over the authentication request to the Domain Controller? - i.e. is the ACS configured to go to only one domain controller or multiple? Thanks

Jagdeep Gambhir Fri, 09/21/2007 - 05:30

Hi,

ACS will first look in root domain and then other domains with the condition of two way trust.


There is no limit on the number of domain controllers that can be associated with ACS.

The priority between them can be determined by changing their order in the 'Selected Databases' list in the 'External User Databases->Unknown User Policy' page .


Regards,

~JG

axfalk Sun, 09/23/2007 - 10:13

Thanks for your response.

Considering a user qualifies the Domain name when he's authenticating to the ACS, does the Domain have to be in the "Domain List" for the user to successfully authenticate?


Thanks again...

Jagdeep Gambhir Sun, 09/23/2007 - 19:06

Hi,

If the user supplied a domain in his username, ACS will try to authenticate the user on that domain and only that domain. The domain list does not make any difference here and it's not even used.


If the user does not specify his domain, the documentation says the search order is:

1. the local domain controller
2. trusted domains


First, it checks the local domain then the trusted domains. The trusted domains are checked in an unpredictable order because Windows takes care of it. This creates a problem - if the same username exists in multiple domains, then Windows could end up trying the wrong domain first and think a user has failed authentication. Unfortunately, Windows isn't smart enough to look for the username/password pair in all the trusted domains until it finds one that works. Instead, it gives up with "bad username/password" when it finds the right username even though it's not the right one. This is why the domain list feature was added. So, after Windows has had a go (and failed), if a domain list exists then ACS repeats the authentication at the domains in the list and in the order it specifies.

You can use this to get round the duplicate username problem because you can force ACS to always have a go in the "user" domains.

There seems to be some confusion as to whether you have to add all trusted domains to the domain list - this is not the case. ACS will always try trusted domains if there is no domain in the username. The domain list is only needed to get ACS to explicitly do an authentication at certain domains and this is only needed if you have the duplicate username problem. Otherwise, you are just lengthening the process - if an Auth fails legitimately, then it will repeat and fail again.



Hope that helps.


Regards,

~JG
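The search order described in the answer above, modelled as an added example (not Cisco code or anything from the thread). The domain names, usernames and passwords are constructed, and Windows is modelled as stopping at the first domain where the username exists, which is the behaviour the answer describes; the example shows how a duplicate username fails without a domain list and succeeds with one.

```python
import random

# Constructed directory, not Cisco code: the username "jsmith" exists in two
# domains with different passwords, which is the duplicate-username problem.
DOMAINS = {
    "CORP": {"jsmith": "corp-pass", "alice": "a1"},
    "SALES": {"jsmith": "sales-pass"},
    "LABS": {"bob": "b2"},
}
LOCAL_DOMAIN = "CORP"          # the domain the ACS host is joined to
TRUSTED = ["SALES", "LABS"]    # two-way trusted domains


def check_domain(domain, user, password):
    """True if user/password is valid in domain, False if the user exists
    there with a different password, None if the user is not in the domain."""
    stored = DOMAINS[domain].get(user)
    return None if stored is None else stored == password


def windows_auth(user, password, rng):
    """The Windows pass: local domain first, then trusted domains in an order
    ACS does not control. Windows stops at the first domain holding the name."""
    order = [LOCAL_DOMAIN] + rng.sample(TRUSTED, len(TRUSTED))
    for domain in order:
        result = check_domain(domain, user, password)
        if result is not None:
            return result, domain   # found the name; a wrong password ends here
    return False, None


def acs_authenticate(username, password, domain_list=(), rng=random):
    """ACS behaviour as described in the thread. A DOMAIN\\user name goes to
    that domain only; otherwise Windows tries first, and only on failure does
    ACS retry each domain in the configured domain list, in list order."""
    if "\\" in username:
        domain, user = username.split("\\", 1)
        return bool(check_domain(domain, user, password)), domain
    ok, where = windows_auth(username, password, rng)
    if ok:
        return True, where
    for domain in domain_list:
        if check_domain(domain, username, password):
            return True, domain
    return False, None
```

Note that the retry over the domain list happens only after the Windows pass has already failed, so a legitimately bad password is rejected twice, as the answer points out.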


axfalk Mon, 09/24/2007 - 08:36

Thanks for your very thorough response. I just have a small follow-up question...In the Domain Config Window, under "Available Domains", I am only seeing some of the Domains, not all of them, that have a bi-directional trust with the local domain...Where is this info being fed from and what needs to be done so that all the Domains with the bi-directional trust are there?


Thanks again...
