01-30-2008 05:56 AM - last edited on 03-25-2019 05:24 PM by ciscomoderator
Hi
I have got two domains. Domain A is the top-level domain. Domain B is a child domain of Domain A.
The ACS Agents are installed on two DCs in Domain A.
Authentication of clients in Domain A is ok.
Authentication of clients in Domain B is a problem.
I created a Universal Group in Domain A. In this Universal Group, I put a Global User Group from Domain B. Authentication not ok.
The ACS "Failed Authentication Log" says: "External DB account Restriction".
What is the problem here?
Gr.
Remco
02-05-2008 07:20 AM
Check if the users are not mapped to a disabled group. Do not map multiple Windows groups to ACS group. Following link may help you
02-05-2008 07:29 AM
Windows Group Mapping Limitations
ACS has the following limits on group mapping for users who are authenticated by a Windows user database:
• ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
• ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication.
What does the second bullet actually mean?
Is it not allowed to make a domain local group in Domain A (in which the Remote Agents are) that contains users (not groups) from Domain B?
Do you have to connect to Domain B in ACS (seen due to Trust relationship) and create a group mapping directly in Domain B?
02-06-2008 02:42 AM
Upgraded to ACS 3.3.4 build 12 with fix 6.
I made a direct connection to the trusted domain and everything works fine now. In this version it is also possible to create manual group mappings. That solved the "failed to enumerate Windows Groups" problem.
Gr.
Remco