ACS Authentication in another (trusted) domain with ACS Agent

remco.gussen
Level 1

Hi

I have got two domains. Domain A is top level domain. Domain B is Child domain from Domain A.

The ACS Agents are installed on two DC's in Domain A.

Authentication of clients in Domain A is ok.

Authentication of clients in Domain B is a problem.

I created a Universal Group in Domain A. In this Universal Group, I put a Global User Group from Domain B. Authentication not ok.

The ACS "Failed Authentication Log" says: "External DB account Restriction".

What is the problem here ?

Regards,

Remco

3 Replies

tstanik (Accepted Solution)
Level 5

Check that the users are not mapped to a disabled group. Do not map multiple Windows groups to one ACS group. The following link may help you:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html

Windows Group Mapping Limitations

ACS has the following limits on group mapping for users who are authenticated by a Windows user database:

•ACS can only support group mapping for users who belong to 500 or fewer Windows groups.

•ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication.

What does the second bullet actually mean ?

Is it not allowed to make a domain local group in Domain A (in which the Remote Agents are) that contains users (not groups) from Domain B ?

Do you have to connect to Domain B in ACS (seen due to Trust relationship) and create a group mapping directly in Domain B ?
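The two limits quoted in the bullets above, modelled as an added example (not Cisco's or ACS's code): it assumes that ACS only considers the user's direct memberships in the domain that authenticated the user, so nesting a trusted-domain group into a group of the authenticating domain is not expanded; all domain and group names below are constructed.

```python
# Constructed model of the ACS Windows group-mapping limits quoted in the thread.
MAX_MAPPABLE_GROUPS = 500  # limit stated in the ACS user guide excerpt


def mappable_groups(auth_domain, direct_groups, nesting):
    """Return (groups usable for ACS group mapping, diagnostic notes).

    auth_domain   -- domain that authenticated the user, e.g. "B"
    direct_groups -- the user's direct memberships as (domain, group) pairs
    nesting       -- {(domain, group): [(domain, parent_group), ...]} for
                     groups that are themselves members of other groups
    Assumption: only direct memberships in auth_domain are visible to ACS;
    a remote group nested into an auth_domain group is not expanded.
    """
    notes = []
    if len(direct_groups) > MAX_MAPPABLE_GROUPS:
        notes.append(f"user belongs to {len(direct_groups)} groups "
                     f"(>{MAX_MAPPABLE_GROUPS}); ACS cannot map groups for this user")
        return [], notes
    eligible = []
    for dom, grp in direct_groups:
        if dom.lower() == auth_domain.lower():
            eligible.append(grp)
            continue
        notes.append(f"{dom}\\{grp}: group in a trusted domain, ignored for mapping")
        for pdom, pgrp in nesting.get((dom, grp), []):
            notes.append(f"{pdom}\\{pgrp}: reached only via {dom}\\{grp}; "
                         "nesting does not make it mappable")
    return eligible, notes


# Constructed sample reproducing the thread's setup: a user from child domain B
# whose global group in B is nested into a universal group in top-level domain A.
SAMPLE_DIRECT = [("B", "Global Users B"), ("B", "Domain Users")]
SAMPLE_NESTING = {("B", "Global Users B"): [("A", "Universal ACS Users")]}


def diagnose_thread_case():
    """Compare authentication handled by the agents in A with a direct
    connection to B (the configuration that resolved the thread)."""
    via_a = mappable_groups("A", SAMPLE_DIRECT, SAMPLE_NESTING)
    via_b = mappable_groups("B", SAMPLE_DIRECT, SAMPLE_NESTING)
    return via_a, via_b


if __name__ == "__main__":
    for label, (groups, notes) in zip(("via A", "via B"), diagnose_thread_case()):
        print(label, "->", groups, notes)
```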

Upgraded to ACS 3.3.4 build 12 with fix 6.

I made a direct connection to the trusted domain and everything works fine now. In this version it is also possible to create manual group mappings. That solved the "failed to enumerate Windows Groups" problem.

Regards,

Remco
