Windows authentication

Unanswered Question
Aug 11th, 2009

We are trying to authenticate against an AD group. Instead of authenticating with AD, it gives the following message and places the users in the default group. Any ideas?

RDS 08/10/2009 23:54:03 P 0786 3192 0x0 Found local user MSNET\ibis5471

RDS 08/10/2009 23:54:03 E 5800 3192 0x0 Failed to get group info about user:MSNET\ibis5471 - CSAuth client has passed userID with invalid id info

mchin345 Mon, 08/17/2009 - 16:26

It is a known issue that ACS does lookups based on the outer ID instead of the inner ID when the outer identity is a username. For whatever reason, when the outer identity is anonymous, ACS correctly does its lookups based on the inner identity.

It is entirely possible this is why fast-reconnect also fails. I saw the following entries in the RDS.log that correspond to the reported fast-reconnect error in the Failed Attempts log.

Robert.N.Barrett_2 Wed, 08/19/2009 - 08:09

It is normal ACS behavior for AD users to show up in the local users database once they have authenticated. This is a caching feature that is enabled by default (and can be disabled).

Are users being allowed access, but these messages are showing up in the logs?

lni1 Thu, 08/20/2009 - 22:33

I disabled the whole setup to Windows AD, so the authentication should fail. Still, the authentication for the devices is valid; they are in the default group (0).

The default group (0) is off limits for everybody, but still these users enter via this group. How is this possible?

Jagdeep Gambhir Fri, 08/21/2009 - 01:28

You can create a mapping and map default group with no access group.

lni1 Fri, 08/21/2009 - 01:42

I already did that; it still enters the default group (0). Could it be a problem with my link to AD?

Jagdeep Gambhir Fri, 08/21/2009 - 05:37

Does that user belong to multiple groups in AD?

lni1 Tue, 08/25/2009 - 23:15

Yes, it belongs to multiple groups in AD, but for the moment the whole AD setup is offline, but still users enter via the group 0.
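
As a triage aid for the symptom discussed in this thread, the following added example (not code from any poster or from Cisco) scans RDS.log lines for users whose group lookup failed, so an administrator can list accounts that may have fallen through to the default group. The field names in the regex are inferred from the two log lines quoted in the first post and are assumptions; the `EXAMPLE\` lines are constructed sample input.

```python
import re
from collections import defaultdict

# Layout inferred from the two RDS.log lines quoted in the thread. The field
# names (severity, code, thread) are assumptions, not a documented schema.
LINE_RE = re.compile(
    r"^RDS\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<severity>[A-Z])\s+(?P<code>\d+)\s+(?P<thread>\d+)\s+\S+\s+(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"Found local user (?P<user>\S+)")
FAILED_RE = re.compile(r"Failed to get group info about user:(?P<user>\S+)")

# First two lines are from the thread; the EXAMPLE\ lines are constructed.
SAMPLE = r"""
RDS 08/10/2009 23:54:03 P 0786 3192 0x0 Found local user MSNET\ibis5471
RDS 08/10/2009 23:54:03 E 5800 3192 0x0 Failed to get group info about user:MSNET\ibis5471 - CSAuth client has passed userID with invalid id info
RDS 08/10/2009 23:55:10 P 0786 3200 0x0 Found local user EXAMPLE\alice
RDS 08/10/2009 23:56:41 E 5800 3204 0x0 Failed to get group info about user:EXAMPLE\bob - CSAuth client has passed userID with invalid id info
""".splitlines()


def group_lookup_failures(lines):
    """Map each user to a list of (timestamp, had_local_cache_hit) tuples.

    had_local_cache_hit is True when the same thread logged "Found local user"
    for that user just before the failure, the exact pair shown in the thread.
    """
    pending = {}                  # thread id -> user from "Found local user"
    failures = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue              # blank or unrecognised line
        found = FOUND_RE.search(m["msg"])
        if found:
            pending[m["thread"]] = found["user"]
            continue
        failed = FAILED_RE.search(m["msg"])
        if failed and m["severity"] == "E":
            user = failed["user"]
            cached = pending.pop(m["thread"], None) == user
            failures[user].append((f'{m["date"]} {m["time"]}', cached))
    return dict(failures)


if __name__ == "__main__":
    for user, hits in group_lookup_failures(SAMPLE).items():
        print(user, hits)
```

Users reported here are worth comparing against the accounts that show up in group 0 in the ACS user database.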
