Too many AD security groups for ACS 4.1

Jan 19th, 2010

We have an issue where, when a user is a member of too many Windows AD (2003) security groups (roughly 65), they won't get authenticated by our ACS 4.1.


The first thing we investigated was the Windows Kerberos authentication issue, which basically says that if a user is a member of more than 70 security groups then Kerberos authentication might fail. However, we've used the tokensz.exe tool to calculate that the affected users' Kerberos token size isn't above the problem 12,000 bytes. Link to that issue: http://technet.microsoft.com/en-us/library/cc757478%28WS.10%29.aspx


On the ACS, when a user is a member of too many security groups, the error message is "External user not found". When the user is brought down to the "magic" number of security groups, authentication works with no problem.


At the same time, on the DC, errors can be found in the CSWinAgent.log file.



CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Insufficient space for all of user [email protected] certificates

CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Group list buffer is too small for getting full groups list.


So we are starting to think that the DC and/or CSWinAgent is causing us issues. Has anyone experienced similar issues?


Thanks

Stuart

Jagdeep Gambhir Tue, 01/19/2010 - 09:25

Hi Stuart,

We are hitting a bug here.


CSCse49827 Bug Details

ACS Remote Agent fails users with too many groups

Symptom:
Windows External Database authentication fails on the ACS 4.0 SE if a user is a member of
too many Windows groups.

Conditions:
This is specific to the ACS SE running 4.0.1(42) or earlier using Windows Domain Authentication
to the ACS Remote Agent.

Workaround:
Reduce the number of group memberships the user is part of or reduce the length of
the group names the user is a part of.

Further Problem Description:
If a user is a part of enough Windows groups that the total number of characters of all the groups
exceeds 1024 bytes, the authentication of that user will fail. All other users should still authenticate
without any trouble.


Please upgrade ACS to 4.1.4 and that should fix it.


First you need to upgrade it to 4.1.1 and then to 4.1.4.


Regards,

~JG


Do rate helpful posts
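To find out which users are close to either limit mentioned in this thread (the ~70-group Kerberos guidance Stuart cites, and the 1024-byte group-name buffer from CSCse49827) before planning the upgrade, a script like the one below can be run against the domain. This is an added example, not code from the thread or from Cisco's agent. It assumes the RSAT ActiveDirectory module on a domain-joined host, counts only direct group memberships (nested groups are not expanded, so the count is a lower bound on what the DC puts in the token), and assumes one separator byte per group name, since the exact buffer layout used by CSWinAgent is not documented here.

```powershell
# Added example, not from the original thread or from Cisco.
# Requires the RSAT ActiveDirectory module on a domain-joined host.
# Thresholds come from the thread: ~70 groups (Microsoft Kerberos token
# guidance) and 1024 bytes of group-name text (CSCse49827). The one-byte
# separator per name is an assumption; the agent's buffer layout is unknown.
param(
    [Parameter(Mandatory = $true)][string[]]$SamAccountName,
    [int]$GroupCountLimit = 70,
    [int]$GroupBytesLimit = 1024
)

Import-Module ActiveDirectory

function Measure-GroupLoad {
    param([string[]]$GroupNames)
    # Sum the ASCII length of every group name plus one assumed separator byte.
    $bytes = ($GroupNames |
        ForEach-Object { [Text.Encoding]::ASCII.GetByteCount($_) + 1 } |
        Measure-Object -Sum).Sum
    [pscustomobject]@{ Count = $GroupNames.Count; Bytes = [int]$bytes }
}

foreach ($sam in $SamAccountName) {
    # Direct memberships plus the primary group. Nested and domain-local groups
    # that the DC adds to the token are not expanded here.
    $names = @(Get-ADPrincipalGroupMembership -Identity $sam |
        Select-Object -ExpandProperty SamAccountName)
    $load = Measure-GroupLoad -GroupNames $names

    [pscustomobject]@{
        User             = $sam
        Groups           = $load.Count
        GroupNameBytes   = $load.Bytes
        OverKerberosHint = $load.Count -gt $GroupCountLimit
        OverAcsBuffer    = $load.Bytes -gt $GroupBytesLimit
        # Longest names are the first candidates for the "shorten group names"
        # workaround in the bug if an upgrade cannot happen straight away.
        LongestGroups    = ($names | Sort-Object Length -Descending |
            Select-Object -First 3) -join ', '
    }
}
```

Run it as `.\Test-AcsGroupLoad.ps1 -SamAccountName stuart, jsmith | Format-Table -AutoSize` (the script name is arbitrary). A user flagged `OverAcsBuffer` but not `OverKerberosHint` matches the situation Stuart describes, where tokensz.exe reports a healthy token but the remote agent still logs "Group list buffer is too small".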

stup9togo Wed, 01/20/2010 - 00:08

Cheers mate.


I think that's the fix. Also found it last night. Although I think it was fixed in 4.1.3. The below shows the resolved caveats in 4.1.3.


Hopefully get this upgraded soon to confirm fix.



Thanks
