ACS 5.1 - AD account change

Unanswered Question
Jan 25th, 2010

Hi,

I was able to configure ACS with AD successfully.

I was using my AD account to get connected and now I want to change it to the system account I have created for that.

Each time I try to change the username and password I can get through the Test Connection phase successfully, but when I try to save this configuration I get the message:

The item you trying to delete is referenced by other items.

You must remove all references to this item before it can be deleted.

Could anybody help with that?

Thank you

P.S. With my current connection to AD I also cannot see groups anymore.

Jatin Katyal Tue, 01/26/2010 - 03:19

Hi Levter,

Looks like you are trying to change the admin account on the ACS for AD connectivity. Before you do that you need to remove all the settings linked with AD, like group mapping and policy elements.

You need to delete all the AD settings before you use the new admin account.

If you are ready to delete it, click Clear Configuration after you verify that:

There are no policy rules that use custom conditions based on the AD dictionary.

The AD is not chosen as the identity source in any of the available access services.

There are no identity store sequences with the AD.

You cannot use a different/new user account without deleting the old AD config.

Please try to delete from there and see if that helps.

HTH

Regards,

JK

Please rate helpful posts.

levter Tue, 01/26/2010 - 08:07

I forgot to mention that I added AD on ACS 5.0 and then updated it to ACS 5.1.

I also lost the ability to see groups using the current account.

I feel this is some kind of bug which hopefully will be fixed in the next update/release.

The solution you are offering will ruin all my configuration. It is not small.

I will have to delete all my config for an account name change only?

Can I back up my rules first and then restore them?

I am connecting to the same AD. Just a different username.

Could you help please?

Thank you.

Jason Aarons Mon, 09/27/2010 - 10:46

The documentation stated this username was only for joining the Domain, so I used my Domain Admin account to join the Domain.

It appears the documentation is wrong; a service account to run as is actually needed. Seems at reboots and other circumstances the account is needed. No problem, I'm creating a service account.

However, now once I enter the new service account username you want me to delete all AD references before you can change it? What, is Cisco nuts, or just a bunch of horrible software developers?

It was bad enough I had to burn a DVD and stick it in a drive to upgrade from ACS 5.1 to ACS 5.2 to support 2008R2 domain controllers.

Jason Aarons Mon, 09/27/2010 - 13:20

In working with Cisco TAC (SR615252563), on ACS 5.2 I was getting the same error message " The item you trying to delete is referenced by other items. You must remove all references to this item before it can be deleted." when trying to change the Active Directory username.

Fix was via SSH:

acs stop

acs start

Once I restarted ACS I could change the Active Directory username/password without a problem.

MAGNUS SVENSSON Mon, 12/06/2010 - 04:07

Hi, I have a similar problem to the one described. The ACS server account's password had expired in AD. I then changed the password in ACS and in AD, but was not able to save the changes in ACS; I got this error message: "The item you are trying to delete is referenced by other items. You must remove all references to this item before it can be deleted".

If I (from SSH) did a restart on ACS I was able to save the settings,

BUT

only if I skipped pressing the test button. So skip the test button after the restart and just do a save configuration, then it works.

/Magnus

I've had the same types of issues before with this.

Note to all of you who are setting up ACS 5.x: I'd suggest you get the account right from the start. Get one made in AD if you have to, dedicated to ACS, allowing it to bind to AD.

Choose a complex password, set it to never expire, end of story.

Changing account names and passwords later on is a pain, and often you have to recreate all your rules etc.
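As an added example (not code from this thread or from Cisco), the following PowerShell creates a dedicated, non-privileged ACS bind account with a non-expiring password and then reports its password status and any admin-group membership, so an expired password or an over-privileged account (the two causes of grief in the posts above) can be spotted before ACS refuses to save the AD configuration. It requires the RSAT ActiveDirectory module; the account name, OU and domain are assumptions.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
# Account name, OU and domain below are assumptions; replace them for your site.
Import-Module ActiveDirectory

$SamAccountName = 'svc-acs-bind'                            # assumed account name
$TargetOu       = 'OU=Service Accounts,DC=example,DC=com'    # assumed OU / domain

function New-AcsBindAccount {
    param([string]$Name, [string]$Path)
    # Prompt for the password so it never sits in the script or shell history.
    $Password = Read-Host -Prompt "Password for $Name" -AsSecureString
    # Plain user object: no admin group membership is added, the password does
    # not expire, and the account itself cannot rotate it behind ACS's back.
    New-ADUser -Name $Name -SamAccountName $Name -Path $Path `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'ACS 5.x Active Directory bind account (no admin rights)'
}

function Get-AcsBindAccountStatus {
    param([string]$Name)
    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute that already
    # takes fine-grained password policies into account; when the password never
    # expires it holds a sentinel value that FromFileTime cannot convert, hence the check.
    $u = Get-ADUser -Identity $Name -Properties PasswordNeverExpires, PasswordLastSet, `
        'msDS-UserPasswordExpiryTimeComputed', MemberOf
    $expiry = if ($u.PasswordNeverExpires) { $null } `
              else { [datetime]::FromFileTime($u.'msDS-UserPasswordExpiryTimeComputed') }
    [pscustomobject]@{
        Account              = $u.SamAccountName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        PasswordExpires      = $expiry
        DaysUntilExpiry      = if ($expiry) { [math]::Floor(($expiry - (Get-Date)).TotalDays) } else { $null }
        # Non-empty here means the bind account is over-privileged for its job.
        PrivilegedGroups     = @($u.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise|Schema) Admins,' })
    }
}

# Usage:
# New-AcsBindAccount -Name $SamAccountName -Path $TargetOu
# Get-AcsBindAccountStatus -Name $SamAccountName
```

Run the status function on a schedule against the account ACS actually uses; a small DaysUntilExpiry or a non-empty PrivilegedGroups list is the thing to act on before the "referenced by other items" error shows up.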
