I am trying to setup the ACS to authenticate users that are in certain AD groups.
If I go into the ACS, it cannot seem to enumerate AD groups correctly. Although the AD server shows as connected in the Identity stores (and it tests fine), if you go to the directory groups tab and hit "select", no groups will show up no matter what search string or base you specify. This is seemingly allowing anyone with an AD account to authorize on the switch even though they are not in the specified group.
I also get the following errors showing up in the monitor:
May 5,2010 3:14:26.683 PM
AD Operation failure
ADOperationResult=No global catalog can be found for domain: mydomain.com
I can assure you that AD isn't broken for other things, and all the DNS underscore zones, etc. are all there. No AD servers are down or offline, etc.
If AD is connected to the ACS, but you can't retrieve the directory groups from it and are getting "ADOperationResult=No global catalog can be found for domain", let me inform you that this is an on-going issue and will be fixed in ACS 5.1 patch 3, which is not yet released. We are expecting the availability of this patch on CCO in mid-June.
CSCtf39158 Can't retrieve AD groups in single forest with multiple trees scenarios
Do rate helpful posts-