ACS 5.1, active directory and disjoint namespaces

May 20th, 2010

I'm running a cluster of ACS 5.1 doing 802.1x authentication against AD.

We currently have four AD domains with trust relationships going around. After sorting out some DNS-related issues it is all working as it should, except for one of them where machine authentications fail.

Digging around I realize that it has been set up with disjoint namespaces. The AD is, but all the computer accounts have been registered as This means that machine authentications get sent as host/ as an example, causing the ACS to try and find the active directory of instead of which is where the machine accounts actually are.

Trying to be clever I configured the DNS zone for to point the relevant Kerberos and LDAP SRV records in the direction of one of the domain controllers, only to be told by the ACS:

adclient[2349]: INFO  <fd:23 MS-RPC user authentication> base.bind.healing Lost connection to CLIENT.EXAMPLE.COM. Running in disconnected mode: Connected to wrong domain. Expected CLIENT.EXAMPLE.COM, connected to AD.EXAMPLE.COM

Is there anything I can do except request to have all the clients changed to use This would of course be a major operation.

heriomortis Tue, 06/08/2010 - 03:16

Replying to myself here.

Reading the release notes I find bug CSCtb00427 under known issues, which describes exactly my problem.

As a workaround it suggests "Perform authentication with the host's NETBIOS name (for example, domainB\myhost$)." which I can see that it would help. Currently looking for a way to make the clients do this without much success, mostly on WinXP SP3 with the native 802.1x supplicant here.

Trying to look up the bug in Cisco's bug toolkit to check the "fixed in" information, it tells me that the bug contains proprietary information and hence is not public. Not very helpful seeing as the bug is documented in a release note.

Anybody have any suggestions?
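
Added example, not part of the original posts and not Cisco's code: a Python check that flags machine identities whose DNS suffix differs from the AD domain holding the computer account, matches them against the adclient "wrong domain" log line, and builds the NETBIOS-style identity named in the CSCtb00427 workaround. It reuses the placeholder domains from the log line above; the host name pc01, the NetBIOS domain name AD, and the assumption that the computer account name equals the short host name are constructed for illustration.

```python
import re

# Constructed inventory: AD DNS domain -> NetBIOS domain name (assumed value).
AD_DOMAINS = {"AD.EXAMPLE.COM": "AD"}

# Log line as quoted in the thread.
ADCLIENT_LOG = (
    "adclient[2349]: INFO  <fd:23 MS-RPC user authentication> base.bind.healing "
    "Lost connection to CLIENT.EXAMPLE.COM. Running in disconnected mode: "
    "Connected to wrong domain. Expected CLIENT.EXAMPLE.COM, connected to AD.EXAMPLE.COM"
)
WRONG_DOMAIN = re.compile(
    r"Connected to wrong domain\. Expected ([^\s,]+), connected to ([^\s,]+)")


def parse_wrong_domain(line):
    """Return (expected, actual) domains from an adclient line, or None."""
    m = WRONG_DOMAIN.search(line)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def audit_identity(identity, home_domain):
    """Classify a machine identity of the form host/<fqdn>.

    home_domain is the AD DNS domain that actually holds the computer account.
    """
    if not identity.lower().startswith("host/"):
        raise ValueError("not a machine identity: %r" % identity)
    host, _, suffix = identity[5:].rstrip(".").partition(".")
    if not host or not suffix:
        raise ValueError("identity carries no DNS suffix: %r" % identity)
    home = home_domain.upper()
    return {
        # Domain the authentication is directed at, per the thread: the DNS suffix.
        "lookup_domain": suffix.upper(),
        "disjoint": suffix.upper() != home,
        # Workaround form from the release note (domainB\myhost$).
        # Assumption: computer account name == short host name.
        "netbios_identity": "%s\\%s$" % (AD_DOMAINS[home], host.upper()),
    }


def log_explained_by(line, identity, home_domain):
    """True if the log's expected/actual pair matches this host's disjoint suffix."""
    parsed = parse_wrong_domain(line)
    result = audit_identity(identity, home_domain)
    return parsed == (result["lookup_domain"], home_domain.upper())


if __name__ == "__main__":
    print(audit_identity("host/pc01.client.example.com", "ad.example.com"))
    print(log_explained_by(ADCLIENT_LOG, "host/pc01.client.example.com", "ad.example.com"))
```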

