I'm running a cluster of ACS 5.1 doing 802.1x authentication against AD.
We currently have four AD domains with trust relationships going around. After sorting out some DNS related issues it is all working as it should, except for one of them where machine authentications fail.
Digging around, I realize that it has been set up with disjoint namespaces. The AD is ad.example.com, but all the computer accounts have been registered as client.example.com. This means that machine authentications get sent as, for example, host/laptop.client.example.com, causing the ACS to try and find the Active Directory of client.example.com instead of ad.example.com, which is where the machine accounts actually are.
Trying to be clever I configured the DNS zone for client.example.com to point the relevant kerberos and LDAP SRV records in the direction of one of the domain controllers, only to be told by the ACS:
adclient: INFO <fd:23 MS-RPC user authentication> base.bind.healing Lost connection to CLIENT.EXAMPLE.COM. Running in disconnected mode: Connected to wrong domain. Expected CLIENT.EXAMPLE.COM, connected to AD.EXAMPLE.COM
Is there anything I can do except request to have all the clients changed to use ad.example.com? This would of course be a major operation.
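A small diagnostic that reproduces the mismatch described in the post, added here as an example and not taken from the post or from Cisco ACS. It assumes only what the post states: machine identities arrive as host/<fqdn>, the domain the ACS looks up is derived from the DNS suffix of that fqdn, and adclient reports the mismatch with an "Expected X, connected to Y" message. The identity list and the AD_DOMAIN value are constructed sample data; the log line is the one quoted above.

```python
"""Disjoint-namespace check for 802.1X machine identities (added example).
Flags identities whose DNS suffix differs from the AD domain that actually
holds the computer accounts, and parses the adclient mismatch message."""
import re

# Constructed sample identities mimicking the situation in the post:
# two machines registered under client.example.com, one under ad.example.com.
SAMPLE_IDENTITIES = [
    "host/laptop.client.example.com",
    "host/desktop01.ad.example.com",
    "host/laptop2.client.example.com",
]

# Domain that really holds the computer accounts (value assumed from the post).
AD_DOMAIN = "ad.example.com"

# The adclient line quoted in the post.
SAMPLE_LOG = (
    "adclient: INFO <fd:23 MS-RPC user authentication> base.bind.healing "
    "Lost connection to CLIENT.EXAMPLE.COM. Running in disconnected mode: "
    "Connected to wrong domain. Expected CLIENT.EXAMPLE.COM, connected to AD.EXAMPLE.COM"
)


def split_machine_identity(identity):
    """Split 'host/<hostname>.<dns-suffix>' into (hostname, dns_suffix).

    Raises ValueError for anything that is not a host/ identity with a suffix,
    so malformed input is reported rather than silently treated as matching."""
    if not identity.startswith("host/"):
        raise ValueError(f"not a machine identity: {identity!r}")
    fqdn = identity[len("host/"):]
    hostname, sep, suffix = fqdn.partition(".")
    if not sep or not hostname or not suffix:
        raise ValueError(f"identity has no DNS suffix: {identity!r}")
    return hostname, suffix.lower()


def find_disjoint_identities(identities, ad_domain=AD_DOMAIN):
    """Return the identities whose DNS suffix is not the AD domain.

    These are exactly the machines for which a suffix-based domain lookup
    will go looking for the wrong Active Directory."""
    expected = ad_domain.lower()
    return [i for i in identities if split_machine_identity(i)[1] != expected]


# Matches the trailing part of the adclient message; commas are excluded from
# the domain names so "CLIENT.EXAMPLE.COM," is captured without the comma.
WRONG_DOMAIN_RE = re.compile(r"Expected (?P<expected>[^\s,]+), connected to (?P<actual>[^\s,]+)")


def parse_wrong_domain(log_line):
    """Extract (expected, actual) from an adclient 'Connected to wrong domain'
    message, or None if the line is not such a message."""
    m = WRONG_DOMAIN_RE.search(log_line)
    if m is None:
        return None
    return m.group("expected"), m.group("actual")


if __name__ == "__main__":
    for ident in find_disjoint_identities(SAMPLE_IDENTITIES):
        host, suffix = split_machine_identity(ident)
        print(f"{ident}: suffix {suffix} != {AD_DOMAIN}; lookup will target {suffix}")
    print("adclient mismatch:", parse_wrong_domain(SAMPLE_LOG))
```

Run against a RADIUS accounting export or the ACS authentication report, the first function gives a quick count of how many machines are affected before deciding whether a bulk rename of the clients is worth it.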