ACS 3.3, changed the domain administrator password and ACS broke

ted.schwind
Level 1

I did not set up the TACACS. I want to disable the AD administrator account, but it appears to be needed by ACS.

I changed the administrator PW and TACACS stops working. The ACS Windows services all start using the administrator account. If I change them to use another domain admin account they start, but disabling administrator again breaks TACACS.

Ideas?

Thanks


Yudong Wu
Level 7

In your setup, your ACS probably needs to talk to Windows AD (configured as external DB in ACS) for authenticating the user. ACS must use an account which has the privilege to let it query the AD. In general, most users use a domain admin account to run the ACS service in Windows to make sure that ACS can use the same domain admin account to check AD.

Inside of the ACS web app I do not see anywhere that the administrator account or any other account is authenticating.

- Ted

I am not sure of your point.

Again, your Windows ACS services are run by the Windows AD admin account. ACS will use that account to log in to AD for user authentication. If you disable the Windows AD admin account or change its password, ACS could not log in to AD to authenticate the user. That's probably the reason that TACACS authentication failed after you changed the Windows AD admin account. In the ACS External User DB configuration, you should see the related Windows AD.

If I change the ACS services to log in with a different domain admin account it does not fix the problem. Disabling the admin account breaks ACS. Something still needs the administrator account.

As long as you use a domain admin account to run all ACS services, it should work.

Could you please confirm if the new account is a domain admin account and has the same privilege as the previous one?

The link below provides the info about this.

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/windows/postin.html
