Cisco CSC SSM to Active directory integration issue

Unanswered Question
Sep 25th, 2010

Hi,

I have configured the ASA CSC SSM module for AD integration for user-based access control. The domain controller agent has been installed on the AD server, but the agent is not able to communicate with the CSC module. Errors are being generated in AD and CSC.

There are no network layer issues between the AD server and CSC. All the firewalls have been turned off. I suspect some configuration changes need to be done on AD or to the agent installation file. I have followed the configuration steps recommended by Cisco for configuring the AD server and CSC module. I have attached the log files.

Please suggest a solution for this issue. Thank you.

With Regards,

Madhan kumar G.

Jennifer Halim Sat, 09/25/2010 - 17:14

Seems to be a problem with the Windows server's interaction with the TrendMicro IdAgent itself.

Here is the error message (from syscsv):

The Trend Micro IdAgent service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

And also the following (from apcsv):

Windows Installer reconfigured the product. Product Name: Trend Micro IdAgent. Product Version: 1.0.0.0. Product Language: 1033. Reconfiguration success or error status: 1602.
Product: Trend Micro IdAgent -- Configuration failed.

Please check your Microsoft Server machine itself and/or try to uninstall the Trend Micro IdAgent and reinstall it, or try to install the agent on a different Windows machine.

Hope that helps.

madhankumar.g Sun, 09/26/2010 - 22:13

Hi Jennifer,

Thanks for your suggestion. I am trying to understand the communication pattern between the CSC module and the domain controller server. Please comment on the following queries.

1. My CSC SSM management IP is in the WAN segment and cannot reach the AD server. Is that a problem for LDAP integration?

2. How does the CSC find the host with the domain controller agent? Obviously we are giving the IP of the host in the user ID configuration of the CSC. But how does the traffic flow occur? What will be the source IP when trying to access the machine hosting the agent?

3. Can I have the agent software on the domain controller server itself?

4. My domain controller server is a Microsoft Windows Server 2008. Does LDAP integration with the CSC module support this version?

5. Does the agent software automatically bind itself to the IP address of the hosting machine? After installing the agent on the Windows server, I ran the 'netstat' command to check the port binding. The port binding was "0.0.0.0:65015 listening". Is there an issue here, in that the port is not bound to the IP of the Windows server?

Please reply back on these queries.

Thanks and Regards,

Madhan kumar G.

madhankumar.g Tue, 10/19/2010 - 06:22

Hi,

I am facing one more problem with the CSC integration with AD. Now the integration is fine and all configurations are done. Still, user-based access control is not working.

I am testing with a Linux-based client machine. Is there an issue with that?

Regards,

Madhan kumar G

madhankumar.g Tue, 10/19/2010 - 06:35

Hi,

In continuation of the previous post, I can see the following line in the debug file: "Query Id for (10.10.10.2) but not found".

I have attached the debug output of the ID Agent.

Regards,

Madhan kumar G

madhankumar.g Sun, 09/26/2010 - 22:11

Hi Mike,

Thanks for your suggestion. I am trying to understand the communication pattern between the CSC module and the domain controller server. Please comment on the following queries.

1. My CSC SSM management IP is in the WAN segment and cannot reach the AD server. Is that a problem for LDAP integration?

2. How does the CSC find the host with the domain controller agent? Obviously we are giving the IP of the host in the user ID configuration of the CSC. But how does the traffic flow occur? What will be the source IP when trying to access the machine hosting the agent?

3. Can I have the agent software on the domain controller server itself?

4. My domain controller server is a Microsoft Windows Server 2008. Does LDAP integration with the CSC module support this version?

5. Does the agent software automatically bind itself to the IP address of the hosting machine? After installing the agent on the Windows server, I ran the 'netstat' command to check the port binding. The port binding was "0.0.0.0:65015 listening". Is there an issue here, in that the port is not bound to the IP of the Windows server?

Please reply back on these queries.

Thanks and Regards,

Madhan kumar G.

madhankumar.g Tue, 10/05/2010 - 23:18

Hi,

I have found the answers to my queries.

1. The AD integration issue was because my CSC SSM management IP could not reach Active Directory.

2. There should be IP reachability from the CSC SSM management IP to Active Directory.

3. The agent software can be installed on the domain controller itself (recommended procedure).

4. The domain controller can be a Microsoft Windows 2008 server. In that case, the agent should also reside on a Windows 2008 machine only.

5. The agent automatically binds itself to the IP of the hosting machine.

Thank you.

Regards,

Madhan kumar G.

alig.norbert Mon, 10/18/2010 - 12:10

Hi all,

I also have an issue with the connection to the domain controller server.

The connectivity with the domain controller agent is working fine. LDAP lookup is working as well.

Here is the set up:

- Domain controller agent is installed on a Windows 2003 32-bit AD member

- The domain controller server(s) are Windows 2008 64-bit (there is no 32-bit server to try)

- Auto-detect shows all AD servers, but they are not connected

I tried to install the agent on a Windows 2008 64-bit machine, but without luck.

Can it be an issue with the AD server (Windows 2008 64-bit)? Can the domain controller agent only work in a 32-bit environment?

Thanks,

Norbert

madhankumar.g Tue, 10/19/2010 - 06:43

Hi,

I am using a Microsoft Windows 2008 server, 64-bit version. My CSC is connected to AD. I hope you have provided the AD admin user credentials in the "Domain controller server credentials" field on the user ID settings page. If not, provide them and try again. Use the "\" (backslash) format for the username.

Hope that helps.

Regards,

Madhan kumar G.

alig.norbert Tue, 10/19/2010 - 10:41

Hi,

Thanks for the reply. Which CSC version do you have?

I could not build up a connection between CSC and Windows 2008 (64-bit) through the Domain Controller Agent...

Thanks,

Norbert

mirober2 Tue, 10/19/2010 - 11:39

Hi Norbert,

Is the "Trend Micro IdAgent" service started on the Windows server? Check the output of 'netstat -anb | more' on the Windows server to make sure that the ID Agent process is listening on the same port that is configured on the Administration > User ID Settings tab on the CSC admin page. Also, double check that there is no firewall enabled on the Windows server that would block access on this port.

The steps defined in this troubleshooting guide may help you find the problem as well:

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc8.html#wp1147111

Hope that helps.

-Mike

alig.norbert Wed, 10/20/2010 - 11:35

Hi Mike,

The connection between CSC and the TrendMicro Agent is fine.

I can do the auto discovery to get the AD controllers as well, but this connection isn't working.

The weird thing is, it can get connected to an "old" Windows 2000 AD controller but not to the Windows 2008 (64-bit) AD controller.

I will do the debug on the TrendMicro Agent to track it down....

Greets,

Norbert

Azhar Munawar Mon, 05/30/2011 - 10:06

Dear All,

I am also facing the same issue. I tried with Windows 2003 and it was working, but when I installed on Windows 2008 64-bit, no success.

I defined some exceptions on CSC which are not working if I define a user ID, while if I define the workstation IP they start working.

Is it an issue with Windows 2008, or is a different agent required for Windows 2008 R2 64-bit?

Regards,

Azhar

madhankumar.g Tue, 05/31/2011 - 07:58

Hi,

Below are the suggestions from the TAC engineer, which rectified the issue in my case. Hope this helps your scenario.

Verify the following:

1. The client machines should be part of the Windows domain.

2. File sharing should be enabled on the client machine.

3. The "Remote Registry" service should be enabled.

4. On the Windows firewall, select "Windows Management Instrumentation (WMI)" as an exception program to allow inbound WMI calls. Also, make sure "File and Printer Sharing" is part of the exception list.

5. The client is able to ping the agent and the domain controllers.

Azhar Munawar Wed, 06/01/2011 - 11:44

Dear All,

In my case the agent is installed successfully and I am not getting any error, but still CSC is not performing the exception for the selected users which I defined in the list.

The interesting thing is that I can call any group or user from AD, which shows communication is fine, so why is the exception not working?

If I define the IP of the workstation in the CSC SSM exception list, it is working.

Regards,

Azhar

Poonguzhali Sankar Wed, 06/01/2011 - 11:48

1. The machine should be part of the Windows domain (this applies to both the end user's machine and the machine the ID Agent is installed on).
2. File Sharing should be enabled on the end user's machine; you also need to start the "File Sharing" and Net Logon services on the machine where the ID Agent is installed.
3. The "Remote Registry" service should be enabled on the end user's machine.
4. If you have to leave Windows Firewall enabled, then do the following:

   - On the end user's machine, only "File and Printer Sharing" should be in the exception list; 'WMI' is not necessary.
   - On the machine where the ID Agent is installed, add "File and Printer Sharing" to the exception list and add port 65015 to the exception list.

5. A simple test would be to telnet via TCP port 445 to the client PC from the DC or member server that has the ID Agent installed.

You can read here: http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc6.html

- Watch the security event logs on domain controllers for events indicating that a logon has occurred.
- The ID Agent learns the IP and user ID from this event.
- The user ID to IP mapping is not valid until the agent can "validate" that it is correct information.
- Validation is done by establishing a connection from the ID Agent machine to the desktop PC on TCP/445. It is connecting to the Remote Registry service.
- If this step fails, we log a debug message on the agent saying something to the effect of "UID validation failed for xxx.xxx.xxx.xxx ()".
- The error number is important here... If my memory serves right, 53 = timeout and 5 = incorrect credentials.

Error 53 can be caused by:
- firewall running on the desktop blocking TCP/445 connections from the id agent machine
- the "remote registry" service not running on the desktop PC. Windows 7 has this service turned off by default.
- "RPC service" not enabled on desktop PC

The first error (53) could be caused by:

1) Remote Registry service not enabled on 192.168.1.225 (sample IP)
2) RPC Server service not enabled on 192.168.1.225
3) Client firewall enabled on 192.168.1.225 (Windows Firewall) that blocks the TCP/445 connection
4) Host machine 192.168.1.225 was not running when it tried to poll the machine

Error 5:
- non domain administrator credentials programmed into the CSC GUI under "user id settings"
- re-enter the domain admin details on that page and hit save.

-KS
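The checklist above, mirober2's 'netstat -anb' advice and the TAC list from madhankumar.g all describe manual checks. The following script is an added example, not Cisco's or Trend Micro's code, that runs those checks from the ID Agent host in one pass and then reproduces the agent's own validation step (a Remote Registry connection over TCP/445) so that the "network path not found" and "access denied" failure classes the thread attributes to errors 53 and 5 can be seen directly. It assumes Windows PowerShell on the agent host, an account with administrator rights on the workstation being tested, the service display name "Trend Micro IdAgent" quoted from the event log earlier in the thread, and the default agent port 65015; the sample client IP 192.168.1.225 is the one used in the post.

```powershell
# Added diagnostic script (not Cisco's or Trend Micro's code). Assumptions: it runs in Windows
# PowerShell on the machine hosting the ID Agent, under an account that is an administrator on
# the end-user workstation, and the agent listens on the default TCP port 65015 named in the thread.
param(
    [Parameter(Mandatory = $true)]
    [string]$ClientIP,          # end-user workstation to validate, e.g. 192.168.1.225 (sample IP from the thread)
    [int]$AgentPort = 65015,    # port configured on the CSC "User ID Settings" page
    [int]$TimeoutMs = 3000
)

$results = @()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# Minimal TCP connect test with a timeout; works on Windows 2003/2008 where Test-NetConnection is absent.
function Test-TcpPort([string]$Target, [int]$Port, [int]$Timeout) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# --- Checks on the agent host (KS items 1, 2 and 4; mirober2's netstat check) ---
$cs = Get-WmiObject -Class Win32_ComputerSystem
Add-Result 'Agent host is a domain member' ([bool]$cs.PartOfDomain) $cs.Domain

# Service display name "Trend Micro IdAgent" comes from the event log quoted earlier in the thread.
$agentSvc = Get-Service -DisplayName 'Trend Micro IdAgent' -ErrorAction SilentlyContinue
Add-Result 'Trend Micro IdAgent service running' ($agentSvc -ne $null -and $agentSvc.Status -eq 'Running') "$($agentSvc.Status)"

foreach ($svcName in 'LanmanServer', 'Netlogon') {   # "File Sharing" (Server service) and Net Logon
    $s = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    Add-Result "$svcName service running" ($s -ne $null -and $s.Status -eq 'Running') "$($s.Status)"
}

# The same information 'netstat -anb | more' gives by hand: is something listening on the agent port?
$listeners = @(netstat -an | Select-String -Pattern "^\s*TCP\s+\S+:$AgentPort\s+\S+\s+LISTENING")
Add-Result "Something listening on TCP $AgentPort" ($listeners.Count -gt 0) (($listeners | ForEach-Object { $_.Line.Trim() }) -join '; ')

# --- Checks against the end-user workstation (KS items 3 and 5) ---
Add-Result "TCP/445 reachable on $ClientIP" (Test-TcpPort $ClientIP 445 $TimeoutMs) 'SMB port the agent validates over'

try {
    $rr = Get-Service -ComputerName $ClientIP -Name RemoteRegistry -ErrorAction Stop
    Add-Result "Remote Registry service on $ClientIP" ($rr.Status -eq 'Running') "$($rr.Status)"
} catch {
    Add-Result "Remote Registry service on $ClientIP" $false $_.Exception.Message
}

# Reproduce the agent's validation step: open the remote registry over TCP/445 and read one value.
# A "network path was not found" failure corresponds to the error 53 case in the thread;
# "access is denied" corresponds to the error 5 (credentials) case.
try {
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ClientIP)
    $key = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    Add-Result "Remote registry read on $ClientIP" $true ("ProductName=" + $key.GetValue('ProductName'))
    $key.Close(); $hive.Close()
} catch {
    Add-Result "Remote registry read on $ClientIP" $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it as `.\Test-IdAgentPrereqs.ps1 -ClientIP 192.168.1.225` on the agent host. A failing "TCP/445 reachable" row with a passing ping points at the client firewall; a reachable port with a failing "Remote registry read" row narrows it to the Remote Registry service or to the credentials entered under "User ID Settings", which is exactly the split between the error 53 and error 5 cases described in the post.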

Azhar Munawar Wed, 06/01/2011 - 12:05

Dear KS,

What's the problem in my case? While CSC successfully added the AD controller as well as the agent, I can call any group and user from the Windows 2008 R2 64-bit AD.

Do I need to perform these activities?

Regards,

Azhar

Azhar Munawar Wed, 06/01/2011 - 12:18

In my case everything looks fine and no error message appears.

How can I check that requests are coming from CSC and that AD acknowledges those requests?

Regards,

Azhar

alig.norbert Mon, 03/05/2012 - 11:40

Hi there,

Sorry for reactivating this post.... How can the AD agent handle a terminal server session? Many users with the same terminal server IP?

Thanks,

Norbert

Posted September 25, 2010 at 10:13 AM