Cisco Support Community
Community Member

ACS 3.0(2) - Authenticating users from Active Directory and NT4 Domains

We are running ACS 3.0(2) on an Active Directory Domain Controller. Most users are still in NT4, but some are migrated to AD (SIDHistory migration) and as such have their NT4 account of the same name disabled. ACS has both domains configured in the domain list.

The Problem:

User accounts in AD get locked out after one bad password when authenticating against a NAS -- the domain policies are three attempts. This happens when the NT account of the same name is disabled.

It appears that ACS looks at both domains, finds the same user name in the NT domain (which is disabled intentionally) and then locks out the AD account.

Interestingly, if the User account in NT is "expired" this does not happen.


AD domain - "Domain A" and "User A" - everything is enabled

NT domain - "Domain B" and "User A" - the user account is disabled

User A attempts auth against a NAS, and supplies the wrong password only once. User A in Domain A then gets locked out. If User A in Domain B is not disabled, the one bad password attempt does not lock out User A in Domain A.


Re: ACS 3.0(2) - Authenticating users from Active Directory and


What you are seeing is expected behavior on the version of ACS you are running. Your interpretation is quite accurate: it searches all the domains if you provide the wrong password, until it finds the user and succeeds. You may try to send domain_name\user_name and test it again with a wrong password; you may not see this behavior. If I am not completely off, this behavior is changed in ACS version 3.2.
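A check that makes the reply's explanation measurable, added here as an example and not part of the original thread: after a single wrong password through the NAS, read badPwdCount for the AD account on every domain controller. badPwdCount is not replicated between DCs; each DC counts the failures it saw itself and forwards a copy of each failure to the PDC emulator, so the PDC emulator's value is the authoritative total for the account. If that total rises by more than one after one attempt at the NAS, the AAA server is producing several failed logons per attempt, which is what the domain-list search described above would do. Repeat the test with DomainA\UserA to see whether qualifying the name changes the count. The user name "UserA" and domain name "DomainA" are the poster's placeholders, and the script assumes the RSAT ActiveDirectory module is installed on the machine it runs from.

```powershell
# Added diagnostic, not from the thread: how many failed logons did one bad
# password at the NAS generate for the AD account?
# Assumptions: RSAT ActiveDirectory module present; "UserA" / "DomainA" are
# placeholders for the account and AD domain in the original post.
param(
    [string]$User   = "UserA",
    [string]$Domain = "DomainA"
)

Import-Module ActiveDirectory

# The PDC emulator holds the authoritative bad-password total for the domain.
$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
$dcs = Get-ADDomainController -Filter * -Server $Domain

foreach ($dc in $dcs) {
    # badPwdCount is per-DC and not replicated, so ask each DC directly.
    $u = Get-ADUser -Identity $User -Server $dc.HostName `
            -Properties badPwdCount, LockedOut, LastBadPasswordAttempt

    [pscustomobject]@{
        DC             = $dc.HostName
        IsPDCEmulator  = ($dc.HostName -eq $pdc)
        BadPwdCount    = $u.badPwdCount
        LockedOut      = $u.LockedOut
        LastBadPwdTime = $u.LastBadPasswordAttempt
    }
}
```

Run it once before and once after the test logon and compare the PDC emulator row. A jump of more than one per attempt confirms that more than one failed logon reached the AD domain for a single mistake at the NAS, so the domain lockout threshold of three is being consumed faster than the user's own attempts would suggest.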


