Cisco Support Community

New Member

ACS 3.0 and AD

Good Morning All,

My question to everyone is as follows. I have ACS 3.0 and have been authenticating via my NT domain for quite some time now. My company finished their AD rollout and since the ACS rests on an old BDC (not Win2k) I am holding up their upgrade. I have ACS 3.0 now on a Win2k member server and cannot get it to authenticate to the domain. When I try to set up the log on as a service and act as part of the OS with the new AD account I created, I get an error saying it couldn't contact the domain. This would make sense but the user list propagates with users from the domain. Please help. I know that's a lot of info. Thank you very much.

  • AAA Identity and NAC
New Member

Re: ACS 3.0 and AD

We had similar problems with ACS3.0.x.

Finally we stopped investigations into 3.0 and have upgraded to 3.1. There the problem has definitely been solved. A couple of workarounds for ACS 3.0 exist but they have not worked. You can try the following steps but in our case they have not solved the problem:

1. Uncheck the box that will require the user to have been granted Dial-in Access in the AD. This can be completed in ACS by navigating to the External User Databases -> Database Configuration section. Next select Windows NT/2000, then Configure.

2. Add all users to the Pre-Windows 2000 Compatible Access group in the AD. This will allow read access to the AD by these accounts.

3. Change the logon credentials for the ACS services to use a domain administrator account. Oftentimes the local member server administrator account does not have any rights on the AD.

4. Ensure the ACS services start with the Domain Administrator account.

   o Ensure you are able to log in to the server using this Domain Administrator account.

   o Ensure the Domain Administrator account (or the account with which the services start) has privileges to Log on locally, Log on as a service and Act as part of the operating system.

5. Remove database group mappings and use only all other combinations.
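
Added example, not part of the original posts: a Python check of the three user rights named in step 4, run over the text of a `secedit /export` user-rights dump. It assumes the export has already been decoded to text; the account name `EXAMPLE\acs_svc` and the sample dump are constructed placeholders.

```python
# Map the user-right constants that secedit writes to the names used in step 4.
REQUIRED_RIGHTS = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
}

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            # Only lines under [Privilege Rights] are user-right assignments.
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            # Holders are comma-separated; SIDs carry a leading '*'.
            rights[name.strip()] = {
                h.strip().lstrip("*").lower() for h in holders.split(",") if h.strip()
            }
    return rights

def missing_rights(inf_text, identities):
    """List required rights held by none of `identities` (account/group names or SIDs)."""
    wanted = {i.lower() for i in identities}
    rights = parse_privilege_rights(inf_text)
    return [
        label for const, label in REQUIRED_RIGHTS.items()
        if not (rights.get(const, set()) & wanted)
    ]

# Constructed sample export; the account name and SIDs are placeholders.
SAMPLE = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\acs_svc
SeServiceLogonRight = EXAMPLE\\acs_svc
SeTcbPrivilege = *S-1-5-18
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    print(missing_rights(SAMPLE, ["EXAMPLE\\acs_svc"]))
```

Pass the service account's name and SID together with the names or SIDs of its groups, since a right granted through a group appears in the export under the group's identity only.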