We are still running ACS 4.1 on Windows 2003 server. We recently upgraded AD to 2008, although the domain and forest functional levels are still 2003. After the AD upgrade we are now unable to authenticate via the ACS Windows Database.
Is this an incompatibility issue? Any info is appreciated. Thanks.
We are running 4.2 and ACS is working even with the functional level increased. I would be surprised if 4.1 does not work. What is more likely is that, since ACS 4 uses an agent for Windows authentication, something happened to the agent installed on one of your servers during your migration to 2008. There have been several times where Windows authentication has quit working with our ACS because our agents tend to run on utility servers that get neglected. There have been times where different server admin tasks have caused one of our agents to stop working. When this happens I take the opportunity to make sure I have the latest version and reinstall it, which has always worked.
Check out this guide on the agent install. http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/remote_agent/rawi.html
Thanks Jason. Looks like the remote agent is only supported on ACS SE. We have ACS 4.1 for Windows. One of our staff mentioned that he did not have to install remote agent on any server after ACS installation. It's always worked until we upgraded our domain controllers to 2008.
Sorry about that Richard, I completely missed that you mentioned it was running on Windows. I am less familiar with ACS for Windows.
You will need to upgrade to 4.2. 4.1 is not compatible with AD 2008. Hopefully you have a support contract with Cisco. I had to open a ticket because the installation kept failing due to corrupt file(s). After the cleanup, the installation went pretty smoothly. Make sure you back up the database before upgrading.
Thanks a lot for your prompt reply... But what files are you talking about that kept failing?
I can't remember which file(s) were corrupt that were causing the installation to fail. It's been almost a year since I did the upgrade. I recommend opening a ticket with Cisco before performing the upgrade.
I'm in the same boat - our M$ engineers upgraded our Windows DCs from Win2K3 to Win2K8 and now I'm getting annoying authentication errors in Windows. I understand that Windows 2008 DCs don't support NTLMv1 (without downgrading security), and that 4.2.1 with patch 4 will support NTLMv2 (I'm guessing this will solve my issues).
I'm also running 4.2.0 and attempted to upgrade to 4.2.1, and the installer won't export my database, so I can't move to 4.2.1 without rebuilding my database manually (as the ACS upgrade document states that I can't use the 4.2.0 DBs to restore to 4.2.1 if I'm upgrading). (Arggh!)
I think I'll log a support call with Cisco ....
I have a 4.2 appliance and want to integrate it with a Windows 2008 Active Directory. Concerning your post above, do you know if my appliance will be compatible after an upgrade to an ACS 4.2.1 version?
As I said before, if you have 2008 R2 Active Directory it won't work.
If you have an ACS 220.127.116.11 and you are planning to move to Windows server 2008 no R2 32-bits, then you will need to apply patch 12 at least to the ACS server.
If the Windows server is going to be 2008 no R2 64-bits then you will have to upgrade to 18.104.22.168