Cisco Support Community
New Member

ACS 5.1 AD group enumeration

I am trying to set up the ACS to authenticate users that are in certain AD groups.

If I go into the ACS, it cannot seem to enumerate AD groups correctly. Although the AD server shows as connected in the Identity stores (and it tests fine), if you go to the directory groups tab and hit "select", no groups will show up no matter what search string or base you specify. This is seemingly allowing anyone with an AD account to authorize on the switch even though they are not in the specified group.

I also get the following errors showing up in the monitor:

May 5,2010 3:14:26.683 PM
ERROR
AD Operation failure
CSCOacs_Internal_Operations_Diagnostics
33201
AdminInterface=GUI
AdminIPAddress=10.x.x.x
AdminSession=F7434BE137EBD195B586055A58875E3E
AdminName=ACSAdmin
DomainName=DC=mydomain,DC=com
ADOperationResult=No global catalog can be found for domain: mydomain.com

I can assure you that AD isn't broken for other things, and all the DNS underscore zones, etc. are all there. No AD servers are down or offline, etc.

Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACS 5.1 AD group enumeration


If AD is connected to the ACS, but you can't retrieve the group directories from it and are getting "ADOperationResult=No global catalog can be found for domain", then let me inform you that this is an ongoing issue and will be fixed in ACS 5.1 patch 3, which is not yet released. We are expecting this patch to be available on CCO in mid-June.

CSCtf39158    Can't retrieve AD groups in single forest with multiple trees scenarios


Regds,

JK


Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
4 REPLIES
New Member

Re: ACS 5.1 AD group enumeration

This does fit my scenario as far as I can tell - though I am still working with TAC on it. Hopefully patch 3 comes early, as this is a show stopper for our implementation.

New Member

Re: ACS 5.1 AD group enumeration

Patch 3 fixed this problem

Cisco Employee

Re: ACS 5.1 AD group enumeration

I would appreciate it if you mark this thread as RESOLVED so that others can benefit from it.

~BR Jatin Katyal **Do rate helpful posts**