ACS 5.2.0.26 with two domains

I am trying to upgrade from a production ACS 4.2 installation that utilizes the Windows server that the ACS is installed on as the underlying authentication mechanism to ACS 5.2 that now joins to the domain.  I have read several posts and haven't yet found a solution to my problem.

So, we have a domain/forest of Domain X and this is where the ACS server is bound.  We have another domain/forest of Domain Y.  We have a two-way transitive trust between the two domains.  Users can authenticate just fine if they specify the domain name.  However, if they leave off the domain, then only users in Domain X can authenticate.

So, the following works to authenticate:

Domain X\username

Domain Y\username

username - if a Domain X username

What doesn't work to authenticate is:

username - if a Domain Y username

How can I tell ACS to authenticate users to a specific list of domains, perhaps in a certain order or perhaps to a default domain.  We have many more users in Domain Y.  So, if I needed to set a default domain, I could set it to Domain Y and tell the Domain X users to be sure to place the domain in front.  Alternatively, it seems I could move the AD binding to Domain Y.  However, while the trust is there, the Domain Y is at a different University and I would prefer to keep the ACS server bound to Domain X.

When I try to search for the Directory Groups, I only get groups from Domain X.  I cannot even manually type the groups for Domain Y.  It accepts them, but they do not work.  Inevitably, if I leave off the Domain Y, it results in an error of "22056 Subject not found in the applicable identity store(s)".

Any help is appreciated.  If more information is needed to assist, please let me know what you need.

Thanks!

Jodie

14 Replies

Tarik Admani
VIP Alumni

Jodie,

Are the samaccountnames unique across the entire forest? This seems to be a trust type related issue and I have seen this crop up in recent times. Here is an article that might help you identify the trust type in order to make this work:

https://supportforums.cisco.com/thread/2162234

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the reply Tarik.  It turns out we have a forest trust and not an external trust which is needed in this case.  So, I will have to look at binding ACS to the Domain Y.

Thanks!

Jodie

Hi Tarik,

So, I tried binding the ACS server to Domain Y and now I am able to authenticate users in Domain Y without them having to enter Domain Y\username.  However, I now cannot authenticate users in Domain X even with Domain X\username.  Any thoughts?

I do not know the answer to your question about samaccountnames being unique across the entire forest.  What I know and what is frustrating is that ACS 4.2 works.  I realize why it does - because it depends on the underlying Windows OS and NTLM authentication and not kerberos (which I believe is what this is).  But, there should be a way to authenticate both domains under the new ACS.  I don't have the ability to change the trust type from a forest trust to an external trust.

Any ideas?

Thanks!

Jodie

I understand your frustrations, and you cannot use ACS to join both domains. I know that you do not have the privs to change the domain, but someone in your org will have to understand that this is needed for ACS to authenticate all users.

I assume if users are entering their username and password that they are authenticating through a VPN connection? If so, do you have the password management feature turned on?

Or if this is for inside your org are you authenticating users via dot1x?

Thanks,

Tarik Admani
*Please rate helpful posts*

So, I am working on getting that two-way external trust setup.  I think they understand why it is needed.  But, of course, we have to go through the politics of actually getting it approved.

As for the VPN connection, this is for dot1x authentication on our wireless network primarily.  But, the same ACS server authenticates our Juniper SSL VPN users as well.

One question that came from the other domain side is whether selective authentication can be used on this external trust?  Do we know?

Thanks!

Jodie

Please explain the selective authentication. However, I will explain the selective authentication that I think you are talking about.

If a client uses dot1x authentication then you can set the policy so that it uses AD.

If a client is coming through a vpn connection you can use an LDAP instance or a radius proxy, or an RSA token database...etc.

All this requires is that you configure your network devices properly so that you can set these conditions in the service selection rules for this to occur. You can also configure identity store sequences so you can check all the databases in any order that you want, if you feel that you don't need the additional overhead in segmenting devices into separate network device groups.

Thanks,

Tarik Admani
*Please rate helpful posts*

Actually, the way it was explained to me is that selective authentication would be used to allow or disallow authentication based on a group/OU.  So, if you are not in a certain group/OU, then you cannot even try to authenticate.

Thanks!

Jodie

The authentication request will still go through, but ACS will reject the request based on the authorization policy that you define on ACS. It is policy based and you can add external groups from AD as a deciding factor in whether a user gets access or not. Please let me know if you need help setting this up.

(Sorry for the late reply, I thought I got to this when you posted it before.)

Tarik Admani
*Please rate helpful posts*
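The two mechanisms discussed in this thread, an ordered search over several domains for a bare username (the "default domain" question in the original post) and a group-based authorization rule applied after authentication succeeds (Tarik's last reply), are illustrated below in a small Python model. This is an added example, not ACS or Cisco code: the directory contents, the domain names DOMAINX/DOMAINY, the DNS suffixes and the password values are all constructed, and the functions are hypothetical. It also shows the edge case Tarik asked about: when the same samAccountName exists in more than one searched domain, a bare username cannot be resolved safely.

```python
"""Added illustration, not ACS or Cisco code: model of how an AAA server can
resolve a submitted identity across an ordered list of AD domains, and then
apply a group-based authorization rule once authentication has succeeded."""
import secrets

# Constructed sample directory keyed by NetBIOS domain, then samAccountName.
# "jsmith" exists in both domains on purpose: it shows why a bare username
# is only safe to search across domains when samAccountNames are unique.
DIRECTORY = {
    "DOMAINX": {
        "jdoe":   {"password": "x-pass",  "groups": {"Domain Users", "NetAdmins"}},
        "jsmith": {"password": "x-smith", "groups": {"Domain Users"}},
    },
    "DOMAINY": {
        "jsmith": {"password": "y-smith", "groups": {"Domain Users", "Wireless"}},
        "abrown": {"password": "y-pass",  "groups": {"Domain Users"}},
    },
}
# Hypothetical DNS-suffix to NetBIOS mapping for user@fqdn style logins.
DNS_TO_NETBIOS = {"domainx.example.edu": "DOMAINX", "domainy.example.edu": "DOMAINY"}

ERR_NOT_FOUND = "22056 Subject not found in the applicable identity store(s)"
ERR_AMBIGUOUS = "samAccountName found in more than one searched domain"


def parse_identity(identity):
    """Split DOMAIN\\user, user@suffix or a bare user into (domain or None, user)."""
    if "\\" in identity:
        dom, user = identity.split("\\", 1)
        return dom.upper(), user
    if "@" in identity:
        user, suffix = identity.rsplit("@", 1)
        return DNS_TO_NETBIOS.get(suffix.lower(), suffix.upper()), user
    return None, identity


def resolve_subject(identity, search_order):
    """Return (domain, account) or (None, reason).

    search_order is the ordered list of domains tried for a bare username;
    a server joined to a single domain behaves like search_order == [joined]."""
    dom, user = parse_identity(identity)
    if dom is not None:                      # explicit domain: look only there
        acct = DIRECTORY.get(dom, {}).get(user)
        return (dom, acct) if acct else (None, ERR_NOT_FOUND)
    hits = [d for d in search_order if user in DIRECTORY.get(d, {})]
    if not hits:
        return None, ERR_NOT_FOUND
    if len(hits) > 1:                        # refuse to guess between domains
        return None, ERR_AMBIGUOUS
    return hits[0], DIRECTORY[hits[0]][user]


def authenticate(identity, password, search_order):
    """Return (True, domain, groups) on success, else (False, None, reason)."""
    dom, acct = resolve_subject(identity, search_order)
    if dom is None:
        return False, None, acct
    if not secrets.compare_digest(acct["password"].encode(), password.encode()):
        return False, None, "wrong password"
    return True, dom, acct["groups"]


def authorize(dom, groups, permitted):
    """Authorization rule: permit if the user holds any DOMAIN/group in permitted."""
    return any(f"{dom}/{g}" in permitted for g in groups)


def access_decision(identity, password, search_order, permitted):
    """Full flow: authentication first, then the group-based authorization rule."""
    ok, dom, info = authenticate(identity, password, search_order)
    if not ok:
        return "reject (authentication): " + info
    if not authorize(dom, info, permitted):
        return "reject (authorization policy): not in a permitted group"
    return f"permit {dom}\\{parse_identity(identity)[1]}"


if __name__ == "__main__":
    policy = {"DOMAINX/NetAdmins", "DOMAINY/Wireless"}
    for ident, pw, order in [("abrown", "y-pass", ["DOMAINX"]),
                             ("abrown", "y-pass", ["DOMAINX", "DOMAINY"]),
                             ("jsmith", "y-smith", ["DOMAINX", "DOMAINY"]),
                             ("DOMAINY\\jsmith", "y-smith", ["DOMAINX"]),
                             ("jdoe@domainx.example.edu", "x-pass", [])]:
        print(f"{ident:28} order={order}: {access_decision(ident, pw, order, policy)}")
```

With `search_order=["DOMAINX"]` the model reproduces the symptom from the original post: a Domain Y user without a domain prefix gets the 22056 "subject not found" result, while `DOMAINY\username` still works. Adding DOMAINY to the search order fixes that, but a name present in both domains is then rejected as ambiguous rather than silently matched to the first hit, which is the safer failure mode for a AAA front end.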

No worries Tarik.  I thought I had also replied and then checked and it wasn't there.  Maybe the site messed up.

Anyway, thanks for the information.  I will let you know if I need assistance in setting this up.  Is there a document that you would recommend reading that would assist me on this front?

Thanks!

Jodie

Tarik,

As of Friday, we now have a two-way external trust between our two domains.  So, I joined the ACS server to the Domain Y.  I can now authenticate users for Domain Y with DomainY\username or just username.  However, when I try to authenticate users as DomainX\username, it tells me error 22056 Subject not found in the applicable identity store(s).

Now, under Network Resources>External Identity Stores>Active Directory, I went into the Directory Groups tab and I added a Group of DomainX/Users/Domain Users.  Is there something else I am supposed to do, or what else can I do to troubleshoot this?  Any idea?

As always, thanks!

Jodie

Jodie,

Can you try authenticating the user with username@domain.com, and also just username?

If you perform a dns query for domainx does it resolve?

Thanks,

Tarik Admani
*Please rate helpful posts*

I can logon to the ACS CLI and ping/nslookup the FQDN of domain x just fine.  It doesn't authenticate the username@domainx either.  I tried @FQDN and @domainx.

Jodie,

Can you follow this guide to get the relevant debugs and post the event at the time of the authentication:

https://supportforums.cisco.com/docs/DOC-26787

Thanks,

Tarik Admani
*Please rate helpful posts*

Jodie,

Just so I understand which domain is ACS joined to (MASTER.LSUHSC.EDU)? I would like to know a little bit more about your trust, do you mind private messaging me details on this. If you need this resolved fast you can open a TAC case and have them take a look.

Also, are you using a service account to join ACS to the domain, or are you using an administrator's account?

Also did you try rebooting the ACS after the trust was established?

Thanks,

Tarik Admani
*Please rate helpful posts*