06-01-2012 06:48 AM - edited 03-10-2019 07:09 PM
hello
I'm using ACS 5.3.0.40.2 and it's set up with an AD External Identity store for wireless PEAP MSCHAPv2. AD is configured with Alternate UPN suffixes so that, for example:
A valid AD user can add either the @mydomain.com or the @another.com suffix to their username and log in successfully. This works fine with 5.3.0.40.2 but changes when I upgrade to 5.3.0.40.5 - users who use @mydomain.com log in OK but users using the Alternate UPN @another.com fail with the error:
22056 Subject not found in the applicable identity store(s).
I've checked the release notes for 5.3.0.40.5 and there are some changes/fixes for AD but nothing I can see to explain the behaviour above. Has anyone come across this before? I'm looking to upgrade to 5.3.0.40.5 soon but I really need the Alternate UPN suffixes to work.
thanks
andy
PS: I've tried LEAP and PEAP/GTC as well but still get the same error when using the Alternate UPN suffix.
06-02-2012 05:20 AM
My apologies for the previous post - it seems to have got messed up when I copied and pasted. Just to recap, AD and user details are:
AD
AD Domain: AD.MYDOMAIN.COM
Alternate UPN Suffix: ANOTHER.MYDOMAIN.COM
User
cn: SOMEUSER
With ACS 5.3.0.40.2 the user can log in with usernames SOMEUSER or SOMEUSER@AD.MYDOMAIN.COM or with the Alternate UPN suffix SOMEUSER@ANOTHER.MYDOMAIN.COM.
With ACS 5.3.0.40.5 the user can log in with usernames SOMEUSER or SOMEUSER@AD.MYDOMAIN.COM but not with the Alternate UPN suffix SOMEUSER@ANOTHER.MYDOMAIN.COM.
I've taken ACS adclient debugs (when using the Alternate UPN suffix) from both ACS versions (see below). 5.3.0.40.2 works OK but 5.3.0.40.5 fails. From the debugs (line 3 highlighted in red), 5.3.0.40.5 is missing out "name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM".
Anyone have any ideas how I get the Alternate UPN suffix working with 5.3.0.40.5?
Thanks
Andy
ACS 5.3.0.40.2 debug
...
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 MS-RPC user authentication> daemon.ipclient1 executing request 'MS-RPC user authentication' in thread 3009473440
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 MS-RPC user authentication> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 MS-RPC user authentication> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 MS-RPC user authentication> base.bind.cache search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM)), attrs 1c (cacheOps=7, GC=1)
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 MS-RPC user authentication> base.bind.ldap ADSERVER.AD.MYDOMAIN.COM:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM))"
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 MS-RPC user authentication> base.cache Cache store
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 MS-RPC user authentication> base.bind.cache search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=SOMEUSER)), attrs 2 (cacheOps=7, GC=0)
Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 MS-RPC user authentication> base.bind.ldap ADSERVER.AD.MYDOMAIN.COM:389 search base="DC=AD,DC=MYDOMAIN,DC=COM" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=SOMEUSER))"
...
ACS 5.3.0.40.5 debug
...
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> daemon.ipclient1 executing request 'MS-RPC user authentication' in thread 2985442208
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DIAG <27 MS-RPC user authentication> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM)), attrs 1c (cacheOps=7, GC=1)
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> base.objecthelper age 61, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 7
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> base.adagent findObject: NotFound:SOMEUSER@ANOTHER.MYDOMAIN.COM Category:user
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> base.bind.cache making negative response for Person UserPrincipalName="SOMEUSER@ANOTHER.MYDOMAIN.COM" (GC=0)
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> base.cache Cache store
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> base.objecthelper 'SOMEUSER@ANOTHER.MYDOMAIN.COM' is not a canonical name
Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 MS-RPC user authentication> util.except (cims::RPC) : Unable to find user SOMEUSER@ANOTHER.MYDOMAIN.COM: The specified user does not exist. (reference ../smb/rpcclient/rpcwrap.cpp:439 rc: -1073741724)
...
06-14-2012 05:22 AM
Opened a TAC case for this and found the following:
With ACS 5.3.0.40.2:
If the search by userPrincipalName failed, ACS stripped the Alternative UPN suffix and tried to use the sAMAccountName.
With ACS 5.3.0.40.5:
If the search by userPrincipalName failed, ACS DOES NOT STRIP the Alternative UPN suffix.
The method used in ACS 5.3.0.40.5 is the correct one from a security viewpoint.
To fully resolve this I'll have a look at either:
cheers
andy
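The TAC finding above can be checked against the two debug traces in the earlier post. The following Python is an added example, not code from the poster, Cisco ACS or the adclient component: it parses the "findObject ADNames:" lines quoted in the thread to recover the lookups each version planned, then models the two lookup policies TAC described against a constructed one-user directory. The directory entry, the PRIMARY_DOMAIN constant, the candidates_lenient/candidates_strict models and the handling of the bare and primary-suffix name forms are assumptions made for the example; the thread only shows the alternate-suffix trace and says the other two forms keep working.

```python
import re

# The two "findObject ADNames:" debug lines quoted in the thread, with the
# extraction artefacts removed. 5.3.0.40.2 plans two lookups, 5.3.0.40.5 one.
FINDOBJECT_5_3_0_40_2 = (
    "base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM "
    "name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM "
    "name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM"
)
FINDOBJECT_5_3_0_40_5 = (
    "base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM "
    "name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM"
)

CANDIDATE_RE = re.compile(r"name: (\S+) type=(\w+) domain=(\S+)")


def parse_candidates(debug_line):
    """Extract the (name, type, domain) lookups adclient planned for a request."""
    return CANDIDATE_RE.findall(debug_line)


PRIMARY_DOMAIN = "AD.MYDOMAIN.COM"  # assumption: the AD domain from the post

# Constructed directory (not real data): the account's userPrincipalName carries
# only the primary suffix, so a UPN search for the alternate suffix finds nothing,
# exactly as the 5.3.0.40.5 trace shows.
DIRECTORY = [
    {"cn": "SOMEUSER", "sAMAccountName": "SOMEUSER",
     "userPrincipalName": "SOMEUSER@AD.MYDOMAIN.COM"},
]


def ldap_filter(attr, value):
    """Same filter shape as the base.bind.ldap lines in the debugs."""
    return ("(&(objectClass=User)(|(objectCategory=Person)"
            f"(objectCategory=Computer))({attr}={value}))")


def search(directory, attr, value):
    """Case-insensitive exact match, standing in for the LDAP/GC query."""
    for entry in directory:
        if entry.get(attr, "").upper() == value.upper():
            return entry
    return None


def candidates_lenient(login):
    """Model of 5.3.0.40.2 as TAC described it: try the name as a UPN, then strip
    whatever suffix was typed and retry by sAMAccountName."""
    user, _, suffix = login.partition("@")
    if not suffix:
        return [(user, "SAM", PRIMARY_DOMAIN)]
    kind = "UPN" if suffix.upper() == PRIMARY_DOMAIN else "ALTUPN"
    return [(login, kind, PRIMARY_DOMAIN), (user, "SAM", PRIMARY_DOMAIN)]


def candidates_strict(login):
    """Model of 5.3.0.40.5: an alternate suffix is never stripped. The bare-name
    and primary-suffix branches are assumptions; the post only shows the
    alternate-suffix trace and says those two forms still log in."""
    user, _, suffix = login.partition("@")
    if not suffix:
        return [(user, "SAM", PRIMARY_DOMAIN)]
    if suffix.upper() == PRIMARY_DOMAIN:
        return [(login, "UPN", PRIMARY_DOMAIN), (user, "SAM", PRIMARY_DOMAIN)]
    return [(login, "ALTUPN", PRIMARY_DOMAIN)]


def resolve(candidates, directory=DIRECTORY):
    """Try candidates in order; first hit wins. Returns (entry or None, filters tried)."""
    tried = []
    for name, kind, _domain in candidates:
        attr = "userPrincipalName" if kind in ("UPN", "ALTUPN") else "sAMAccountName"
        tried.append(ldap_filter(attr, name))
        hit = search(directory, attr, name)
        if hit is not None:
            return hit, tried
    return None, tried


def with_alternate_upn(directory, cn, upn):
    """Copy of the directory with one account's userPrincipalName rewritten, to see
    what the strict policy does once the UPN attribute actually matches the login."""
    return [dict(e, userPrincipalName=upn) if e["cn"] == cn else e for e in directory]


if __name__ == "__main__":
    login = "SOMEUSER@ANOTHER.MYDOMAIN.COM"
    # The models reproduce the candidate lists seen in the two debug traces.
    assert candidates_lenient(login) == parse_candidates(FINDOBJECT_5_3_0_40_2)
    assert candidates_strict(login) == parse_candidates(FINDOBJECT_5_3_0_40_5)
    for label, policy in (("5.3.0.40.2", candidates_lenient), ("5.3.0.40.5", candidates_strict)):
        entry, tried = resolve(policy(login))
        print(label, "->", entry["cn"] if entry else "22056 subject not found", tried)
    # Why TAC calls the strict behaviour correct: with suffix stripping the suffix is
    # never checked at all, so a name whose suffix is not a UPN suffix of the forest
    # still resolves to the bare sAMAccountName.
    print("lenient, unknown suffix ->", resolve(candidates_lenient("SOMEUSER@NOT-A-SUFFIX.EXAMPLE"))[0]["cn"])
    # And the strict policy succeeds as soon as the userPrincipalName search can match.
    fixed = with_alternate_upn(DIRECTORY, "SOMEUSER", login)
    print("strict, UPN attribute matches ->", resolve(candidates_strict(login), fixed)[0]["cn"])
```

Running the script prints the filters each policy issued, which line up with the base.bind.ldap lines in the debugs: the lenient model issues the userPrincipalName filter on the GC and then the sAMAccountName filter, while the strict model stops after the first one and reports the 22056 failure. The last two lines show the trade-off the TAC note is about: the stripping fallback accepts a suffix it never validated, whereas the strict lookup only accepts a login that really is one of the account's UPNs.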