I set up ACS 4.1 on a Windows 2003 R2 Member Server with Service Pack 2. I did all the configuration and it looks like the ACS server can see AD (I can see all AD groups in Group management of ACS). However, if I try to authenticate a user against the Windows database, I always get a failed attempt with "Internal Error" in the log.
Looking at the log file in CSAuth, I can see the following lines:
pvAuthenticateUser: authenticate '***' against Windows Database
External DB [NTAuthenDLL.dll]: Starting authentication for user [***]
External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user ***
External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 6L)
Unfortunately, I can't find anything about this error. Any idea?
I have (almost) the same problem with a Cisco ACS 4.1 Solution Engine (appliance).
The CSWinAgent log file (the remote agent log file) shows:
CSWinAgent 05/11/2007 10:54:51 A 0136 2080 Client connecting from 188.8.131.52:3360
CSWinAgent 05/11/2007 10:54:52 A 0386 3372 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 05/11/2007 10:54:52 A 0063 3372 NTLIB: Attempting Windows authentication for user johndoe
CSWinAgent 05/11/2007 10:54:52 A 0063 3372 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 05/11/2007 10:54:52 A 0451 3372 RPC: NT_MSCHAPAuthenticateUser reply sent.
I don't know if this will help YOU, but I imported the configuration from an ACS 4.1 running on Windows 2000 Advanced Server that was working fine. (I was using a domain administrator account to run the ACS services.)
Try to verify the following:
- the account used to run ACS services is a domain administrator
- the local policies (User Rights Assignment) of the ACS server include "Act as part of the operating system" and "Log on as a service" for the ACS services account
- the local policies (Security Options, Network security) LAN Manager authentication level allows NTLM v2
Then restart ACS services.
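A read-only PowerShell check for the three items in the post above (an added example, not code from the thread). The service names CSAuth and CSWinAgent are taken from the log lines quoted earlier in the thread; which of them exists on a given host is an assumption.

```powershell
# Checks: ACS service account, "Act as part of the OS" / "Log on as a service"
# rights for that account, and the LAN Manager authentication level.
$acsServiceNames = @('CSAuth', 'CSWinAgent')   # assumed from the thread's log lines

# 1. Which account runs the ACS services? Compare it against Domain Admins yourself.
$svc = Get-WmiObject Win32_Service | Where-Object { $acsServiceNames -contains $_.Name }
if (-not $svc) { Write-Warning 'No ACS service found on this host'; return }
$svc | Select-Object Name, State, StartName | Format-Table -AutoSize

# 2. User Rights Assignment: export the local policy and look for the service
#    account's SID under SeTcbPrivilege ("Act as part of the operating system")
#    and SeServiceLogonRight ("Log on as a service").
$cfg = Join-Path $env:TEMP 'acs-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$matches[1]] = $matches[2] -split ',' }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($s in $svc) {
    $acct = $s.StartName
    if ($acct -eq 'LocalSystem') { $acct = 'NT AUTHORITY\SYSTEM' }
    if ($acct -match '^\.\\') { $acct = "$env:COMPUTERNAME\" + $acct.Substring(2) }  # ".\user" is local
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { Write-Warning "Cannot resolve $acct to a SID"; continue }
    foreach ($priv in 'SeTcbPrivilege', 'SeServiceLogonRight') {
        $granted = $rights[$priv] -contains "*$sid"   # secedit lists SIDs with a leading '*'
        "{0,-12} {1,-20} {2}" -f $s.Name, $priv, $(if ($granted) { 'granted' } else { 'MISSING' })
    }
}

# 3. LAN Manager authentication level (Security Options > Network security).
#    Levels 3-5 send NTLMv2 only; the lower levels still accept NTLMv2 from peers.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
           -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$names = @('Send LM & NTLM', 'Send LM & NTLM, NTLMv2 session security if negotiated',
           'Send NTLM only', 'Send NTLMv2 only', 'Send NTLMv2 only, refuse LM',
           'Send NTLMv2 only, refuse LM & NTLM')
if ($lsa) { 'LmCompatibilityLevel = {0} ({1})' -f $lsa.LmCompatibilityLevel, $names[$lsa.LmCompatibilityLevel] }
else      { 'LmCompatibilityLevel not set explicitly (OS default applies)' }
```

Run it in an elevated prompt on the ACS (or remote agent) host, since secedit needs administrative rights to export the policy.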
I had experienced the same problem: I had an ACS appliance running v4.1 and the RA running on AD. All the groups on AD enumerated successfully, but I was still getting the same aforementioned error.
Could you please share with us how you overcame this obstacle?
Please verify with Cisco, but it looks like the ACS remote agent version 4.1 is not supported on Windows 2003 R2.
I had the same problem and I had to install the agent on a different server running Windows 2003.
I have opened a case with Cisco TAC and am waiting for their feedback, but they almost confirmed that the problem is on the AD side. I need to verify the versions of the RA on both AD and ACS.
BTW, please correct me if I'm wrong: if the groups enumerated successfully to ACS, does it mean that the RA (Remote Agent) is working perfectly?
"if the groups enumerated successfully to ACS, does it mean that the RA (Remote Agent) is working perfectly?"
Not really ... If you check the CSWinAgent log you will see "6L" errors.
Install the agent on a W2K or W2K3 (not R2) server and the agent will magically start working :-)
Finally I have good news: you are absolutely right, W2k3 (R2) caused this issue. I installed the RA on a member server running W2k3 Standard Edition and, as you said, it magically started working.
I have the same problem on W2k3(R2) and Cisco TAC told me to upgrade to 184.108.40.206. According to the release notes W2k3(R2) is supported in 4.1.3.
Didn't upgrade yet though. Will let you know if it works once I have the new version installed.
I would suggest you check the security settings for the ACS server, as most of the time when ACS is not able to fetch user info from AD, we get this error message. There are many cases in the TAC case collection with the same error, and they are resolved by configuring security settings for the ACS services.
As you have mentioned, you have ACS installed on a member server.
Do you have the security settings configured for the ACS services as mentioned in the ACS installation guide? There are some extra steps we need to follow if ACS is installed on a member server.