Cisco Support Community
Can't get ACS5.1 to join AD 2003

I have an ACS 5.1 eval VM appliance that I am testing and I cannot get it
to join the domain.

I have been running two ACS 4.1 Windows servers for years.

The popup error that the ACS gives when you press the "Test Connection" button is:

Error while configuring Active Directory: Error while configuring Active Directory:
Using writable domain controller: domcon04.campus.stevens-tech.edu
Error: (Kerberos) : Cannot contact any KDC for requested realm due to unexpected
configuration or network error.
Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.
Join to domain 'CAMPUS.STEVENS-TECH.EDU', zone 'null' failed.


FIRST QUESTION:  where can I find the 'adinfo --diag' that is referred to in the above error?

On the domain controller (which is running AD 2003) the error is:

I first get this message:

While processing an AS request for target service krbtgt, the account bdolana did not
have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The
requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.


Then about 3 minutes later (and it takes about 3 minutes for this process to return the
error):

While processing an AS request for target service krbtgt, the account acs2$ did not  have
a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).  The
requested etypes were 18  17  3  1.  The accounts available etypes were 23  -133  -128. 
Changing or resetting the password of acs2$ will generate a proper key.


After this whole process errors out I search for the account acs2 or acs2$, and it cannot be found.


I do see in the Security logs that the account is getting created; here are those logs.

Event Type:     Success Audit
Event Source:     Security
Event Category:     Account Management
Event ID:     645
Date:          1/22/2010
Time:          10:18:58 AM
User:          CAMPUS\bdolana
Computer:     DOMCON04
Description:
Computer Account Created:
     New Account Name:     acs2$
     New Domain:     CAMPUS
     New Account ID:     acs2 DEL:9f185c9b-8e96-4bfe-b2ca-f710bd0d7873
     Caller User Name:     bdolana
     Caller Domain:     CAMPUS
     Caller Logon ID:     (0x1,0x3C448FC8)
     Privileges          -
Attributes:
     Sam Account Name:     acs2$
     Display Name:     <value not set>
     User Principal Name:     -
     Home Directory:     <value not set>
     Home Drive:     <value not set>
     Script Path:     <value not set>
     Profile Path:     <value not set>
     User Workstations:     <value not set>
     Password Last Set:     <never>
     Account Expires:     <never>
     Primary Group ID:     515
     AllowedToDelegateTo:     -
     Old UAC Value:     0x0
     New UAC Value:     0x85
     User Account Control:     
          Account Disabled
          'Password Not Required' - Enabled
          'Workstation Trust Account' - Enabled
     User Parameters:     <value changed, but not displayed>
     Sid History:     -
     Logon Hours:     <value not set>
     DNS Host Name:     -
     Service Principal Names:     -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type:     Success Audit
Event Source:     Security
Event Category:     Account Management
Event ID:     626
Date:          1/22/2010
Time:          10:18:58 AM
User:          CAMPUS\bdolana
Computer:     DOMCON04
Description:
User Account Enabled:
     Target Account Name:     acs2$
     Target Domain:     CAMPUS
     Target Account ID:     acs2 DEL:9f185c9b-8e96-4bfe-b2ca-f710bd0d7873
     Caller User Name:     bdolana
     Caller Domain:     CAMPUS
     Caller Logon ID:     (0x1,0x3C448FC8)



Event Type:     Success Audit
Event Source:     Security
Event Category:     Account Management
Event ID:     646
Date:          1/22/2010
Time:          10:18:58 AM
User:          CAMPUS\bdolana
Computer:     DOMCON04
Description:
Computer Account Changed:
     -
     Target Account Name:     acs2$
     Target Domain:     CAMPUS
     Target Account ID:     acs2 DEL:9f185c9b-8e96-4bfe-b2ca-f710bd0d7873
     Caller User Name:     bdolana
     Caller Domain:     CAMPUS
     Caller Logon ID:     (0x1,0x3C448FC8)
     Privileges:     -
Changed Attributes:
     Sam Account Name:     -
     Display Name:     -
     User Principal Name:     -
     Home Directory:     -
     Home Drive:     -
     Script Path:     -
     Profile Path:     -
     User Workstations:     -
     Password Last Set:     -
     Account Expires:     -
     Primary Group ID:     -
     AllowedToDelegateTo:     -
     Old UAC Value:     0x85
     New UAC Value:     0x80
     User Account Control:     
          Account Enabled
          'Password Not Required' - Disabled
     User Parameters:     -
     Sid History:     -
     Logon Hours:     -
     DNS Host Name:     -
     Service Principal Names:     -


Event Type:     Success Audit
Event Source:     Security
Event Category:     Account Management
Event ID:     646
Date:          1/22/2010
Time:          10:18:58 AM
User:          CAMPUS\bdolana
Computer:     DOMCON04
Description:
Computer Account Changed:
     -
     Target Account Name:     acs2$
     Target Domain:     CAMPUS
     Target Account ID:     acs2 DEL:9f185c9b-8e96-4bfe-b2ca-f710bd0d7873
     Caller User Name:     bdolana
     Caller Domain:     CAMPUS
     Caller Logon ID:     (0x1,0x3C448F6F)
     Privileges:     -
Changed Attributes:
     Sam Account Name:     -
     Display Name:     -
     User Principal Name:     -
     Home Directory:     -
     Home Drive:     -
     Script Path:     -
     Profile Path:     -
     User Workstations:     -
     Password Last Set:     -
     Account Expires:     -
     Primary Group ID:     -
     AllowedToDelegateTo:     -
     Old UAC Value:     -
     New UAC Value:     -
     User Account Control:     -
     User Parameters:     -
     Sid History:     -
     Logon Hours:     -
     DNS Host Name:     acs2.campus.stevens-tech.edu
     Service Principal Names:     
          cifs/acs2
          cifs/acs2.campus.stevens-tech.edu
          ftp/acs2
          ftp/acs2.campus.stevens-tech.edu
          host/acs2
          host/acs2.campus.stevens-tech.edu
          http/acs2
          http/acs2.campus.stevens-tech.edu
          nfs/acs2
          nfs/acs2.campus.stevens-tech.edu


Event Type:     Success Audit
Event Source:     Security
Event Category:     Account Management
Event ID:     646
Date:          1/22/2010
Time:          10:18:58 AM
User:          CAMPUS\bdolana
Computer:     DOMCON04
Description:
Computer Account Changed:
     -
     Target Account Name:     acs2$
     Target Domain:     CAMPUS
     Target Account ID:     acs2 DEL:9f185c9b-8e96-4bfe-b2ca-f710bd0d7873
     Caller User Name:     bdolana
     Caller Domain:     CAMPUS
     Caller Logon ID:     (0x1,0x3C4490AA)
     Privileges:     -
Changed Attributes:
     Sam Account Name:     -
     Display Name:     -
     User Principal Name:     -
     Home Directory:     -
     Home Drive:     -
     Script Path:     -
     Profile Path:     -
     User Workstations:     -
     Password Last Set:     -
     Account Expires:     -
     Primary Group ID:     -
     AllowedToDelegateTo:     -
     Old UAC Value:     -
     New UAC Value:     -
     User Account Control:     -
     User Parameters:     -
     Sid History:     -
     Logon Hours:     -
     DNS Host Name:     -
     Service Principal Names:     -


Event Type:     Success Audit
Event Source:     Security
Event Category:     Account Management
Event ID:     647
Date:          1/22/2010
Time:          10:22:07 AM
User:          CAMPUS\bdolana
Computer:     DOMCON04
Description:
Computer Account Deleted:
     Target Account Name:     acs2$
     Target Domain:     CAMPUS
     Target Account ID:     acs2 DEL:9f185c9b-8e96-4bfe-b2ca-f710bd0d7873
     Caller User Name:     bdolana
     Caller Domain:     CAMPUS
     Caller Logon ID:     (0x1,0x3C4490AA)
     Privileges:     -




There are no other logs on any of the domain controllers; I never see logs that the acs2 account was deleted.

SECOND QUESTION: Any ideas?

Chris
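
The two KDC events quoted in the post say the same thing in Kerberos terms: the AS-REQ sent by the ACS offered only encryption types for which the 2003 domain controller held no key (the 'adinfo' the ACS error mentions is the diagnostic of the Centrify AD client that ACS 5.x builds on). The script below is an added example, not code from the post or from Cisco: it parses the two event messages (copied from the post), maps each etype number to its name, and reports whether client and KDC share a usable type. The names given to the negative Microsoft RC4 variants are generic, as an assumption; the third case, a client that also offers RC4, is constructed to show a negotiation that would succeed.

```python
"""Decode the KDC "did not have a suitable key" events quoted in the post.

Added example, not code from the post or from Cisco.  MSG_USER and
MSG_COMPUTER are copied from the post; the RC4 case at the bottom is
constructed.
"""
import re

# Kerberos encryption-type numbers (RFC 3961/3962 for the positive values).
# The negative values are Microsoft's pre-standard RC4 variants; they are
# labelled generically here (assumption: exact variant names omitted).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    -128: "rc4 (Microsoft legacy variant)",
    -133: "rc4 (Microsoft legacy variant)",
}

ACCT_RE = re.compile(r"the account (\S+) did not")
REQ_RE = re.compile(r"requested etypes were\s+([-\d\s]+?)\.")
AVAIL_RE = re.compile(r"available etypes were\s+([-\d\s]+?)\.")

MSG_USER = ("While processing an AS request for target service krbtgt, the account "
            "bdolana did not have a suitable key for generating a Kerberos ticket "
            "(the missing key has an ID of 2). The requested etypes were 18.  The "
            "accounts available etypes were 23  -133  -128  3  1.")
MSG_COMPUTER = ("While processing an AS request for target service krbtgt, the account "
                "acs2$ did not  have a suitable key for generating a Kerberos ticket "
                "(the missing key has an ID of 1).  The requested etypes were 18  17  "
                "3  1.  The accounts available etypes were 23  -133  -128. Changing "
                "or resetting the password of acs2$ will generate a proper key.")


def parse_event(message):
    """Pull the account name and the requested/available etype lists out of one event."""
    acct = ACCT_RE.search(message).group(1)
    req = [int(x) for x in REQ_RE.search(message).group(1).split()]
    avail = [int(x) for x in AVAIL_RE.search(message).group(1).split()]
    return acct, req, avail


def negotiate(requested, available):
    """Etypes the KDC could actually use, in the client's preference order."""
    return [e for e in requested if e in available]


def explain(message):
    """Human-readable verdict for one event."""
    acct, req, avail = parse_event(message)
    name = lambda e: ETYPE_NAMES.get(e, f"etype {e}")
    out = [f"account {acct}",
           "  client offered:   " + ", ".join(name(e) for e in req),
           "  KDC has keys for: " + ", ".join(name(e) for e in avail)]
    common = negotiate(req, avail)
    if common:
        out.append("  ticket possible with: " + name(common[0]))
    elif all(e in (17, 18) for e in req):
        # Windows Server 2003 KDCs predate AES support (added in Server 2008).
        out.append("  FAIL: client offered AES only, and this account has no AES keys "
                   "(Windows Server 2003 DCs do not support AES etypes)")
    else:
        out.append("  FAIL: no encryption type in common; the KDC needs a key of a "
                   "type the client offers (reset the password after fixing etypes)")
    return "\n".join(out)


if __name__ == "__main__":
    for m in (MSG_USER, MSG_COMPUTER):
        print(explain(m))
    # Constructed: same computer account, but a client that also offers RC4.
    print("with RC4 offered:", negotiate([18, 17, 23], [23, -133, -128]))
```

Run it as-is to see both events decoded; the first fails because only AES was offered, the second because AES and DES were offered but the new acs2$ account only had RC4 keys, which is why the KDC suggests resetting its password.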

3 REPLIES

Re: Can't get ACS5.1 to join AD 2003

TAC came through with the answer

We have many TCP/UDP ports open between the nets where the ACS and AD servers are located.

Even though we can join other machines to the domain, whatever protocol the ACS uses to join the domain wanted another port.

Chris
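
The reply above says the join needed one more port than the firewall between the two networks allowed, without naming it. The script below is an added example, not a tool from TAC or Cisco: run from a host on the ACS side of the firewall, it probes the standard TCP ports an AD join depends on against the DC, so a blocked one shows up in seconds rather than after the three-minute Kerberos timeout described in the post. The default DC hostname is the one quoted in the post; the port list is the standard AD set. Kerberos and DNS also use UDP 88 and 53 (and time sync uses UDP 123), which a TCP connect cannot verify, so those still need a packet capture or UDP scan.

```python
"""Probe the TCP ports an AD domain join depends on.

Added example, not Cisco's or TAC's tool.  Run it from a host on the same
network segment as the ACS; the DC name defaults to the one in the thread.
"""
import socket
import sys

# Standard Active Directory join/authentication ports (TCP only).
# Kerberos (88), DNS (53) and NTP (123) also run over UDP, which a TCP
# connect cannot check; verify those separately (e.g. a capture on the DC).
AD_JOIN_PORTS = {
    53: "DNS",
    88: "Kerberos",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos kpasswd",
    3268: "LDAP global catalog",
}


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, ports=AD_JOIN_PORTS, probe=tcp_probe):
    """Return {port: reachable} for every port in `ports`."""
    return {port: probe(host, port) for port in ports}


def blocked(results, ports=AD_JOIN_PORTS):
    """List the (port, service) pairs that were not reachable."""
    return [(p, ports[p]) for p, ok in sorted(results.items()) if not ok]


def report(host, ports=AD_JOIN_PORTS, probe=tcp_probe):
    """Print one line per port and return the list of blocked ones."""
    results = check_dc(host, ports, probe)
    for port, ok in sorted(results.items()):
        state = "open" if ok else "BLOCKED"
        print(f"{host}:{port:<5} {ports[port]:<22} {state}")
    return blocked(results, ports)


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "domcon04.campus.stevens-tech.edu"
    missing = report(dc)
    sys.exit(1 if missing else 0)
```

The probe function is injectable so the checker can be exercised without a live DC; the exit status makes it usable from a change-control script before and after a firewall rule is added.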


Re: Can't get ACS5.1 to join AD 2003

Hello Chris,

I am curious about your problem; we are experiencing the same issue, so I wonder what the workaround was that Cisco gave you. We have a TAC case open, but they haven't found an answer for this.

Thanks


Re: Can't get ACS5.1 to join AD 2003

Hi Chris,

I didn't have that problem when configuring ACS 5.2 with AD 2003 as the external identity store.

Check the time synchronization between ACS and AD.

And, using ACS 5.2 and AD 2008, I have the same error messages.

But when I use Firefox to do the test connection, it works correctly.

You can try that.
