Cisco Support Community
Community Member

Cisco ACS for multiple AD domains

Hello All -

Is there a way for Cisco ACS v4.1 to authenticate users in different AD domains without having a trust relationship between the different domains?

Any help will be appreciated!


Re: Cisco ACS for multiple AD domains

Yes, just configure as normal and add each domain.

Community Member

Re: Cisco ACS for multiple AD domains

Thanks for your prompt response.

Can you elaborate on what you mean by "just configure as normal and add each domain"?

When I go under External User Databases->Database Group Mappings -> Windows Database -> New configuration, I don't see all the domains listed. The only domain listed is the one where ACS is installed.

I can manually specify the other domain name, but will that really work? How will the ACS server know how to reach the other domains with which it does not have a trust relationship?


Re: Cisco ACS for multiple AD domains

After some digging, apparently we have trusts between the domains. We can just see and add them. According to the documentation, only the domain of which ACS is a member can authenticate users. Indirect trusts will work, as will the remote agent if you're using the appliance, or LDAP, which has some limitations.

Re: Cisco ACS for multiple AD domains


We would require a two-way external/transitive trust between the two domains.

There are 2 ways to work around our problem:

1. Install another ACS at the remote site/domain and forward all the requests for the users of the remote domain to that ACS.

2. Configure the partner domain as LDAP on the ACS (at the corp site); this should not require a domain trust. The only problem is that certain authentication methods will not be supported when using LDAP.

Here is the complete list of stuff which is supported with LDAP: _for_windows/4.1/user/Overvw.html#wp824733

Hope that helps!



Do rate helpful posts
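Both workarounds above hinge on two facts about the ACS host: which domains it already trusts (so the Windows external database can reach them), and whether the partner domain's LDAP service is reachable from that host at all. The script below is an added example, not Cisco's code or anything from the thread; it runs on the Windows server hosting ACS, lists the trust relationships of the domain the server is joined to, and checks TCP reachability of LDAPS (636) and plain LDAP (389) on the partner domain controllers. The controller hostnames and the partner domain name are placeholders to be replaced.

```powershell
# Added example: check what the ACS host can actually reach before
# choosing between the trust-based Windows database and the LDAP workaround.
# Placeholders (not from the thread): replace with the partner domain's DCs.
$PartnerDomain = 'partner.example.local'
$PartnerDCs    = @('dc1.partner.example.local', 'dc2.partner.example.local')

# 1. Enumerate trusts of the domain this server is a member of.
#    ACS 4.1's Windows external database only sees domains reachable via trust.
function Get-LocalDomainTrusts {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = $t.TrustDirection   # Inbound, Outbound, Bidirectional
            Type      = $t.TrustType        # External, Forest, ParentChild, ...
        }
    }
}

# 2. Probe a TCP port with a timeout; plain socket so it works on older
#    PowerShell versions that lack Test-NetConnection.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# --- Report ---
Write-Host "Trusts seen from $env:USERDNSDOMAIN :"
$trusts = Get-LocalDomainTrusts
if (-not $trusts) { Write-Host '  (none)' } else { $trusts | Format-Table -AutoSize }

$trusted = $trusts | Where-Object { $_.Target -ieq $PartnerDomain -and $_.Direction -eq 'Bidirectional' }
if ($trusted) {
    Write-Host "Two-way trust to $PartnerDomain exists: the Windows database can be used directly."
} else {
    Write-Host "No two-way trust to $PartnerDomain: a second ACS or the LDAP database is needed."
}

Write-Host "LDAP reachability of $PartnerDomain controllers from this host:"
foreach ($dc in $PartnerDCs) {
    $ldaps = Test-TcpPort -HostName $dc -Port 636
    $ldap  = Test-TcpPort -HostName $dc -Port 389
    # Prefer LDAPS: the ACS LDAP database sends the bind credentials over this channel.
    Write-Host ("  {0,-35} LDAPS(636)={1,-5} LDAP(389)={2}" -f $dc, $ldaps, $ldap)
}
```

If the trust enumeration shows nothing for the partner domain but port 636 answers, the LDAP external database is the viable option and should be configured with LDAPS rather than plain 389, since the bind account's password otherwise crosses the network in the clear. If neither port answers, a firewall between the sites is the first thing to fix before touching ACS.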
