Cisco Support Community


External AD authentication fails.


I have set up an Active Directory database as an external resource via the Generic LDAP option (I didn't set it up via the Windows database option, as my infrastructure does not allow me this).

I am trying to authenticate with no luck. The report database contains the following error message:

Message type: Authentication failed

Authentication Failure Code: External DB reports about an error condition.

My configuration steps are as follows:

Process all user names

Qualified by suffix (

Strip domain before submitting username to LDAP server

User Directory Subtree=dc=local,dc=com

Group Directory Subtree=dc=local,dc=com

User Object Type=SamAccountName

User Object Class=person

Group Object Type=cn

The rest is default settings.

Certificate DB path: empty

I also created an unknown user policy and added my external database in the list of databases and moved it up.

What am I doing wrong? Any help is appreciated.




Re: External AD authentication fails.

As far as I know, ACS does not have a subtree query mode in which, if a user is not found at the level that was defined, ACS will look further levels deep, so you might want to point the user DN exactly where the users are. Also, your user object type is not defined correctly: if it is indeed the value you are defining, then the correct syntax is sAMAccountName. I would advise downloading the trial of Softerra LDAP Browser and browsing your AD LDAP infrastructure to check the right values that you are using. It might be that you are using the defaults, which would mean that in most cases you would need to use cn as the user object type, and so on.
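A quick way to do the check the reply suggests without installing an LDAP browser is to reproduce the lookup from the command line. The script below is an added example, not code from the original post or from Cisco; it takes the Generic LDAP settings quoted in the question (user subtree `dc=local,dc=com`, object class `person`, user object type `sAMAccountName`, strip domain before submitting), builds the LDAP search filter those settings imply, and assembles the OpenLDAP `ldapsearch` command that runs it against a domain controller. The host `dc1.local.com` and the bind DN are placeholders. The exact query ACS itself sends is not shown in the thread, so this is the search an administrator would run to confirm the values, not ACS's own implementation. The filter value is escaped per RFC 4515, so a username containing `*` or `)` cannot widen the search into a wildcard match.

```python
import shlex

# Constructed to mirror the ACS "Generic LDAP" settings quoted in the question.
ACS_LDAP_CONFIG = {
    "user_directory_subtree": "dc=local,dc=com",
    "group_directory_subtree": "dc=local,dc=com",
    "user_object_type": "sAMAccountName",   # spelling from the reply
    "user_object_class": "person",
    "group_object_type": "cn",
    "strip_domain": True,                   # "Strip domain before submitting username"
}

# RFC 4515 escapes for values placed inside an LDAP search filter.
# Without these a username such as "*)(objectClass=*" would turn the user
# lookup into a wildcard match (LDAP filter injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_domain(username: str) -> str:
    """Apply "strip domain": jdoe@local.com -> jdoe, LOCAL\\jdoe -> jdoe."""
    if "\\" in username:                      # NetBIOS form DOMAIN\user
        username = username.rsplit("\\", 1)[1]
    if "@" in username:                       # UPN form user@domain
        username = username.split("@", 1)[0]
    return username


def user_search_filter(username: str, config: dict = ACS_LDAP_CONFIG) -> str:
    """Build the filter the quoted settings imply: (&(objectClass=person)(sAMAccountName=<user>))."""
    name = strip_domain(username) if config["strip_domain"] else username
    return "(&(objectClass={cls})({attr}={val}))".format(
        cls=escape_filter_value(config["user_object_class"]),
        attr=config["user_object_type"],
        val=escape_filter_value(name),
    )


def ldapsearch_command(username: str, host: str, bind_dn: str,
                       scope: str = "sub", config: dict = ACS_LDAP_CONFIG) -> str:
    """Assemble an OpenLDAP ldapsearch line that runs the same lookup.

    scope="sub" finds the container the user really lives in; rerun with
    scope="one" against that container to confirm a non-recursive search
    still finds the account.  Returns a shell-safe command string.
    """
    args = [
        "ldapsearch", "-x",                   # simple bind
        "-H", "ldap://%s" % host,
        "-D", bind_dn, "-W",                  # prompt for the bind password
        "-b", config["user_directory_subtree"],
        "-s", scope,
        user_search_filter(username, config),
        "dn", config["user_object_type"], "objectClass",
    ]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Placeholder host and bind DN; replace with your own.
    print(ldapsearch_command("jdoe@local.com", "dc1.local.com",
                             "cn=acs,cn=Users,dc=local,dc=com"))
```

If the subtree search returns the account but a `-s one` search against the configured User Directory Subtree does not, the users live in a deeper container than the base DN ACS was given, which matches the reply's advice to point the DN at the container that actually holds them. The returned `objectClass` values and the attribute that carries the login name also confirm whether `person` and `sAMAccountName` are the right settings. Note that plain `ldap://` with a simple bind sends the bind password in clear text; prefer `ldaps://` or add `-ZZ` for StartTLS when the domain controller supports it, just as the empty Certificate DB path in the question means ACS is binding without TLS.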


