We are moving from a Novell to a Microsoft AD environment. The domain controllers are running 2008. Running ACS 4.2 on an ACS SE appliance. So, we need to have a Windows remote agent. We have the unknown user policy active and we have some group mappings that will map our AD groups to ACS groups. When we create those mappings, we can see all of the groups in our domain, so we know that the Windows remote agent is working and ACS can see the domain. However, when we try to authenticate, it fails and ACS reports the error External DB not operational. Well, I know it's operational because when I configure a group mapping, it sees the AD groups.
This is an issue for the TAC to look at... they'll ask you to use the Support page to generate a package.cab file.
Before you do this, set system logging to max, then see if you can replicate the problem - the logs collected in the cab file will then contain as much debug info as possible. If you wanted to look yourself, the cab file holds loads of logs, one of which is the CSAuth service log file - open it and search for "external" and you should find all related logged events.
Currently we are getting a connection between ACS 4.2 and our external AD 2003, but users are not authenticated using the same username and password, and by checking the ACS logs we found "Internal Error".
Can anyone help us identify what kind of error this is?