We have an issue that when a user is a member of too many Windows AD (2003) security groups (roughly 65) they won't get authenticated by our ACS 4.1.
The first thing we investigated was the Windows Kerberos authentication issue, which basically says that if a user is a member of more than 70 security groups then Kerberos authentication might fail. However, we've used the tokensz.exe tool to calculate that the affected users' Kerberos token size isn't above the problem 12,000 bytes. Link to that issue: http://technet.microsoft.com/en-us/library/cc757478%28WS.10%29.aspx
On the ACS, when a user is a member of too many security groups, the error message is "External user not found". When the user is brought down to the "magic" number of security groups authentication works no problem.
At the same time, on the DC, errors can be found in the CSWinAgent.log file:
CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Insufficient space for all of user firstname.lastname@example.org certificates
CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Group list buffer is too small for getting full groups list.
So we are starting to think that the DC and / or CSWinAgent is causing us issues. Has anyone experienced similar issues?
Symptom: Windows External Database authentication fails on the ACS 4.0 SE if a user is a member of too many Windows groups.
Conditions: This is specific to the ACS SE running 4.0.1(42) or earlier using Windows Domain Authentication to the ACS Remote Agent.
Workaround: Reduce the number of group memberships the user is part of or reduce the length of the group names the user is a part of.
Further Problem Description: If a user is a part of enough Windows groups that the total number of characters of all the groups exceeds 1024 bytes, the authentication of that user will fail. All other users should still authenticate without any trouble.
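The two limits discussed in this thread (the ~12,000-byte Kerberos token and the 1024-byte ACS Remote Agent group-list buffer) can be checked offline from a user's group list before touching the ACS. The script below is an added example, not code from the thread, Cisco or Microsoft. It assumes the agent packs each group name as UTF-8 plus one separator byte (the real packing is not documented here), and it uses the Microsoft KB327825 token-size formula (TokenSize = 1200 + 40d + 8s). The sample memberships are constructed, not real directory output.

```python
from collections import Counter

# Limits discussed in the thread, kept as constants for the check.
GROUP_LIST_BUFFER_LIMIT = 1024   # ACS Remote Agent group-list buffer, bytes
MAX_TOKEN_SIZE = 12000           # default Kerberos MaxTokenSize on Windows 2003-era DCs

# Assumption: each group name is stored as UTF-8 followed by one
# separator/terminator byte. The exact packing is not documented in the thread.
SEPARATOR_BYTES = 1


def group_list_bytes(group_names):
    """Bytes needed to hold the full group-name list under the assumed packing."""
    return sum(len(name.encode("utf-8")) + SEPARATOR_BYTES for name in group_names)


def kerberos_token_estimate(scopes):
    """Estimate Kerberos access-token size with the KB327825 formula:
        TokenSize = 1200 + 40*d + 8*s
      d = domain-local groups + universal groups outside the user's domain
      s = global groups + universal groups inside the user's domain
    `scopes` holds one of "domain_local", "global", "universal_in",
    "universal_out" per group membership."""
    counts = Counter(scopes)
    d = counts["domain_local"] + counts["universal_out"]
    s = counts["global"] + counts["universal_in"]
    return 1200 + 40 * d + 8 * s


def check_user(username, memberships):
    """memberships: list of (group_name, scope) tuples.
    Returns a dict saying which of the two limits the user would exceed."""
    names = [name for name, _ in memberships]
    scopes = [scope for _, scope in memberships]
    list_bytes = group_list_bytes(names)
    token = kerberos_token_estimate(scopes)
    return {
        "user": username,
        "groups": len(names),
        "group_list_bytes": list_bytes,
        "exceeds_group_list_buffer": list_bytes > GROUP_LIST_BUFFER_LIMIT,
        "token_estimate": token,
        "exceeds_max_token_size": token > MAX_TOKEN_SIZE,
    }


# Constructed sample data (not real directory output). "bob" mirrors the
# poster's case: ~65 groups, well under the Kerberos limit, but the sheer
# length of the group names overflows the 1024-byte list buffer.
SAMPLE_USERS = {
    "alice": [(f"Dept-{i}", "global") for i in range(10)],
    "bob":   [(f"SG-Corp-Application-Access-{i:03d}", "global") for i in range(65)],
}

if __name__ == "__main__":
    for user, memberships in SAMPLE_USERS.items():
        r = check_user(user, memberships)
        flag = "FAIL" if (r["exceeds_group_list_buffer"]
                          or r["exceeds_max_token_size"]) else "ok"
        print(f"{r['user']:6} groups={r['groups']:3} "
              f"list_bytes={r['group_list_bytes']:5} "
              f"token~{r['token_estimate']:5}  {flag}")
```

Feeding it a real user's memberships (for example from the output of a group-listing tool) shows why tokensz.exe reports no problem while the agent still logs "Group list buffer is too small": the token estimate and the concatenated-name length are independent limits, and only the second one scales with name length.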
Please upgrade ACS to 4.1.4 and that should fix it.
First you need to upgrade it to 4.1.1 and then 4.1.4