Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

User states within CSA

I have been trying for the life of me to figure out why CSA will not allow a group, that I create in AD, to have write access to a wwwroot directory. I can make user accounts work, I can make the built-in accounts in AD (Domain Admins) work. However if I make a group called Domain Admins2, I get no lovin from the MC.

The rule is as follows:

Deny All apps, but not "www services", read/write/create dir.

The user state var is as follows : user <all>, <none>; groups <all>, "Domain Admins2"

I have also tried reversing the rule and doing a allow with the "Domain Admins2" in the first box of the user state.

Other then updating to 5.2 has anyone run into this issue?????


Re: User states within CSA

You should run the csa diagnostics from the csamc, this will tell you exactly what groups csa is seeing on your machine. Also remember that it is the cretedential used to execute a certain function that is used in user-states, not the logged-in user, so you might see some things not getting hit with a user-state if it is executed by ex. SYSTEM

New Member

Re: User states within CSA

I don't see any options for a diagnostics on the MC. Is it called something else?

In the Event Log on the deny that is logged, I can click on details and see that it is being seen as Domain Admins2.

Also I have read that CSA should allow you on if you are a part of any group, not just one that has to be set primary in Active Directory. I can see this being a Windows AD issue though.


Re: User states within CSA

It's on the host detail page under Host Status > Detailed status and diagnostics.

That takes you to another screen where you can run the diags.


Re: User states within CSA

Could it be that you have created the Deny rule as a Priority Deny, which overrides Priority Allow Rules ? Maybe post the actual event here on the forum ?

New Member

Re: User states within CSA

The rule will be a priority deny, that allows the specified group.

I did get this to work, thanks to the host diagnostic link gave me the info I needed, granted I still can't get the name to work, however the SID for the group works just fine, and meets the needs of the web admin.

CreatePlease to create content