I would like to use Active Directory authentication for users such as help desk and network staff. How do you configure the Active Directory plugin? Hopefully there is some documentation on how to fill in the blanks in the plugin. Any help would be appreciated. Have searched TAC and this forum and can find nothing. The help file in CW is useless.

I am not sure whether any detailed documentation is available on configuring the AD login module. I am including descriptions of the various fields in AD login module and how they are configured:


Server:-

This field has the name of the Win2K server with Active Directory (AD) configured. CiscoWorks will use LDAP to authenticate against this server. The contents of this field mention an LDAP URL. So if we have a Win2K Advanced Server (having AD) with the name "" then this field will contain the URL "ldap://"


Usersroot:-

This is the root LDAP distinguished name that is used to authenticate users. I will come to the detailed configuration for this a little later.


Prefix:-

The prefix to prepend before the userid entered during login. It should be kept at its default value of "cn=".


This will enable (True) / disable (False) debug mode for the login module. During initial attempts it is a good idea to set this to True. In debug mode detailed logs will be generated in the file CSCOpx\lib\jrun\jsm-cw2000\logs\stdout.log

This will help in debugging problems. This option should be set to False once the configuration is working fine to avoid the performance penalty of detailed logging.

Login Fallback Options:-

This setting controls whether to allow authentication of users against the local CiscoWorks user database if authentication against AD fails. It is a good idea to retain the default setting of authenticating only CiscoWorks admin against CiscoWorks local db.

The setting "Allow no fallbacks to the CiscoWorks Local login." is risky. If the AD authentication does not work for any reason then login to CiscoWorks will be denied to all users including local admin.

In order to understand the "Usersroot" configuration, let's look at a typical Active Directory configuration in Win2K:

(The root AD domain)


|-- Builtin

|-- Computers |-- default AD groups

|-- Users


|-- Netop (Organizational Unit)

By default the users will be created under the Users group. It is also possible to create groups in AD and make users members of multiple groups. However, AD groups are not supported by CiscoWorks.

Let's also suppose that the fully-qualified Win2K server name is, and that we want to authenticate users against userids in the default "Users" group.

Thus our configuration will look like:

Server: ldap://

Usersroot: cn=Users, dc=domain1, dc=com

Prefix: cn=

Please note that the server name "master1" is Not included in the Usersroot field. The default Usersroot string in CiscoWorks includes "dc=servername" which is misleading.

Now suppose that you want to authenticate users against the userids in the "Netop" Organizational Unit. In this case only the "Usersroot" configuration needs to change:

Usersroot: ou=Netop, dc=domain1, dc=com

That's about all I can think of about the Active Directory login module at the moment. Please let me know if you have any questions/doubts.
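An added example, not part of the thread and not CiscoWorks code: a Python check of the Server, Usersroot and Prefix values described in the answer above, plus the bind DN they would produce for a given userid. It assumes the login module binds as Prefix + userid + "," + Usersroot (inferred from the field descriptions, not confirmed on this page); the function names, the host name master1.domain1.com and the userids are constructed for illustration.

```python
import re

def escape_rdn_value(value: str) -> str:
    """Escape a userid for use as an RDN value (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def bind_dn(userid: str, usersroot: str, prefix: str = "cn=") -> str:
    """ASSUMPTION: the module binds as Prefix + userid + ',' + Usersroot."""
    if not userid:
        raise ValueError("empty userid")
    return f"{prefix}{escape_rdn_value(userid)},{usersroot}"

def check_config(server: str, usersroot: str, prefix: str = "cn=") -> list:
    """Return a list of problems with the Server/Usersroot/Prefix values."""
    problems = []
    m = re.fullmatch(r"ldap://([A-Za-z0-9.-]+)(:\d+)?/?", server)
    if not m:
        problems.append("Server is not an ldap://host URL")
    # Naive split: fine for simple DNs with no escaped commas.
    rdns = [r.strip().lower() for r in usersroot.split(",")]
    if m and "dc=" + m.group(1).split(".")[0].lower() in rdns:
        problems.append("Usersroot contains the server host name as dc=")
    if not any(r.startswith("dc=") for r in rdns):
        problems.append("Usersroot has no dc= domain components")
    if not re.fullmatch(r"[A-Za-z]+=", prefix):
        problems.append("Prefix should be an attribute name plus '='")
    return problems

if __name__ == "__main__":
    # Constructed sample values; master1/domain1 follow the thread's naming.
    server = "ldap://master1.domain1.com"
    for root in ("cn=Users, dc=domain1, dc=com",
                 "ou=Netop, dc=domain1, dc=com",
                 "cn=Users, dc=master1, dc=domain1, dc=com"):
        print(root, "->", check_config(server, root) or "ok")
    for uid in ("jsmith", "DOM\\jsmith", "x,ou=Netop"):
        print(repr(uid), "->", bind_dn(uid, "cn=Users, dc=domain1, dc=com"))
```

Escaping the userid keeps a login name containing a comma or backslash inside the single cn= component instead of altering the rest of the DN.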



This explains a lot. I will give these a try and let you know my results. Thanks very much for the info.



I am currently trying this out with no success. My server is a W2k workgroup server, but I am able to authenticate and access the LDAP from both server and ws connected to our test domain using the MS Ldap 2000 query tool.

My config is:

server ldap://

Userroot ou=ADC accounts,ou=accounts,dc=dev,dc=fg,dc=xxx,dc=com


note* there is a space between ADC and accounts, and I left no spaces between parameters.

Looking at stdout.log :

init: Obtained thread pool entry:

java.lang.StringIndexOutOfBoundsException: String index out of range: -2

Q: When I launch Cw2k I still specify :1741 and the logon box still appears. I tried using domain\user name with password as well as domain ID and password and cannot log in. Is the logon panel still supposed to show up?

Does a matching user ID need to be inputted to local db?

