
Cisco Secure Access Control Server for Windows

Field Notice: *Expired* FN - 20228 - Authentication Failures When ACS/NT 3.0 Is Authenticating to Active Directory


Revised November 7, 2006

July 31, 2002

NOTICE:

THIS FIELD NOTICE HAS BEEN ARCHIVED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product      Comments
CSACS-3.0    Cisco Secure ACS 3.0 for Windows

Problem Description

When Cisco Secure ACS NT Version 3.0 is authenticating to a Windows Active Directory, the authentication may fail and generate errors.

Background

Cisco has observed that, in some customer environments, there are issues related to ACS external user authentication to a Windows Active Directory (AD). This problem can occur due to a permissions issue in the AD.

Depending on the Windows environment, some member servers do not have the appropriate permissions to:

  • Read the AD in order to validate the user's authentication credentials

  • Retrieve the dial-in permission authorization

  • Enumerate a group listing in order to perform the ACS group mapping function.

Cisco has verified this and is currently working with Microsoft to resolve this issue in accessing the AD.

Problem Symptoms

Entries like the ones listed below will be captured in the auth.log file if the logging level has been set to Full and the services were restarted before an AD user attempted to authenticate. The distinguishing signature is that the NT/2000 credential check succeeds but the subsequent RAS (dial-in) lookup fails with error 0x5 (ERROR_ACCESS_DENIED), which points to a permissions problem rather than a bad password.

Note: To set the logging level, open ACS Admin and navigate to System Configuration -> Service Control. The logging level should be set to Full. If it is not currently set to Full, select the Full level of detail, check the box to manage the log directory so that log files do not fill the hard drive, then select Restart.

AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: Starting authentication for user [test]
AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by TESTDOM)
AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user test from TESTDOM
AUTH 07/13/2002 17:23:12 E 0266 1932 External DB [NTAuthenDLL.dll]: RasAdminUserGetInfo returned error 0x5
AUTH 07/13/2002 17:23:12 E 0266 1932 External DB [NTAuthenDLL.dll]: Failed to get RAS information for user test from TESTDOM 
AUTH 07/13/2002 17:23:12 I 5081 1932 Done RQ1026, client 2, status -1058
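The following Python script is an added example, not part of the field notice and not Cisco code. It parses auth.log lines in the format shown above and flags requests that match this notice's signature (credential check SUCCESSFUL, then RasAdminUserGetInfo error 0x5), so the symptom can be distinguished from ordinary bad-password failures in a large log. Assumptions, labelled in the code: the second numeric field on each line (1932 above) is used as the per-request correlation key, a final "status 0" is treated as success, and the log lines for users bob and alice are constructed for the sample; only the test user's lines come from the notice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ACS auth.log line, e.g.
#   AUTH 07/13/2002 17:23:12 E 0266 1932 External DB [NTAuthenDLL.dll]: RasAdminUserGetInfo returned error 0x5
# ASSUMPTION: the second numeric field (1932) is constant across the lines of one
# authentication request, so it is used here as the correlation key.
LINE_RE = re.compile(
    r"^AUTH (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<level>[A-Z]) (?P<comp>\d+) (?P<req>\d+) (?P<msg>.*?)\s*$"
)
START_RE = re.compile(r"Starting authentication for user \[(?P<user>[^\]]*)\]")
NT_OK_RE = re.compile(r"NT/2000 authentication SUCCESSFUL \(by (?P<dom>\S+)\)")
RAS_ERR_RE = re.compile(r"RasAdminUserGetInfo returned error 0x(?P<code>[0-9A-Fa-f]+)")
DONE_RE = re.compile(r"Done RQ\d+, client \d+, status (?P<status>-?\d+)")

ERROR_ACCESS_DENIED = 0x5  # Win32 error code shown in the notice


@dataclass
class Request:
    req_id: str
    user: Optional[str] = None
    domain: Optional[str] = None
    nt_auth_ok: bool = False
    ras_error: Optional[int] = None
    status: Optional[int] = None

    def classify(self) -> str:
        # FN-20228 signature: the domain validated the password, then the
        # dial-in (RAS) lookup was refused with ERROR_ACCESS_DENIED.
        if self.nt_auth_ok and self.ras_error == ERROR_ACCESS_DENIED:
            return "FN-20228: AD permission failure after successful credential check"
        if self.ras_error is not None:
            return f"RAS lookup failed with 0x{self.ras_error:x} (not the notice's 0x5)"
        if self.status not in (None, 0):  # ASSUMPTION: non-zero status means failure
            return "failed without the RAS/AD permission signature"
        return "no failure recorded"


def parse_auth_log(text: str) -> List[Request]:
    """Group AUTH lines by request id and extract the fields used for classification."""
    requests: Dict[str, Request] = {}
    order: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AUTH line in the expected format; skip rather than guess
        req = requests.get(m["req"])
        if req is None:
            req = requests[m["req"]] = Request(m["req"])
            order.append(m["req"])
        msg = m["msg"]
        if s := START_RE.search(msg):
            req.user = s["user"]
        elif s := NT_OK_RE.search(msg):
            req.nt_auth_ok, req.domain = True, s["dom"]
        elif s := RAS_ERR_RE.search(msg):
            req.ras_error = int(s["code"], 16)
        elif s := DONE_RE.search(msg):
            req.status = int(s["status"])
    return [requests[r] for r in order]


def find_fn20228(text: str) -> List[str]:
    """Return the users whose requests match the field notice signature."""
    return [r.user or r.req_id for r in parse_auth_log(text)
            if r.classify().startswith("FN-20228")]


# Sample log: request 1932 is copied from the field notice; requests 2044 and
# 2101 are CONSTRUCTED for illustration (their status values are illustrative).
SAMPLE_LOG = """\
AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: Starting authentication for user [test]
AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by TESTDOM)
AUTH 07/13/2002 17:23:12 I 0266 1932 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user test from TESTDOM
AUTH 07/13/2002 17:23:12 E 0266 1932 External DB [NTAuthenDLL.dll]: RasAdminUserGetInfo returned error 0x5
AUTH 07/13/2002 17:23:12 E 0266 1932 External DB [NTAuthenDLL.dll]: Failed to get RAS information for user test from TESTDOM
AUTH 07/13/2002 17:23:12 I 5081 1932 Done RQ1026, client 2, status -1058
AUTH 07/13/2002 17:24:03 I 0266 2044 External DB [NTAuthenDLL.dll]: Starting authentication for user [bob]
AUTH 07/13/2002 17:24:03 I 0266 2044 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
AUTH 07/13/2002 17:24:03 I 5081 2044 Done RQ1027, client 2, status -1058
AUTH 07/13/2002 17:25:40 I 0266 2101 External DB [NTAuthenDLL.dll]: Starting authentication for user [alice]
AUTH 07/13/2002 17:25:40 I 0266 2101 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by TESTDOM)
AUTH 07/13/2002 17:25:40 I 5081 2101 Done RQ1028, client 2, status 0
"""

if __name__ == "__main__":
    for r in parse_auth_log(SAMPLE_LOG):
        print(f"req {r.req_id} user={r.user} domain={r.domain}: {r.classify()}")
    print("matches field notice signature:", find_fn20228(SAMPLE_LOG))
```

Run it against a copy of auth.log captured with logging set to Full; a non-empty list from find_fn20228 is the indicator to apply the workarounds in the next section, whereas failures without the 0x5 RAS error should be investigated as ordinary credential or connectivity problems.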

Workaround/Solution

Because customers' Active Directory environments differ, we have determined several workarounds which may help in resolving this issue. Please review the following recommendations and make changes as necessary to resolve this issue. One or more of these recommendations may be required to resolve the problem.

  1. Clear the option that requires the user to have been granted dial-in permission in the AD. This can be completed in ACS by navigating to External User Databases -> Database Configuration, then selecting Windows NT/2000 and Configure. Note that this removes the per-user dial-in flag as an authorization control: ACS will then accept any user the domain authenticates, subject only to group mapping.

  2. Add all users to the Pre-Windows 2000 Compatible Access group in the AD. This will allow read access to the AD by these accounts. Be aware that membership in this group relaxes the read ACLs on user and group objects domain-wide, so grant it as narrowly as your environment allows rather than to every account.

  3. Change the logon credentials for the ACS services to use a domain administrator account. Often the local member server administrator account does not have any rights in the AD. Be aware that this gives the ACS services, and anyone who compromises the ACS host, domain administrator rights, so protect the host accordingly.

    1. Ensure the ACS services start with the Domain Administrator account.

    2. Ensure you are able to log in to the server using this Domain Administrator account.

    3. Ensure the Domain Administrator account (or the account with which the services start) has the privileges to Log on locally, Log on as a service, and Act as part of the operating system.

  4. Remove the per-group database group mappings for the Windows NT/2000 database and rely only on the default "All Other Combinations" mapping, so that ACS no longer needs to enumerate AD groups during authentication.

  5. If none of the previous workarounds resolve the issue in your Windows AD environment, promote the ACS server to a domain controller. Note that ACS then runs on a domain controller, so any compromise of the ACS host is a compromise of the domain.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS          Description
CSCdy18833    ACS 3.0 on Win2k SP2 member server fails to auth ext. NT/2000 users
              (registered customers only)

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.