
Cisco Secure Access Control Server for Windows

Field Notice: FN - 62167 - ACS Windows 3.3.3 - User Authentication Failure With NTLM V2 - Software Update Required


Revised January 26, 2006

January 24, 2006

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

  • ACS Windows - 3.3.3

Problem Description

When NT LAN Manager (NTLM) V2 is in use on the Windows servers, usually on the Windows 2003 platform, Cisco Secure Access Control Server (ACS) 3.3.3 will not properly authenticate Windows users. The Domain Controller will indicate an authentication failure.

Background

NTLM V2 was introduced in Windows 2003. When this version of NTLM authentication is in use on the Domain Controller that ACS authenticates against, the authentication will fail. The fix was previously available only in ACS for Windows 4.0, where it is built into the product.

Problem Symptoms

When users try to authenticate against a Windows 2003 server running NTLM V2, the authentication attempt will fail with an authentication failed message and the user will not be logged into the domain.

Workaround/Solution

There are two ways to resolve this issue:

  1. Request a patch from Cisco TAC to enable this functionality on the 3.3.3 platform.

  2. Upgrade to ACS 4.x code for fully integrated NTLM v2 functionality.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

| DDTS | Description |
|---|---|
| CSCea91947 (registered customers only) | ACS will not authenticate Win2k users when NTLMv2 is enabled on network. |

Revision History

| Revision | Date | Comment |
|---|---|---|
| 1.1 | 26-JAN-2006 | Workaround section updated. |
| 1.0 | 24-JAN-2006 | Initial Public Release |

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.