Cisco ACS- All about Active Directory.

ACS TO AD
1. First it checks whether it can reach DNS using both UDP and TCP.
2. Next it does a reverse DNS lookup of its IP to find the name
associated with that IP in DNS. If ACS is behind NAT, the local (not
NATed) IP address should resolve to the hostname of the ACS.
3. Next it does an _ldap._tcp.<domain> SRV DNS query for the domain to find the DC.
4. It then checks whether it can reach the DC on the following ports:
ldap: 389/tcp
ldap: 389/udp
smb: 445/tcp
kdc: 88/tcp
kpasswd: 464/tcp
ntp: 123/udp
5. It then binds (LDAP) anonymously to the DC to find the following:
DC name
DC OS
Domain name
GC status
DC functionality
Site name
6. Next it tries to find the GC using the _gc._tcp.<domain> SRV DNS query.
7. Then it checks whether the GC is reachable on port 3268.
8. Next it connects to the DC again to verify the site name and subnet.
9. Finally it compares the clock on the ACS with the clock on the DC.
========================================================================
Database replication: TCP 2638
========================================================================
ACS View Collector: UDP 20514
========================================================================
SNMP (for requests): UDP 161
SNMP (for notifications): UDP 162
========================================================================
AD:-
++ Check that the clocks on AD and the ACS match. There can be up to a
5 minute difference, but the time zone has to be the same.
++ Check that the domain name configured in the AD configuration on the
ACS can be resolved by the DNS server set up on the ACS. To check this you
can perform a ping <domain-name> or nslookup <domain-name>.
++ Check that the user being used to make the bind has Account Operator
rights, since this account will be used to create a computer account
in AD. Also we recommend that this account isn't used by anyone else and is
set to never expire.
++ Go to the ACS GUI, perform a test connection and send me the output. To
do this go to Users and Identity Stores > External Identity Stores >
Active Directory.
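As an added example (not from the original post or from Cisco), the reachability and clock parts of the join sequence above (steps 4, 7 and 9, plus the 5 minute tolerance in the checklist) as a small Python checker; the host name dc01.example.com is a placeholder, and the SNTP query assumes the DC answers on UDP/123 as the port list expects.

```python
import socket
import struct
import time

# TCP ports the join check probes on the DC (list above); 3268 is the GC port (step 7).
DC_TCP_PORTS = {"ldap": 389, "smb": 445, "kdc": 88, "kpasswd": 464, "gc": 3268}
MAX_SKEW_SECONDS = 5 * 60        # the 5 minute tolerance noted in the checklist
NTP_EPOCH_OFFSET = 2208988800    # seconds between 1900-01-01 and the Unix epoch

def check_tcp_ports(host, ports=DC_TCP_PORTS, timeout=3.0, connect=socket.create_connection):
    """Return {name: reachable} for each TCP port; 'connect' is injectable for tests."""
    results = {}
    for name, port in ports.items():
        try:
            connect((host, port), timeout=timeout).close()
            results[name] = True
        except OSError:
            results[name] = False
    return results

def parse_sntp_transmit_time(packet):
    """Convert the transmit timestamp (bytes 40-47) of a 48-byte SNTP reply to Unix time."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32

def query_sntp(host, timeout=3.0):
    """Send a minimal SNTP request (LI=0, VN=3, mode=3) to UDP/123 and return the DC's time."""
    request = b"\x1b" + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(48)
    return parse_sntp_transmit_time(reply)

def clock_skew_ok(dc_time, local_time, max_skew=MAX_SKEW_SECONDS):
    """True when the DC and ACS clocks differ by no more than max_skew seconds."""
    return abs(dc_time - local_time) <= max_skew

if __name__ == "__main__":
    host = "dc01.example.com"     # placeholder DC name; replace with yours
    print(check_tcp_ports(host))
    dc_time = query_sntp(host)
    skew = dc_time - time.time()
    print("DC clock skew %.1fs, within tolerance: %s" % (skew, clock_skew_ok(dc_time, time.time())))
```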


ACS 5.x was designed to retrieve AD attribute information only
when the policy refers to AD:External Groups. Troubleshooting steps:
1. Restart the ACS services.
2. Delete the ACS machine account from AD and disconnect/re-join it to AD.

How to change Kerberos encryption types:
Security Settings \ Local Policies \ Security Options \ "Network security:
Configure encryption types allowed for Kerberos"

While processing an AS request for target service krbtgt, the account smcwifiacs01$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 1. The accounts available etypes were 23  -133  -128  18  17  3  -140

http://support.microsoft.com/kb/978055 - KB article: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain

http://technet.microsoft.com/en-us/library/cc734055.aspx - Event ID 26: KDC Encryption Type Configuration

http://technet.microsoft.com/en-us/library/jj852180%28v=ws.10%29.aspx - Network security: Configure encryption types allowed for Kerberos

While processing an AS request for target service krbtgt/SOMERSET-HEALTHCARE.COM, the account smcwifiacs02$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 3). The requested etypes : 17. The accounts available etypes : 23  -133  -128. Changing or resetting the password of krbtgt will generate a proper key.

http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml - Kerberos encryption type numbers (IANA registry)


ACS was sending DES, which is disabled by default on Windows Server 2008 R2. In the events above, etype 1 is des-cbc-crc and 3 is des-cbc-md5; 17 and 18 are AES128 and AES256, and 23 is RC4-HMAC (see the IANA registry linked above).

http://tools.ietf.org/html/rfc3961#section-8
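The KDC events quoted above are easier to read once the etype numbers are decoded and the requested list is compared with the account's keys. This added Python helper (not from the original post) does that for both phrasings of the event, using etype names from the IANA registry linked above; the negative values in the events are Microsoft-private types and are reported as unknown.

```python
import re

# Kerberos etype numbers from the IANA registry linked on this page; negative
# values seen in the events are Microsoft-private types and are not in the registry.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
DES_ETYPES = {1, 2, 3}        # disabled by default on Windows Server 2008 R2
AES_ETYPES = {17, 18}

# Both phrasings seen in the events above: "etypes were 1." and "etypes : 17."
_INT_LIST = r"((?:-?\d+\s*)+)"
REQUESTED_RE = re.compile(r"requested etypes\s*(?:were|:)\s*" + _INT_LIST)
AVAILABLE_RE = re.compile(r"available etypes\s*(?:were|:)\s*" + _INT_LIST)

def parse_event(message):
    """Return (requested, available) etype lists from a KDC event message."""
    req, avail = REQUESTED_RE.search(message), AVAILABLE_RE.search(message)
    if not req or not avail:
        raise ValueError("etype lists not found in message")
    return [int(t) for t in req.group(1).split()], [int(t) for t in avail.group(1).split()]

def etype_name(etype):
    return ETYPE_NAMES.get(etype, "private/unknown etype %d" % etype)

def diagnose(message):
    """Explain the mismatch: which requested etypes the account has no key for,
    whether the client asked for DES, and whether the account has no AES keys at all."""
    requested, available = parse_event(message)
    missing = [e for e in requested if e not in available]
    return {
        "requested": [etype_name(e) for e in requested],
        "available": [etype_name(e) for e in available],
        "missing": [etype_name(e) for e in missing],
        "client_requested_des": any(e in DES_ETYPES for e in requested),
        "account_lacks_aes_keys": not any(e in AES_ETYPES for e in available),
    }

if __name__ == "__main__":
    # First KDC event quoted on this page
    EVENT = ("While processing an AS request for target service krbtgt, the account "
             "smcwifiacs01$ did not have a suitable key for generating a Kerberos ticket "
             "(the missing key has an ID of 1). The requested etypes were 1. The accounts "
             "available etypes were 23  -133  -128  18  17  3  -140")
    for key, value in diagnose(EVENT).items():
        print("%s: %s" % (key, value))
```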
================================================================================

Below are the commands run in root mode after installing the root patch provided by Cisco TAC.

To stop the adclient:
./ACS_AD_Runner.sh adclient -x

To start the adclient:
./ACS_AD_Runner.sh adclient

To leave a domain:
./ACS_AD_Runner.sh adleave -u <username> -r

To join a domain:
./ACS_AD_Runner.sh adjoin -u <username> -z null -V <domain>


To flush the client cache:
./ACS_AD_Runner.sh adflush


To point the AD agent at specific DCs and GCs, edit centrifydc.conf in
/opt/CSCOacs/runtime/adagent/etc:
# acs stop adclient
# vi centrifydc.conf
dns.dc.<domain.name>: <hostname>
dns.gc.<domain.name>: <hostname>
# Example:
# dns.dc.acme.com: anvil.acme.com cayote.acme.com
# dns.gc.acme.com: roadrunner.acme.com
Press 'a' to enter insert mode, Esc to leave insert mode, then enter :wq to save and quit.
========================================================================
acstest/rsriramo# acs troubleshoot adcheck MCS55.com
acs/admin# acs troubleshoot adcheck -v   (Centrify DC)

acstest/rsriramo# acs troubleshoot adinfo -a   (connected or not connected)
acstest/rsriramo# acs troubleshoot adinfo -r   (shows the joined domain controller)
