NAD (ASA/routers) able to log in via admin credentials as well when ACS is still up

samahmad
Level 1

Hi All,

I need expert advice. I am on ACS 5.6 with fallback authentication configured; there is no issue in terms of configuration on the NAD. What is strange is, once I try to log in via AD credentials it works fine; however, if I enter admin credentials, they are also accepted, though they should not work. After analysing, I found that via admin it takes 10-15 seconds to log in the first time and then it is faster, and my AD credentials are blocked at that time.

I checked sh aaa-server on the ASA; it showed me TACACS disabled, and after 20 minutes it started working again with AD.

I enabled Wireshark on ASA/ACS; it showed that AD is timing out the connection once it tried to authenticate via admin, and there is an error message related to the KDC: "KRB5KDC_ERR_ETYPE_NOSUPP".

++Already verified the NTP timing; there is no difference between ACS and AD. Can it be an encryption problem, as there is no ACS? I am not technical on AD; what can we check to fix this permanently?

The log messages in the ACS support bundle are:

Feb  4 09:40:24 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > network.state NST: SniffList: postfailsort=xxxxxxxet 
Feb  4 09:40:39 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > base.osutil Module=Base : KDC unavailable: Cannot contact any KDC for requested realm (reference base/aduser.cpp:962 rc: 1019)

Philip D'Ath
VIP Alumni

Could you have had a DNS failure that caused "KDC unavailable"?

Thanks Philip,

How do I verify it? My AD IP address and DNS IP are the same.

++We came across this issue when our AD credentials stopped working intermittently for approximately 10 minutes, and the error message on ACS is "application identity store not available".

++There is no expert person in AD; are there any settings we can verify or test in AD?

++Resolution of the domain name is working fine.

Please double check that ports UDP 88 and TCP 88 are allowed between the ACSs and the DCs. Also, what do you see when you run the test / diagnostic tool from ACS?

Run nslookup from the ACS CLI for your domain name. There is a possibility that the DC listed at the top of the list is not in production any more, and ACS keeps trying to contact it first and waits 15 seconds before moving on to the next DC in the same list.

Also, if you want to put the ACS into debug mode, type acs-config and log in with your GUI credentials, then run (config-acs)# debug-adclient enable and recreate the issue. After that, check the following logs on ACS:

sh acs-logs filename ACSADAgent.log | last 80

~ Jatin
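The symptom Jatin describes (adclient stalling for about 15 seconds on a KDC before giving up) shows up directly in the ACSADAgent.log debug lines quoted in the original post: the "SniffList" line marks the start of an authentication attempt on a given file descriptor, and the next line on the same fd marks its outcome, 15 seconds later in this case. The following script is an added example, not part of the thread or of Cisco's own tooling; it parses that log format and reports each attempt's duration and whether it ended in "KDC unavailable", so you can see at a glance whether the ACS-to-AD leg is what is tripping the ASA's TACACS deadtime. The first two sample lines are the ones quoted in the thread; the last two are constructed to give a healthy baseline, and the "user validated" message text is an assumption, not a real adclient string.

```python
import re
from datetime import datetime

# Constructed sample input. Lines 1-2 are the ones quoted in the thread;
# lines 3-4 are made up to show a fast, successful attempt on another fd.
SAMPLE_LOG = """\
Feb  4 09:40:24 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > network.state NST: SniffList: postfailsort=xxxxxxxet
Feb  4 09:40:39 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > base.osutil Module=Base : KDC unavailable: Cannot contact any KDC for requested realm (reference base/aduser.cpp:962 rc: 1019)
Feb  4 09:41:02 xxxxxx adclient[19294]: DEBUG <fd:42 CAPIAuthValidatePlainTextUser > network.state NST: SniffList: postfailsort=xxxxxxxet
Feb  4 09:41:03 xxxxxx adclient[19294]: DEBUG <fd:42 CAPIAuthValidatePlainTextUser > base.osutil Module=Base : user validated (constructed message)
"""

# syslog-style prefix, then "adclient[pid]: LEVEL <fd:N func > message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ adclient\[\d+\]: \w+ "
    r"<fd:(?P<fd>\d+) (?P<func>\S+) > (?P<msg>.*)$"
)

KDC_FAIL_MARKERS = ("KDC unavailable", "Cannot contact any KDC")


def parse_ts(ts):
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because we only ever subtract two timestamps from the same log.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def analyze(log_text, stall_seconds=10):
    """Pair each SniffList line with the next line on the same fd.

    Returns one dict per completed attempt: fd, elapsed seconds, whether it
    ended with a KDC-unavailable error, and whether it exceeded stall_seconds
    (Jatin's 15-second per-DC timeout would trip the default threshold).
    """
    open_attempts = {}  # fd -> start time of the attempt
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, fd, msg = parse_ts(m["ts"]), m["fd"], m["msg"]
        if "SniffList" in msg:
            open_attempts[fd] = ts      # start of an auth attempt on this fd
            continue
        start = open_attempts.pop(fd, None)
        if start is None:
            continue                    # outcome line without a start; skip
        elapsed = (ts - start).total_seconds()
        kdc_unavailable = any(marker in msg for marker in KDC_FAIL_MARKERS)
        results.append({
            "fd": fd,
            "elapsed": elapsed,
            "kdc_unavailable": kdc_unavailable,
            "stalled": elapsed >= stall_seconds,
        })
    return results


def worst_stall(results):
    """Longest attempt seen, or 0.0 if there were none."""
    return max((r["elapsed"] for r in results), default=0.0)


if __name__ == "__main__":
    attempts = analyze(SAMPLE_LOG)
    for a in attempts:
        state = "KDC UNAVAILABLE" if a["kdc_unavailable"] else "ok"
        flag = " (stalled)" if a["stalled"] else ""
        print(f"fd {a['fd']}: {a['elapsed']:.0f}s {state}{flag}")
    print(f"worst stall: {worst_stall(attempts):.0f}s")
```

Feed it the output of `sh acs-logs filename ACSADAgent.log` after recreating the issue with debug-adclient enabled; a run of stalled attempts that each end in "KDC unavailable" is consistent with a dead or filtered DC at the head of the SRV list, and the stall lengths tell you how long each TACACS request sat before the ASA gave up on the server.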

Hi Jatin,

I have already captured the debug, and the domain name is fine; we are only using one domain controller. The captures suggest that there are certain encryption parameters on ACS that AD does not seem to have enabled.

Ports are allowed, and the test connection is successful from ACS.

This only happens if I am trying to log in via admin credentials, which should not work when ACS is up. There were issues earlier when we were not able to log in via AD credentials even though ACS was still up.

You can refer to -637953097, which I have opened; the engineer has done a great job in isolating the issue.

All details are mentioned there. I have not approached the AD people, as they are not technical, and I need to be sure what recommendation I can make.

It seems the issue has been fixed: I enabled the KDC service, which is an automatic service on the AD server, and all is back to normal.

I will take a working capture from ACS with AD credentials and check the difference.

Thanks,

Have you got one or two AD servers configured in ACS?

If you have just one, is there any chance the AD controller rebooted? Perhaps due to Windows Update?

Can you get the uptime of the AD controller? That would help confirm whether this was the issue or not.