02-04-2016 11:10 PM - edited 03-10-2019 11:27 PM
Hi All ,
I need expert advice. I am on an ACS 5.6 with fallback authentication configured; there is no issue in terms of configuration on the NAD. What is strange is, once I try to login via AD credentials it works fine; however, if I enter admin credentials, it is also accepted, though it should not work. After analysing, I found that via admin, it takes 10-15 seconds to login for the first time and then it is faster; my AD credentials are blocked at that time.
I checked sh aaa-servers on the ASA; it showed me TACACS disabled, and after 20 minutes it started working again with AD.
I enabled Wireshark on ASA/ACS; it showed that AD is timing out the connection once it tried to authenticate via admin, and there is an error message related to the KDC: "KRB5KDC_ERR_ETYPE_NOSUPP".
++Already verified the NTP timing; there is no difference between ACS/AD. Can it be an encryption problem as there is no ACS ..I am not technical on AD; what can we check to fix this permanently?
The log message in the ACS bundle is:
Feb 4 09:40:24 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > network.state NST: SniffList: postfailsort=xxxxxxxet
Feb 4 09:40:39 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > base.osutil Module=Base : KDC unavailable: Cannot contact any KDC for requested realm (reference base/aduser.cpp:962 rc: 1019)
02-05-2016 12:10 AM
Could you have had a DNS failure that caused "KDC unavailable"?
02-05-2016 04:32 AM
Thanks Philip,
How to verify it? My AD IP address and DNS IP are the same.
++We came across this issue when our AD credentials stopped working intermittently for approx 10 min, and the error message on ACS is "application identity store not available".
++There is no expert person in AD; is there any setting we can verify in AD or test?
++Resolution of the domain name is working fine.
02-05-2016 08:02 AM
Please double check that ports UDP 88 and TCP 88 are allowed between the ACS's and DC's. Also, what do you see when you run the test / diagnostic tool from ACS?
Run nslookup from the ACS CLI for your domain name. There is a possibility that the DC listed at the top of the list is not in production any more, and ACS keeps trying to contact it first and waits for 15 seconds before jumping to the other DC in the same list.
Also, if you want to put the ACS into debug mode, type in acs-config and login with your GUI credentials: (config-acs)# debug-adclient enable, and recreate the issue. After that check the following logs on ACS:
sh acs-logs filename ACSADAgent.log | last 80
~ Jatin
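The two adclient DEBUG lines quoted in the original post are 15 seconds apart, which matches the DC timeout Jatin describes. The following script is an added example (not code from this thread, Cisco ACS or Centrify) that parses adclient lines in that format, pairs each "KDC unavailable" line with the first earlier line of the same request, and reports how long ACS waited before giving up, so a timeout (no DC answered) can be told apart from a fast rejection. The hostnames are the masked values from the post, the 10-second threshold is an assumption, and the optional TCP port-88 check is a plain socket connect, not the ACS diagnostic tool.

```python
import re
import socket
import sys
from datetime import datetime

# Constructed sample input: the two adclient DEBUG lines quoted in the
# original post (hostnames already masked there as xxxxxx).
SAMPLE_LOG = (
    "Feb 4 09:40:24 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > "
    "network.state NST: SniffList: postfailsort=xxxxxxxet\n"
    "Feb 4 09:40:39 xxxxxx adclient[19294]: DEBUG <fd:41 CAPIAuthValidatePlainTextUser > "
    "base.osutil Module=Base : KDC unavailable: Cannot contact any KDC for requested realm "
    "(reference base/aduser.cpp:962 rc: 1019)\n"
)

# Layout of one adclient line as it appears in the thread: syslog timestamp
# (no year), host, process[pid], level, <fd:N function >, module, message.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) adclient\[(?P<pid>\d+)\]: (?P<level>\w+) "
    r"<fd:(?P<fd>\d+) (?P<func>\w+) > (?P<module>\S+) (?P<msg>.*)$"
)
KDC_RE = re.compile(
    r"KDC unavailable: (?P<reason>[^(]+?)\s*\(reference (?P<ref>\S+) rc: (?P<rc>\d+)\)"
)

# Assumption: a wait of this many seconds or more before "KDC unavailable"
# is treated as a timeout (no DC answered) rather than a fast rejection.
TIMEOUT_THRESHOLD_SECONDS = 10


def parse_line(line, year=2016):
    """Return a dict for one adclient line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # syslog lines carry no year; the thread is from Feb 2016, so default to that
    rec["ts"] = datetime.strptime(
        f"{year} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S"
    )
    return rec


def parse_log(text, year=2016):
    return [r for r in (parse_line(ln, year) for ln in text.splitlines()) if r]


def find_kdc_failures(records):
    """Pair each 'KDC unavailable' line with the first earlier line from the
    same request (same pid/fd/function) and report how long ACS waited."""
    first_seen = {}
    failures = []
    for rec in records:
        key = (rec["pid"], rec["fd"], rec["func"])
        first_seen.setdefault(key, rec["ts"])
        m = KDC_RE.search(rec["msg"])
        if not m:
            continue
        wait = (rec["ts"] - first_seen[key]).total_seconds()
        failures.append({
            "time": rec["ts"],
            "function": rec["func"],
            "reason": m.group("reason"),
            "reference": m.group("ref"),
            "rc": int(m.group("rc")),
            "wait_seconds": wait,
            "looks_like_timeout": wait >= TIMEOUT_THRESHOLD_SECONDS,
        })
    return failures


def check_kdc_port(host, port=88, timeout=3.0):
    """TCP reachability check for a DC's Kerberos port (UDP 88 is not probed
    here; it has no handshake to observe). Returns True if the connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Feed the output of 'sh acs-logs filename ACSADAgent.log | last 80' on stdin,
    # or run without input to analyse the constructed sample above.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in find_kdc_failures(parse_log(text)):
        kind = "timeout" if f["looks_like_timeout"] else "fast reject"
        print(f"{f['time']:%b %d %H:%M:%S} {f['function']}: {f['reason']} "
              f"(rc {f['rc']}) after {f['wait_seconds']:.0f}s -> {kind}")
```

On the sample from the post the script reports a 15-second wait before rc 1019, i.e. a timeout rather than a rejection, which is the pattern to look for when a NAD's fallback (local admin) login succeeds while the AD identity store is marked unavailable. A long wait points at an unreachable or dead DC (DNS order, port 88 filtering, a rebooted controller); a near-zero wait points at the DC answering and refusing, as in the KRB5KDC_ERR_ETYPE_NOSUPP capture.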
02-05-2016 06:11 PM
Hi Jatin,
I have already captured the debug, and the domain name is fine; we are only using one domain controller. The captures suggest that there are certain encryption parameters on ACS; it seems like AD does not have them enabled.
Ports are allowed; test connection is successful from ACS.
This only happens if I am trying to login via admin credentials, which should not work when ACS is up; there were issues earlier when we were not able to login via AD credentials though the ACS was still up.
You can refer to -637953097 which I have opened; the engineer has done a great job in isolating the issue.
All details are mentioned. I have not approached the AD people as they are not technical, and I need to be sure what recommendation I can make.
02-08-2016 01:21 AM
It seems like the issue has been fixed. I enabled the KCD service, which is an automated service on the AD server; all is back to normal.
I will take a working capture from ACS with AD credentials and check the difference.
Thanks,
02-05-2016 11:38 AM
Have you got one or two AD servers configured in ACS?
If you have just one, any chance the AD controller rebooted? Perhaps due to Windows Update?
Can you get the up time of the AD controller? That would help confirm if this was an issue or not.