[cisco-voip] ACS 2008 R2

Jason Aarons (US) jason.aarons at us.didata.com
Tue Feb 8 09:54:28 EST 2011


This is a good example of why you should lab test the AD upgrade prior to production.

ACS 5.1 can't talk to a 2008 domain controller at the 2003 functional level. ACS runs Centrify, and ACS 5.2 fixed it. I think ACS 4.2.1 has a similar issue, but I'm not positive.

From the TAC case after the upgrade: "I believe you are running into a problem when a 2008 DC is running at 2003 functional level. Basically we send a ticket request to the KDC and it responds with the encryption versions it supports, including AES. Since AES is the strongest encryption, we choose that and send a ticket request using AES to the KDC. The KDC then responds saying it does not support AES, since 2003 does not support AES encryption.
If this is the case, then raising the domain functional level to 2008 native should resolve the issue, assuming that this will not break anything else in your environment."

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/da205761-4eb3-4896-a71f-7cc8512d5420

http://www.windowsitpro.com/article/kerberos/Q-Can-the-default-encryption-types-the-Kerberos-authentication-protocol-uses-in-Windows-7-and-Windows-Server-2008-R2-cause-compatibility-problems-Is-there-a-workaround-.aspx

Yes, the customer was warned in advance that 2008 R2 isn't supported until ACS 5.2 is released; for whatever reason they upgraded regardless, breaking VPN authentications.

From: Bill Riley [mailto:bill at hitechconnection.net]
Sent: Tuesday, February 08, 2011 9:31 AM
To: Jason Aarons (US); cisco-voip at puck.nether.net
Subject: ACS 2008 R2

From the original thread "support for MS AD 2008R2 and "mixed" 2003 R2 / 2008 R2"

You said that the 2008 R2 DC caused problems with ACS. What issues did you have? I am surprised there are that many dependencies between ACS and the Active Directory authentication.
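As an added example (not from this thread or from Cisco), a PowerShell pre-upgrade check for the situation the TAC engineer describes: it reports the domain functional level and decodes the Kerberos encryption types each domain controller advertises, so you can see in the lab whether AES will actually be usable before an ACS (or any Kerberos client that prefers the strongest etype) is pointed at a 2008 R2 DC. It assumes the ActiveDirectory RSAT module and an account that can read computer objects.

```powershell
# Added example: domain functional level and per-DC Kerberos etypes.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined admin host.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$EtypeFlags = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}
$AesMask = 0x18   # either AES flag

function Get-KerberosEtypeReport {
    $domain = Get-ADDomain
    # AES Kerberos keys require the 2008 (or later) domain functional level
    $minAesLevel = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $levelAllowsAes = ([int]$domain.DomainMode) -ge $minAesLevel

    Write-Host ("Domain {0} functional level: {1}" -f $domain.DNSRoot, $domain.DomainMode)
    if (-not $levelAllowsAes) {
        Write-Warning "Functional level below 2008: DCs may advertise AES but cannot issue AES tickets."
    }

    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-SupportedEncryptionTypes'
        $mask = [int]($comp.'msDS-SupportedEncryptionTypes')   # 0 when the attribute is unset
        $names = @($EtypeFlags.GetEnumerator() | Where-Object { $mask -band $_.Value } | ForEach-Object { $_.Key })
        $etypeText = if ($names.Count -gt 0) { $names -join ',' } else { '(attribute not set)' }

        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            EtypeMask        = ('0x{0:X}' -f $mask)
            Etypes           = $etypeText
            AesUsable        = (($mask -band $AesMask) -ne 0) -and $levelAllowsAes
        }
    }
}

Get-KerberosEtypeReport | Format-Table -AutoSize
```

A DC that shows AES in its etype mask while AesUsable is False is exactly the mismatch in the TAC note: the KDC offers AES, the client picks it, and the ticket request is refused.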

