[cisco-voip] ACS 2008 R2

Lelio Fulgenzi lelio at uoguelph.ca
Tue Feb 8 10:26:16 EST 2011 

Lab'ing is great, but it doesn't help with the support issue later on. It might work, but if it breaks later and I call the TAC, the TAC looks at the data sheet and says, R2 is not there. ;) 

Since there will be multiple AD servers, some at 2003, some at 2008R2, we have the option to simply continue pointing to the 2003 servers (which are 2003R2 I believe!). 

I guess I can open a TAC case and ask them to clarify whether 2008 R2 is supported or not. Minimally I will have that to go back to management with. 



--- 
Lelio Fulgenzi, B.A. 
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN) 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
Cooking with unix is easy. You just sed it and forget it. 
- LFJ (with apologies to Mr. Popeil) 


----- Original Message -----
From: "Jason Aarons (US)" <jason.aarons at us.didata.com> 
To: "Bill Riley" <bill at hitechconnection.net>, cisco-voip at puck.nether.net 
Sent: Tuesday, February 8, 2011 9:54:28 AM 
Subject: Re: [cisco-voip] ACS 2008 R2 




This is a good example of why you should lab test the AD upgrade prior to production. 



ACS 5.1 can’t talk to 2008 Domain controller in 2003 functional level. ACS runs Centrify and ACS 5.2 fixed it. I think ACS 4.2.1 has similar issue but not positive. 



>From TAC case after upgrade, “I believe you are running into a problem when a 2008 DC is running at 2003 functional level. Basically we send a ticket request to the KDC and it responds with the encryption versions it supports including AES. Since AES is the strongest encryption we choose that and send an ticket request using AES to the KDC. The KDC then responds saying it does not support AES since 2003 does not support AES encryption. 

If this is the case then raising the domain functional level to 2008 native should resolve the issue assuming that this will not break anything else in your environment. “ 



http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/da205761-4eb3-4896-a71f-7cc8512d5420 



http://www.windowsitpro.com/article/kerberos/Q-Can-the-default-encryption-types-the-Kerberos-authentication-protocol-uses-in-Windows-7-and-Windows-Server-2008-R2-cause-compatibility-problems-Is-there-a-workaround-.aspx 



Yes customer was warned in advance that 2008R2 isn’t supported until ACS 5.2 was released, for whatever reason they upgraded regardless breaking VPN authentications. 





From: Bill Riley [mailto:bill at hitechconnection.net] 
Sent: Tuesday, February 08, 2011 9:31 AM 
To: Jason Aarons (US); cisco-voip at puck.nether.net 
Subject: ACS 2008 R2 



>From the original thread “support for MS AD 2008R2 and "mixed" 2003 R2 / 2008 R2” 



You said that the 2008 R2 DC caused problems with ACS. What issues did you have? I am surprised there is that much dependencies between ACS and the active directory authentication. 




DDIPT

Disclaimer: This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you. 
_______________________________________________ 
cisco-voip mailing list 
cisco-voip at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-voip 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20110208/8fead1e5/attachment.html>

More information about the cisco-voip mailing list