Preparing Users for Authenticating with Windows
Before using the Windows user database for authentication:
Step 1 Ensure that the username exists in the Windows user database.
Certificate Database Path The path to the Netscape cert7.db file.
Retries The number of authentication attempts ACS makes before failing over to the secondary proxy RADIUS server.
Note Increase the ODBC worker thread count only if the ODBC driver that you are using is certified thread safe.
A user will be mapped to a specific group, as defined in the External User Databases Database Group Mappings Windows Database settings, when machine authentication occurs.
For example, when a Windows XP client initiates EAP-TLS authentication, ACS receives the username in [email protected] format.
Group Mapping for Unknown Users ACS supports group mapping for unknown users by requesting group membership information from Windows user databases.
Note You can only use external user databases to authenticate users and to determine the group to which ACS assigns a user.
ACS takes the username that the authentication process supplies, and asks the LDAP server to search a full subtree of unknown depth, over an unknown user population.
Port The TCP/IP port number on which the LDAP server is listening.
Ensure that the delimiting character appears in the applicable position: at the end of the domain name if Prefix is selected on the Qualified by list; at the beginning of the domain name if Suffix is selected on the Qualified by list.
ACS is ready to perform machine authentication for computers whose names exist in the ACS internal database.
For detailed steps, see Configuring a Windows External User Database.
Step 11 In the Group Directory Subtree box, type the DN of the subtree containing all your groups.
Type a name for the new configuration for the RSA SecurID token server in the box provided, or accept the default name in the box.
For more information and an example routine, see Sample Routine for Generating an SQL CHAP Authentication Procedure.
Confirm all values for these fields with your LDAP server configuration and documentation.
To support machine authentication with EAP-TLS, check the Permit EAP-TLS machine authentication check box.
For more information, see "Windows Authentication from a Member Server" in the Installation Guide for Cisco Secure ACS for Windows.
You can map the LDAP group to an ACS group with any name that you want to assign.

Table 13-7 Result Codes
Result Code    Meaning
0 (zero)       Authentication successful
1              Unknown username
2              Invalid password
3              Unknown username or invalid password
4              Internal error; authentication not processed

The SQL procedure can decide among 1, 2, or 3 to indicate a failure, depending on how much.
Common LDAP Configuration This table contains options that apply to all LDAP authentication that is performed by using this configuration.
Table 13-2 lists the procedure results that ACS expects as output from the stored procedure.
UPN Usernames ACS supports authentication of usernames in UPN format, such as or cyril.
For more information about ACS support of token servers with a RADIUS interface, see RADIUS-Enabled Token Servers.
Configuring an RSA SecurID Token Server External User Database ACS supports the RSA SecurID token server custom interface for authentication of users.
Apply Service Pack 4 to the computer that is running Active Directory.
By Unknown User Policy You can configure ACS to attempt authentication of users who are not in the ACS internal database by using an external user database.
For more information about Microsoft operating systems and machine authentication, see Microsoft Windows and Machine Authentication.