Chapter 11 Working with User Databases
Windows NT/2000 User Database
11-12
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
matching username and password. This also illustrates the importance of
removing usernames from a domain when the privileges associated with the user
are no longer required.
Tip Entering the domain name can speed up authentication, because authentication is
directed to a specific domain rather than depending upon Windows to search
through the local domain and all trusted domains until it finds the username.
Note Cisco Secure ACS does not support the user@domain (UPN) format of qualified
usernames when authenticating users with Windows user databases of any type,
including local and domain SAM databases and Active Directory databases.
If you do not specify a domain name when typing the username,
Cisco Secure ACS submits the username to the Windows operating system on the
server than runs Cisco Secure ACS. If Windows does not find the username in its
local domain database, it then checks all trusted domains. If Cisco Secure ACS
runs on a member server and the username is not found in trusted domains,
Windows also checks its local accounts database. Windows attempts to
authenticate a user with the first occurrence of the username that it finds.
Note If the credentials submitted by the user do not match the credentials associated
with the first matching username that Windows finds, authentication fails. Thus,
if different users in different domains share the same exact username, logging in
with a non-domain-qualified username can result in inadvertent authentication
failure.
Use of the Domain List is not required to support Windows authentication, but it
can alleviate authentication failures caused by non-domain-qualified usernames.
If you have configured the Domain List in the Windows NT/2000 User Database
Configuration page of the External User Databases section, Cisco Secure ACS
submits the username and password to each domain in the list in a fully qualified
format until it successfully authenticates the user. If Cisco Secure ACS has tried
each domain listed in the Domain List or if no trusted domains have been
configured in the Domain List, Cisco Secure ACS stops attempting to
authenticate the user and does not grant that user access.
To Next Page
Loading...
Need help?
General