Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 12      Administering External User Databases
Unknown User Processing
NT/2000 database, Cisco Secure ACS caches the username in the CiscoSecure 
user database in the form domain\user. The combination of username and domain 
makes this cached user unique in the Cisco Secure ACS database.
Note: Cisco Secure ACS does not support the user@domain form of qualified usernames.

Note: We recommend removing a username from a database when the privileges associated with that username are no longer required.
Windows Authentication with Domain Omitted
If the appropriate domain identifier is not supplied as part of the authentication 
process, as with the Windows 95/98 dial-up networking client or with 
Windows NT/2000 in a workgroup environment, the Windows NT/2000 
operating system of the Cisco Secure ACS server follows a more complex 
authentication process. It first attempts to authenticate the user against its local 
domain controller. If the user does not exist in the local domain controller’s user 
database, it progresses down the list of all its trusted domains, trying the username 
against each one. If Windows NT/2000 does not find the username, it tries the 
credentials against its local accounts database. If it does not find the username in 
the local accounts database, it rejects the authentication request. If authentication 
succeeds against the local domain, any of the trusted domains, or the local 
Windows NT/2000 accounts database, the user is granted access and 
Cisco Secure ACS ceases further attempts to find the user in other domains.
If the username exists in the local domain or any of the trusted domains but the 
password does not match the one supplied as part of the authentication 
credentials, Windows NT/2000 returns a rejection message to Cisco Secure ACS. 
You can circumvent this difficulty by using the Domain List in the 
Cisco Secure ACS configuration for the Windows NT/2000 database. If you have 
configured the Domain List with a list of trusted domains, Cisco Secure ACS 
submits the username and password to each domain in the list, using a 
domain-qualified format, until Cisco Secure ACS successfully authenticates the 
user. If Cisco Secure ACS has tried each domain listed in the Domain List, or if 
no trusted domains have been configured in the Domain List, Cisco Secure ACS 
fails the authentication request for that user.
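The two lookup orders described above, modelled as an added example (this is not code from the Cisco guide; the domain names, accounts and passwords are constructed, and the LOCAL prefix used for the server's local accounts database is an assumed label). It shows why a username that exists in more than one domain is rejected by the unqualified Windows lookup but accepted through the Domain List.

```python
"""Added example, not from the Cisco guide: a model of the two lookup orders
the text describes. All domains, accounts and passwords are constructed."""

# Constructed sample data: one account store per domain, plus the ACS
# server's local accounts database. jdoe exists in two domains with
# different passwords, which is the case the Domain List is meant to fix.
LOCAL_DOMAIN = "CORP"
TRUSTED_DOMAINS = ["EAST", "WEST"]
DOMAIN_ACCOUNTS = {
    "CORP": {"jdoe": "corp-secret"},
    "EAST": {"jdoe": "east-secret"},
    "WEST": {"rsmith": "west-secret"},
}
LOCAL_ACCOUNTS = {"admin": "local-secret"}


def domain_check(domain, user, password):
    """Simulated domain controller reply: 'ok', 'bad-password' or 'no-user'."""
    users = DOMAIN_ACCOUNTS.get(domain, {})
    if user not in users:
        return "no-user"
    return "ok" if users[user] == password else "bad-password"


def windows_unqualified_auth(user, password):
    """Domain omitted: Windows walks the local domain, then each trusted
    domain, and stops at the first one where the username exists. A wrong
    password there is a rejection even if another domain would accept it.
    Returns (granted, domain-qualified name or None)."""
    for domain in [LOCAL_DOMAIN] + TRUSTED_DOMAINS:
        result = domain_check(domain, user, password)
        if result == "ok":
            return True, f"{domain}\\{user}"
        if result == "bad-password":
            return False, None
    if LOCAL_ACCOUNTS.get(user) == password:  # last resort: local accounts
        return True, f"LOCAL\\{user}"        # 'LOCAL' prefix is an assumed label
    return False, None


def acs_domain_list_auth(user, password, domain_list, cache):
    """Domain List configured: ACS submits DOMAIN\\user to every listed
    domain until one accepts; an exhausted or empty list fails the request.
    On success the user is cached as domain\\user, keeping the entry unique."""
    for domain in domain_list:
        if domain_check(domain, user, password) == "ok":
            cache.add(f"{domain}\\{user}")
            return True, f"{domain}\\{user}"
    return False, None
```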