11-11
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter11 Working with User Databases Windows NT/2000 User Database
matching username and password. This also illustrates the importance of
removing usernames from a domain when the privileges associated with the user
are no longer required.
Tip For Windows 95/98/ME and Windows NT/2000, entering the domain name
can speed up authentication, because Cisco Secure ACS can go directly to the
domain rather than searching through the local domain and all trusted domains
until it finds the username.
Note Cisco Secure ACS does not support the user@domain (UPN) format of
qualified usernames when authenticating users with Windows user databases.
If you do not specify a domain name when typing the username,
Cisco Secure ACS submits the username to the Windows NT/2000 operating
system on the Cisco Secure ACS server. If the WindowsNT/2000 server does not
find the username in its local database, it then checks all trusted domains. If the
password of the first occurrence of the username in the trusted domains does not
match the password submitted by Cisco Secure ACS, authentication fails. If the
Domain List in the Windows NT/2000 User Database Configuration of the
External User Databases section has been configured with a list of trusted
domains, Cisco Secure ACS submits the username and password to each domain
in the list in a fully qualified format until it successfully authenticates the user. If
Cisco Secure ACS has tried each domain listed in the Domain List or if no trusted
domains have been configured in the Domain List, CiscoSecure ACS stops
attempting to authenticate the user and does not grant that user access.
Note If your Domain List contains domains and your Windows SAM or Active
Directory user databases are configured to lock out users after a number of
failed attempts, users can be inadvertently locked out because
Cisco Secure ACS tries each domain in the Domain List explicitly, resulting
in failed attempts for identical usernames that reside in different domains.