How Users Interact with Your External Database Configuration


From the perspective of ACS, there are different types of users. A known user is one who was explicitly added to ACS, or one that ACS learned about through database replication, database synchronization, or the CSUtil.exe tool. The other types are unknown users and discovered users. When an unknown user attempts an authentication request, he or she becomes a discovered user if he or she is found in one of the configured external databases. To make this authentication possible, you need to add an external database configuration and a database group mapping.

The process of authentication is quite simple. ACS first checks its internal database. If the user is not found there, ACS proceeds to check the list of external databases. If the user is not found there either, ACS fails the authentication request.

If the user is, in fact, found in an external database, the "discovered" user is added to the ACS database with a pointer to the external server that returned the authentication reply. The next time this user authenticates, ACS checks this external server again, but only for authentication. From this point on, all authorization takes place on ACS, according to the group the user was placed in at the time of authentication.
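The lookup order and the discovered-user pointer described above, modelled as an added Python example (not code from the book or from Cisco ACS). The class names, sample users, passwords, database names and group names are constructed, and treating "found" as a successful authentication reply is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class ExternalDB:
    name: str
    users: dict            # constructed sample data: username -> password
    mapped_group: str      # ACS group chosen by the database group mapping
    queries: int = 0       # how many times ACS consulted this database

    def authenticate(self, user, password):
        self.queries += 1
        return user in self.users and self.users[user] == password

@dataclass
class ACSModel:
    internal: dict         # known users: username -> (password, group)
    external: list         # configured external databases, in search order
    discovered: dict = field(default_factory=dict)  # username -> (db, group)

    def authenticate(self, user, password):
        """Return the ACS group used for authorization, or None on failure."""
        if user in self.internal:                    # 1. known user
            stored, group = self.internal[user]
            return group if stored == password else None
        if user in self.discovered:                  # 2. follow the stored pointer
            db, group = self.discovered[user]
            return group if db.authenticate(user, password) else None
        for db in self.external:                     # 3. unknown user
            if db.authenticate(user, password):
                # Record the pointer and the group assigned at discovery time.
                self.discovered[user] = (db, db.mapped_group)
                return db.mapped_group
        return None                                  # 4. not found anywhere

def build_sample():
    windows = ExternalDB("windows", {"alice": "a-pass"}, "Group 1")
    ldap = ExternalDB("ldap", {"bob": "b-pass"}, "Group 2")
    acs = ACSModel({"admin": ("adm-pass", "Group 0")}, [windows, ldap])
    return acs, windows, ldap

if __name__ == "__main__":
    acs, windows, ldap = build_sample()
    print(acs.authenticate("bob", "b-pass"), windows.queries, ldap.queries)
    print(acs.authenticate("bob", "b-pass"), windows.queries, ldap.queries)
    print(acs.authenticate("eve", "guess"), sorted(acs.discovered))
```

The query counters show that the second authentication for the same user goes only to the database recorded in the pointer, while the group returned is the one mapped at discovery time.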




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
EAN: 2147483647
Year: 2006
Pages: 173
