- Silver, 250 points or more
Community Spotlight Award,
Best Publication, November 2015
We have a Unity 5.0 server that exists in a stand along AD Domain/forest. We have users who have accounts in another AD Domain/Forest that we are trying to associate using the GrantUnityAccess tool. The tool terminates with an error. Log output from the run is below. It almost looks like there is a problem getting access to the remote domain/forest. I'm wondering about this since that administrator account would definately have a different password. I can't find any documentation on this issue.
Can anyone offer any suggestions here?
Mon Oct 01 14:40:32.525 Entering Initialize \ConnectorClientBase.cpp (line 48)
Mon Oct 01 14:40:33.807 Exiting Initialize \ConnectorClientBase.cpp (line 89)
Mon Oct 01 14:40:33.807 Entering GetSimpleFilter \ConnectorClientBase.cpp (line 412)
Mon Oct 01 14:40:33.807 Exiting GetSimpleFilter \ConnectorClientBase.cpp (line 428)
Mon Oct 01 14:40:33.807 Entering GetRowSet \ConnectorClientBase.cpp (line 105)
Mon Oct 01 14:40:33.807 Exiting GetRowSet \ConnectorClientBase.cpp (line 121)
Mon Oct 01 14:40:33.822 Entering GetOneRow \ConnectorClientBase.cpp (line 127)
Mon Oct 01 14:40:33.838 Exiting GetOneRow \ConnectorClientBase.cpp (line 143)
Mon Oct 01 14:40:33.838 GetDC returning '\\USFTWCiscoMSG1.USFTWUnity.com' (dwErr = 0) \GrantAccess.cpp (line 146)
Mon Oct 01 14:40:33.838 Using local DC \\USFTWCiscoMSG1.USFTWUnity.com \GrantAccess.cpp (line 165)
Mon Oct 01 14:40:33.947 GetDC returning '\\USFTW000.MyADDomain.com' (dwErr = 0) \GrantAccess.cpp (line 146)
Mon Oct 01 14:40:33.947 Using user's domain DC \\USFTW000.MyADDomain.com \GrantAccess.cpp (line 175)
Mon Oct 01 14:40:34.57 LookupAccountName Returned Error 5 \GrantAccess.cpp (line 227)
Mon Oct 01 14:40:34.72 LookupAccountName Failed: 0 \GrantAccess.cpp (line 233)
Sounds like you ran into CSCsi68156. You need to set up a two-way trust between the domains. Here's the release note enclosure for the defect:
GrantUnityAccess.exe fails granting access between two domains in separate AD forest roots.
When a one way trust is established using the Cisco documented procedure between domains in two different forest roots, GrantUnityAccess.exe fails granting rights to the remote domain account as it is not able to get the SID for that remote account.
Establish a temporary two-way trust between the two domains in the different AD forest roots. GrantUnityAccess.exe will then be able to complete the process properly. Once the AD accounts are granted Unity access, the trust can be reverted back to the documented one-way trust to tighten security. If GrantUnityAccess.exe is going to be run again, the two-way trust will have to be re-established.
Further Problem Description:
Please note: If the one-way trust is established in the wrong direction, GrantUnityAccess.exe will succeed in associating the AD account to the Unity subscriber; however when using the remote domains AD credentials to access Unity resources the authentication will fail. This is important as it could be confusing when setting up the trust direction.
The Cisco documented procedure is to have a 'Voice Mail' domain trust the 'Corporate' domain can be found here: http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/whitpapr/c_access.htm#34909