Unity SAWeb login question

Unanswered Question
Nov 6th, 2007

Unity 4.2.1 VM only

Customer has 3 networked Unity servers and is trying to simplify administration. They have several users with a COS that allows for Password resets only: https://IPAddress/web/sa

These Users are complaining about two issues:

1) That they have to have a unique ID for each server, and;

2) That after their initial login to change a subscriber the are again prompted for credentials when they link to the subscribers page.

So the questions are:

1) Is there a way to allow for a single login to administer multiple Unity servers all in the same AD? Please note that this is a Unity only domain for VM, and not the customers domain? and;

2) Is there a way to stop the second popup for credentials?

Thanks for the help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
navinger Tue, 11/06/2007 - 17:17


For the 1st issue: On each Unity server, create one subscriber account that has the COS that allows for Password resets only. Then run GrantUnityAccess on each Unity server, and associate the Windows/AD account of each user that will be doing the password resets with the subscriber account. See the "Granting Administrative Rights to Other Cisco Unity Servers" section for details:


For the 2nd issue, likely the "Prompt for user name and password" setting is enabled in IE.

1. Stop Unity if making the change. Leave Unity running if you're seeing if you need to make the change.

2. Open Internet Explorer.

3. Click Tools > Internet Options.

4. Click the Security tab.

5. If the Unity server is in the Local Intranet zone, click that icon. If the Unity server has been added as a trusted site, click the Trusted Sites icon.

6. Click Custom Level.

7. Scroll down to the end of the list. If under the "User Authentication > Logon" section, "Prompt for user name and password" is enabled, change that to the applicable "Automatic logon..."


nordendale Wed, 11/07/2007 - 14:34

Ok, I have tested GrantUnityAccess and have identified an issue. Yes this works in as much as a single ID can be used across all servers. Users are still presented with a screen pop for login credentials when moving between servers, however. Avoiding having to re-enter credentials was really the hope/goal in having a single login... although that may not have been clear from reading my post.

Any thoughts here?

navinger Wed, 11/07/2007 - 19:05


Are the users logged onto a Unity server when they access the SA? Or are the users logged onto their workstations? In my previous response I was thinking about being logged onto the Unity server itself.

If the users are logged onto their workstations, are the workstations in the same domain as the Unity servers? In IE on each user's workstation, is the security setting set to "Automatic logon..." for either the local Intranet or Trusted Site?

Also, I'm assuming that you're using Integrated Windows authentication because that's the default. In this case, it's not Unity asking for credentials, it's IIS. So it matters what computer the user is logged onto. And it matters how IE is configured for that user (the IE Internet Options are configured on a per-user basis).

If the user's workstation is in the same domain as the Unity servers, and IE is set to "Automatic logon..." then they shouldn't be getting prompted.

Here's more info about authentication methods used to access the SA:



nordendale Thu, 11/08/2007 - 09:38

To be clear, the users are logging in via IE from a separate and untrusted domain. I will review the authentication methods link but are you saying that if Unity Trusted the corporate domain would that resolve the issue?

navinger Thu, 11/08/2007 - 12:14


OK, untrusted domains explains why the users are getting prompted for credentials. You'll need to create a two-way trust between the domains, and then run grantunityaccess to associate the users with a subscriber with the appropriate COS system-access setting.

After running grantunityaccess, you should be able to remove one of the trusts. You'll need to keep the trust where the Unity domain trusts the Corporate domain. The reason for the two-way trust when running grantunityaccess is due to the defect CSCsi68156. Following is the release note enclosure for it:


GrantUnityAccess.exe fails granting access between two domains in separate AD forest roots.


When a one way trust is established using the Cisco documented procedure between domains in two different forest roots, GrantUnityAccess.exe fails granting rights to the remote domain account as it is not able to get the SID for that remote account.


Establish a temporary two-way trust between the two domains in the different AD forest roots. GrantUnityAccess.exe will then be able to complete the GrantUnityAccess.exe process properly. Once the AD accounts are granted Unity access, the trust can be reverted back to the documented one-way trust to tighten security. If GrantUnityAccess.exe is going to be run again, the two-way trust will have to be re-established.

Further Problem Description:

Please note: If the one-way trust is established in the wrong direction, GrantUnityAccess.exe will succeed in associating the AD account to the Unity subscriber; however when using the remote domains AD credentials to access Unity resources the authentication will fail. This is important as it could be confusing when setting up the trust direction.

The Cisco documented procedure is to have a 'Voice Mail' domain trust the 'Corporate' domain can be found here: http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/whitpapr/c_access.htm#34909

and also here:



This Discussion