LDAP Authentication Problem on Call Manager 7.1.3b

Answered Question
Jun 11th, 2010

My Active Directory is synchronized fine...

I can see all the users...


But when I try to log in to Call Manager as a user or as an administrator (CCM admin user group), it fails.


I have ticked the box on LDAP synchronization "use ldap authentication for end users".

David Hailey Fri, 06/11/2010 - 10:17

Let's check 1 thing and then offer an alternative for the second and go from there:


1) Best practice is to use a separate account that is not an End User for CCM Admin access.  For these users, you should create an application user, and this user will not be associated with users imported via AD.


2) For End Users, verify that you have the Standard CCM End User group assigned and that you are logging into https:///ccmuser.


Post back with your findings and results.


Hailey

William Bell Fri, 06/11/2010 - 10:38

To add a little to Hailey's reply, the way the authentication process works is as follows:


1. The user/application submits the user ID and password to CUCM (via whatever interface)

2. CUCM identifies the user as an End User (if End User and LDAP auth is enabled, then proceed)

3. CUCM performs an LDAP bind using the CUCM directory services account you configured when setting it up.  The bind attempt is made against the LDAP servers you have specified in the config.  Key point: CUCM has not authenticated the user yet.

4. CUCM queries the LDAP to resolve fully qualified name for the user ID provided in step 1

5. If all is well, LDAP replies with the full context name

6. CUCM then attempts a bind to LDAP using the full context name discovered in step 5 and the password provided in step 1 (binding as the user)

7. If LDAP accepts the credentials then the user is logged in.  From this point forward, LDAP is no longer involved with the user session


So, you need to check your authentication config to ensure the appropriate servers, search base, etc. are provided.  Usually, they are set to the same context as your synchronization agreement.  Unless, of course, you have more than one sync agreement.  Then, the authentication user search base must be set at a level that encompasses all sync agreements.


Are you using open or secure LDAP?  If secure, have you loaded the certs from LDAP?  If you have loaded the certs, have you restarted the Tomcat service?


Are you dealing with multiple trees or child domains?


I would be guessing on other reasons at this point.



HTH.


Regards,
Bill

michalis1234 Fri, 06/11/2010 - 22:35

The application user account I created works perfect.


I have restarted the publisher server... but unfortunately, I still cannot log in with AD user accounts!!


My integration is with Active Directory, with parent and child domains. I am on a child domain....


I am trying to log in at the URL: https://x.x.x.x/ccmuser


The strange thing is that the synchronization is fine; I can even search all my users in the corporate directory of the IP phones.


Thank you for your response.

htluo Fri, 06/11/2010 - 13:43

Have you restarted the Tomcat service by using the CLI command below?

utils service restart Cisco Tomcat


Michael

http://htluo.blogspot.com

rupam_chakra1983 Fri, 06/11/2010 - 22:47

Check whether the ccmuser ID you are using to log in has end-user privileges.

David Hailey Fri, 06/11/2010 - 23:10

Yep, I pointed this out in my earlier post - please verify that the end user accounts are members of the Standard CCM End User group.


Hailey

htluo Sat, 06/12/2010 - 05:44

Could you try this?


1) Type the following command in the CUCM CLI (command line interface)

utils service restart Cisco Tomcat


2) Wait until Tomcat has started.  Try to log into the CCMUser page.


3) If it fails, collect "Cisco Tomcat Security" logs.  Make sure the time frame covers the last logon attempt.


Thanks!


Michael

http://htluo.blogspot.com

michalis1234 Sat, 06/12/2010 - 22:18

I have restarted the tomcat service, still the problem persists.


I am pasting the logs from the CUCM:


options: q=quit, n=next, p=prev, b=begin, e=end (lines 1561 - 1576 of 1576) :
[13/Jun/2010:00:00:03 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 67
[13/Jun/2010:00:00:24 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:00:44 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 4
[13/Jun/2010:00:01:05 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 16
[13/Jun/2010:00:01:26 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:01:46 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:02:07 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:02:27 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 5
[13/Jun/2010:00:02:47 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:03:07 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:03:28 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:03:48 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:08 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:29 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:49 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:05:09 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:05:30 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:05:50 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:06:10 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:06:31 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3

options: q=quit, n=next, p=prev, b=begin, e=end (lines 1 - 20 of 1576) :
[13/Jun/2010:07:57:14 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ciscologo.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/console.css  HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/vtgblaf_percent.css  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderBegLTR.gif  HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderMidLTR.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderEndLTR.gif  HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/transgif.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/ciscoLogo12pxMargin.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/images/masthead.jpg  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:20 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:57:23 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/  HTTP/1.1 302 - 117
[13/Jun/2010:07:57:23 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/showHome.do  HTTP/1.1 403 7774 413
[13/Jun/2010:07:57:33 +0300] 213.149.163.227 213.149.163.227 - - 443 POST /ccmuser/WEB-INF/pages/errors/j_security_check  HTTP/1.1 200 8005 793
[13/Jun/2010:07:57:40 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:01 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:22 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:42 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 4
[13/Jun/2010:07:59:02 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3

end of the file reached
options: q=quit, n=next, p=prev, b=begin, e=end (lines 1561 - 1576 of 1576) :

htluo Sun, 06/13/2010 - 06:23

1) We need "Tomcat Security" logs, not "Tomcat" logs.


2) Please don't paste the content of the logs.  Instead use RTMT to collect logs and upload the files.


3) Please make sure the logs cover the time of the login attempt.


Thanks!

Michael

michalis1234 Sun, 06/13/2010 - 12:27

Unfortunately RTMT didn't work.

But I got the security logs from the CLI.

I am attaching the file....


Thank you in advance...

htluo Sun, 06/13/2010 - 12:51

Obviously, user "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" failed the authentication.


Questions:


1) Is "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" a valid DN?  Could you go to the command prompt of the domain controller and get the screen output of "dsquery user -samid MLavrentakis"?


2) Could you check if the user account was locked on AD?  Check both "MLavrentakis" and "scanner".


To further investigate the problem, could you do a packet capture from CUCM?  Command as below:

utils network capture file cucm count 1000000 size all host all 10.211.20.127


Start the command above.  Try to log into CCMUser page.  Press Ctrl-C to stop capture.


Then use the commands below to collect logs:

1) Get Packet Capture:

file get activelog platform/cli/cucm.cap

2) Get Tomcat Security:

file get activelog tomcat/logs/security/log4j/security*.*


You'll need an SFTP server (such as http://www.freesshd.com/freeFTPd.exe) to receive the file.


Thanks!

Michael

michalis1234 Mon, 06/14/2010 - 04:35

1) The output of the command "dsquery user -samid MLavrentakis" was:

CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr


2) The accounts are not locked..


3) I am attaching the files you requested


Thank you in advance...

htluo Mon, 06/14/2010 - 05:45

Based on packet #14 in the packet capture, LDAP server 10.211.20.127 is rejecting the credentials you provided for MLavrentakis.  The error was "Invalid Credentials".  This error comes from the LDAP server, not from Cisco CUCM.


If you're pretty sure the password you entered was correct, you may try the following:


1) Reset MLavrentakis' password to a simple one.  Retry login from CCMUser page.


If that didn't work, you may try:


2) Go to CUCM > System > LDAP > LDAP Authentication.

Change authentication port from 389 to 3268.

Restart Tomcat with CLI command "utils service restart Cisco Tomcat"

Retry login from CCMUser page.


Explanation:

Port 3268 is the Global Catalog port and is recommended for authentication purposes.


If neither of the above works, please get the packet capture again.  (you don't need Tomcat Security logs because we know the problem is NOT on Tomcat).


Thanks!

Michael

michalis1234 Tue, 06/15/2010 - 04:44

Unfortunately I did not manage to log in.

I am attaching the capture file.

I also spoke with the AD administrator, and he told me that the user ID I am using is allowed to log in to the CUCM server.

Thank you in advance...

neilobrien Tue, 06/15/2010 - 06:14

An obvious question, but have you tried logging into a domain PC with the same credentials?

Correct Answer
htluo Tue, 06/15/2010 - 06:36

By looking at the packet capture, the problem is still on LDAP side.


Here are the relevant packets:


#4 CUCM sent bindRequest to LDAP.  Username: eurobank\scanner.  Password: scanner1234$$
#5 LDAP sent successful response


#13 CUCM sent bindRequest to LDAP.  Username: CN=MLavrentakis, OU=Cyprus,OU=Employees,DC=Eurobank,DC=efg,DC=gr.  Password: !Log1234!
#14 LDAP sent failed response - "invalidCredentials"


If you're sure the information was correct in packet #13, you should get your LDAP engineer to explain packet #14.


Thanks!

Michael

michalis1234 Tue, 06/15/2010 - 12:09

You are absolutely right!!!

The usernames and passwords are correct!!!

I can login with the same credentials in the domain....

It is obvious that the problem is AD and the permissions of these user accounts....

I need to focus on the AD ...


Your recommendations and troubleshooting were excellent!!!

Thank you very much for your help, Michael!!!

The reason directory sync works and this doesn't is because end user auth is completely separate from directory sync. I had a similar problem and the cause was that the end user was on a child domain that didn't share a root with the auth server I was using. The server was on xyz.com and the user on abc.com. The fix for me was changing the user search base from "DC=xyz,DC=com" to "DC=com" and changing the port I was using from 389 (LDAP port) to 3268 (global catalog port). This doc also helped.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html#wp1070369
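
The following is an added example, not code from the thread or from Cisco, that replays Bill's seven-step flow (service bind, DN lookup, bind as the user) and the child-domain fix described just above. The directory contents, account names, passwords and result strings are all constructed; the model simplifies a port-389 domain controller to "answers only for its own domain partition" and the 3268 global catalog to "answers for every partition in the forest".

```python
from dataclasses import dataclass

@dataclass
class Server:
    """Constructed stand-in for one LDAP endpoint: a domain controller on 389
    answers only for its own domain partition, the global catalog on 3268
    answers for every domain partition in the forest."""
    port: int
    partitions: set   # base DNs this endpoint can search
    users: dict       # DN -> (sAMAccountName, password)

def in_scope(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def ldap_auth(server, svc_dn, svc_pw, search_base, user_id, user_pw):
    """Replay steps 3-7 of the thread's flow; returns (ok, detail)."""
    # step 3: bind with the CUCM directory services account
    if server.users.get(svc_dn, (None, None))[1] != svc_pw:
        return False, "service bind failed: invalidCredentials"
    # steps 4-5: resolve the user ID to a DN under the configured search base,
    # limited to the partitions this endpoint actually serves
    matches = [dn for dn, (sam, _) in server.users.items()
               if sam.lower() == user_id.lower()
               and in_scope(dn, search_base)
               and any(in_scope(dn, p) for p in server.partitions)]
    if len(matches) != 1:
        return False, f"user DN lookup returned {len(matches)} entries"
    user_dn = matches[0]
    # steps 6-7: bind as the user with the password from the login form
    if server.users[user_dn][1] != user_pw:
        return False, f"bind as {user_dn} failed: invalidCredentials"
    return True, user_dn

# Constructed directory mirroring the layout in the reply above: the auth
# server is in xyz.com, the failing end user lives in abc.com.
USERS = {
    "CN=cucmsvc,OU=Service,DC=xyz,DC=com": ("cucmsvc", "svc-pw"),
    "CN=jdoe,OU=Employees,DC=xyz,DC=com": ("jdoe", "pw-jdoe"),
    "CN=asmith,OU=Employees,DC=abc,DC=com": ("asmith", "pw-asmith"),
}
DC_389 = Server(389, {"DC=xyz,DC=com"}, USERS)
GC_3268 = Server(3268, {"DC=xyz,DC=com", "DC=abc,DC=com"}, USERS)
SVC = ("CN=cucmsvc,OU=Service,DC=xyz,DC=com", "svc-pw")

if __name__ == "__main__":
    print(ldap_auth(DC_389, *SVC, "DC=xyz,DC=com", "asmith", "pw-asmith"))  # DN lookup fails
    print(ldap_auth(GC_3268, *SVC, "DC=com", "asmith", "pw-asmith"))        # succeeds
    print(ldap_auth(GC_3268, *SVC, "DC=com", "asmith", "wrong"))            # invalidCredentials
```

The last case reproduces the thread's symptom: the DN lookup succeeds (sync and search are fine), so an "invalidCredentials" response can only come from the user bind, which is why the answer points back at the LDAP side.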

neilobrien Sun, 06/13/2010 - 12:44

Have you mapped a different LDAP attribute to the CM User ID?  For example, under LDAP System, if your LDAP attribute for the User ID is set to "telephone number" then your CM login user ID is the telephone number set in the AD user account.


Just something to look for...?
