LDAP Authentication Problem on Call Manager 7.1.3b

michalis1234
Level 1

My Active Directory is synchronized fine...

I can see all the users...

But when I try to log in to Call Manager as a user or as an administrator (CCM Admin user group), it fails.

I have ticked the box on LDAP synchronization, "use ldap authentication for end users".

1 Accepted Solution

Accepted Solutions

By looking at the packet capture, the problem is still on LDAP side.

Here are the relevant packets:

#4 CUCM sent bindRequest to LDAP.  Username: eurobank\scanner.  Password: scanner1234$$
#5 LDAP sent successful response

#13 CUCM sent bindRequest to LDAP.  Username: CN=MLavrentakis, OU=Cyprus,OU=Employees,DC=Eurobank,DC=efg,DC=gr.  Password: !Log1234!
#14 LDAP sent failed response - "invalidCredentials"

If you're sure the information was correct in packet #13, you should get your LDAP engineer to explain packet #14.

Thanks!

Michael


20 Replies

David Hailey
VIP Alumni

Let's check 1 thing and then offer an alternative for the second and go from there:

1) Best practice is to use a separate account that is not an End User for CCM Admin access.  For these users, you should create an application user, and this user will not be associated with users imported via AD.

2) For End Users, verify that you have the Standard CCM End User group assigned and that you are logging into https:///ccmuser.

Post back with your findings and results.

Hailey

William Bell
VIP Alumni

To add a little to Hailey's reply.  The way the authentication process works is as follows:

1. The user/application submits the user ID and password to CUCM (via whatever interface)

2. CUCM identifies the user as an End User (if End User and LDAP auth is enabled, then proceed)

3. CUCM performs an LDAP bind using the CUCM directory services account you configured when setting it up.  The bind attempt is made against the LDAP servers you have specified in the config.  Key point, CUCM has not authenticated the user yet.

4. CUCM queries the LDAP to resolve fully qualified name for the user ID provided in step 1

5. If all is well, LDAP replies with the full context name

6. CUCM then attempts a bind to LDAP using the full context name discovered in step 5 and the password provided in step 1 (binding as the user)

7. If LDAP accepts the credentials then the user is logged in.  From this point forward, LDAP is no longer involved with the user session

So, you need to check your authentication config to ensure the appropriate servers, search base, etc. are provided.  Usually, they are set to the same context as your synchronization agreement.  Unless, of course, you have more than one sync agreement.  Then, the authentication user search base must be set at a level that encompasses all sync agreements.

Are you using open or secure LDAP?  If secure, have you loaded the certs from LDAP?  If you have loaded the certs, have you restarted the Tomcat service?

Are you dealing with multiple trees or child domains?

I would be guessing on other reasons at this point.

HTH.


Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

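As an added example (not code from this thread, Cisco or any poster), here is a small Python decoder for the LDAP simple-bind messages that steps 3 and 6 of Bill's description produce, the same messages Michael read from packets #4/#5 and #13/#14 in the accepted solution. It shows where the resultCode (49 = invalidCredentials) sits in a BindResponse, which is why a failure there is the directory's verdict rather than CUCM's. The bytes are constructed here from the thread's bind names with placeholder passwords, following the RFC 4511 BER layout; the packet numbers only mirror the thread's numbering.

```python
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_message(msg):
    """Summarise an LDAPMessage carrying a BindRequest or BindResponse; the password is never returned."""
    _, body, _ = read_tlv(msg)                    # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    _, msg_id, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    out = {"messageID": int.from_bytes(msg_id, "big")}
    if op_tag == 0x60:                            # [APPLICATION 0] BindRequest
        _, version, p = read_tlv(op)
        _, name, p = read_tlv(op, p)
        auth_tag, _secret, _ = read_tlv(op, p)    # [0] simple password = tag 0x80; value dropped
        out.update(op="bindRequest", version=version[0], name=name.decode(),
                   auth="simple" if auth_tag == 0x80 else "sasl")
    elif op_tag == 0x61:                          # [APPLICATION 1] BindResponse (an LDAPResult)
        _, code, p = read_tlv(op)                 # ENUMERATED resultCode, e.g. 49
        _, _matched_dn, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        out.update(op="bindResponse", resultCode=code[0],
                   result=RESULT_NAMES.get(code[0], "other"), diagnostic=diag.decode())
    return out

def tlv(tag, value):
    """BER-encode one TLV (short form, or two-octet long form for values >= 128 bytes)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + value

def bind_request(msg_id, name, password):
    """LDAPv3 simple BindRequest as CUCM sends it (name may be a DN or DOMAIN\\user)."""
    op = tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def bind_response(msg_id, code, diag=""):
    """BindResponse with resultCode, empty matchedDN and a diagnostic string."""
    op = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x61, op))

# Constructed exchange mirroring the thread's packet numbers; passwords are placeholders, not real.
USER_DN = "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=Eurobank,DC=efg,DC=gr"
PACKETS = {4: bind_request(1, "eurobank\\scanner", "placeholder"), 5: bind_response(1, 0),
           13: bind_request(2, USER_DN, "placeholder"), 14: bind_response(2, 49, "constructed diagnostic")}
if __name__ == "__main__":
    for num in sorted(PACKETS):
        print(f"#{num}", decode_bind_message(PACKETS[num]))
```

Run against a real capture, the same reading applies: a resultCode of 0 on the service-account bind and 49 on the user bind points at the directory (DN, password, lockout or port), not at Tomcat.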

The application user account I created works perfectly.

I have restarted the publisher server... but unfortunately, I still cannot log in with AD user accounts!!

My integration is with Active Directory, with parent and child domains. I am on a child domain....

I am trying to log in at the URL: https://x.x.x.x/ccmuser

The strange thing is that the synchronization is fine; I can even search all my users in the corporate directory of the IP phones.

Thank you for your response.

htluo
Level 9

Have you restarted the Tomcat service by using CLI command below?

utils service restart Cisco Tomcat

Michael

http://htluo.blogspot.com

Check whether the ccmuser ID you are using to log in has privileges for end user.

Yep, I pointed this out in my earlier post - please verify that the end user accounts are members of the Standard CCM End User group.

Hailey

Certainly they are in the standard CCM End Users Group.

Could you try this?

1) Type the following command in the CUCM CLI (command line interface)

utils service restart Cisco Tomcat

2) Wait until Tomcat has started.  Try to log in to the CCMUser page.

3) If it failed, collect "Cisco Tomcat Security" logs.  Make sure the time frame covers the last logon attempt.

Thanks!

Michael

http://htluo.blogspot.com

I have restarted the tomcat service, still the problem persists.

I am pasting the logs from the CUCM:

options: q=quit, n=next, p=prev, b=begin, e=end (lines 1561 - 1576 of 1576) :
[13/Jun/2010:00:00:03 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 67
[13/Jun/2010:00:00:24 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:00:44 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 4
[13/Jun/2010:00:01:05 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 16
[13/Jun/2010:00:01:26 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:01:46 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:02:07 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:02:27 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 5
[13/Jun/2010:00:02:47 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:03:07 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:03:28 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:03:48 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:08 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:29 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:49 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:05:09 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:05:30 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:05:50 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 2
[13/Jun/2010:00:06:10 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:00:06:31 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3

options: q=quit, n=next, p=prev, b=begin, e=end (lines 1 - 20 of 1576) :
[13/Jun/2010:07:57:14 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ciscologo.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/console.css  HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/vtgblaf_percent.css  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderBegLTR.gif  HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderMidLTR.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderEndLTR.gif  HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/transgif.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/ciscoLogo12pxMargin.gif  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/images/masthead.jpg  HTTP/1.1 304 - 0
[13/Jun/2010:07:57:20 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:57:23 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/  HTTP/1.1 302 - 117
[13/Jun/2010:07:57:23 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/showHome.do  HTTP/1.1 403 7774 413
[13/Jun/2010:07:57:33 +0300] 213.149.163.227 213.149.163.227 - - 443 POST /ccmuser/WEB-INF/pages/errors/j_security_check  HTTP/1.1 200 8005 793
[13/Jun/2010:07:57:40 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:01 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:22 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:42 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 4
[13/Jun/2010:07:59:02 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list  HTTP/1.1 200 1222 3

end of the file reached
options: q=quit, n=next, p=prev, b=begin, e=end (lines 1561 - 1576 of 1576) :

1) We need "Tomcat Security" logs, not "Tomcat" logs.

2) Please don't paste the content of the logs.  Instead use RTMT to collect logs and upload the files.

3) Please make sure the logs cover the time of the login attempt.

Thanks!

Michael

Unfortunately the rtmt didn't work.

But I got the security logs from cli.

I am attaching the file....

Thank you in advance...

Obviously, user "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" failed the authentication.

Questions:

1) Is "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" a valid DN?  Could you go to the command prompt of the domain controller and get the screen output of "dsquery user -samid MLavrentakis"?

2) Could you check if the user account was locked on AD?  Check both "MLavrentakis" and "scanner".

To further investigate the problem, could you do a packet capture from CUCM?  Command as below:

utils network capture file cucm count 1000000 size all host all 10.211.20.127

Start the command above.  Try to log into CCMUser page.  Press Ctrl-C to stop capture.

Then use the commands below to collect logs:

1) Get Packet Capture:

file get activelog platform/cli/cucm.cap

2) Get Tomcat Security:

file get activelog tomcat/logs/security/log4j/security*.*

You'll need a SFTP server (such as http://www.freesshd.com/freeFTPd.exe) to receive the file.

Thanks!

Michael

1) The output of the command "dsquery user -samid MLavrentakis" was:

CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr

2) The accounts are not locked..

3) I am attaching the files you requested

Thank you in advance...

Based on packet #14 in the packet capture, LDAP server 10.211.20.127 is rejecting the credential you provided for MLavrentakis.  The error was "Invalid Credentials".  This error comes from the LDAP server, not from Cisco CUCM.

If you're pretty sure the password you entered was correct, you may try the following:

1) Reset MLavrentakis' password to a simple one.  Retry login from CCMUser page.

If that didn't work, you may try:

2) Go to CUCM > System > LDAP > LDAP Authentication.

Change authentication port from 389 to 3268.

Restart Tomcat with CLI command "utils service restart Cisco Tomcat"

Retry login from CCMUser page.

Explanation:

Port 3268 is the Global Catalog port and is recommended for authentication purposes.

If neither of the above works, please get the packet capture again.  (you don't need Tomcat Security logs because we know the problem is NOT on Tomcat).

Thanks!

Michael
