06-11-2010 10:09 AM - edited 03-15-2019 11:12 PM
My Active Directory is synchronized fine...
I can see all the users...
But when I try to log in to Call Manager as a user or as an administrator (CCM admin user group), it fails.
I have ticked the box on LDAP synchronization "use LDAP authentication for end users".
06-15-2010 06:36 AM
By looking at the packet capture, the problem is still on LDAP side.
Here are the relevant packets:
#4 CUCM sent bindRequest to LDAP. Username: eurobank\scanner. Password: scanner1234$$
#5 LDAP sent successful response
#13 CUCM sent bindRequest to LDAP. Username: CN=MLavrentakis, OU=Cyprus,OU=Employees,DC=Eurobank,DC=efg,DC=gr. Password: !Log1234!
#14 LDAP sent failed response - "invalidCredentials"
If you're sure the information was correct in packet #13, you should get your LDAP engineer to explain packet #14.
Thanks!
Michael
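The two BindResponse packets Michael reads above (#5 success, #14 invalidCredentials) are BER-encoded LDAP messages. As an added example that is not part of the original thread or of any Cisco tool, the decoder below parses a raw BindResponse and reads Active Directory's diagnostic text, which is where AD says whether resultCode 49 means a bad password, a locked account, a disabled account and so on. The sample messages are constructed here with `build_bind_response()`; the diagnostic strings only mimic AD's format and are not taken from the capture in the thread.

```python
"""Decode an LDAP BindResponse (RFC 4511, BER-encoded) and read AD's
diagnostic text, i.e. what a packet like #14 above carries on the wire.

Added example, not from the thread. The messages below are constructed
with build_bind_response(); the diagnostic strings only mimic the format
Active Directory uses ("... AcceptSecurityContext error, data 52e ...").
"""
import re

LDAP_RESULT_NAMES = {0: "success", 10: "referral", 32: "noSuchObject",
                     49: "invalidCredentials"}

# AD returns resultCode 49 for most logon failures and distinguishes them
# only in the "data NNN" field of diagnosticMessage.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def _read_tlv(buf, pos):
    """Read one BER TLV at pos -> (tag, value, next_pos); short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one BER TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_bind_response(message_id, result_code, diagnostic=""):
    """LDAPMessage { messageID, [APPLICATION 1] BindResponse { resultCode,
    matchedDN, diagnosticMessage } } with an empty matchedDN."""
    op = (_tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"")
          + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, op))


def parse_bind_response(msg):
    """Decode msg; raise ValueError if it is not an LDAPMessage/BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:                       # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindResponse")
    tag, rc, pos = _read_tlv(op, 0)
    if tag != 0x0A:                       # ENUMERATED
        raise ValueError("missing resultCode")
    _, matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(rc, "big"),
            "matchedDN": matched_dn.decode(),
            "diagnosticMessage": diag.decode(errors="replace")}


def explain(resp):
    """Human-readable verdict, using AD's data code when one is present."""
    rc = resp["resultCode"]
    name = LDAP_RESULT_NAMES.get(rc, f"resultCode {rc}")
    m = re.search(r"\bdata ([0-9a-f]+)", resp["diagnosticMessage"], re.I)
    if rc == 49 and m and m.group(1).lower() in AD_DATA_CODES:
        return f"{name}: {AD_DATA_CODES[m.group(1).lower()]}"
    return name


# Constructed samples in AD's diagnostic format (DSID and version invented)
DIAG_BAD_PASSWORD = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                     "AcceptSecurityContext error, data 52e, v1db1")
DIAG_LOCKED_OUT = DIAG_BAD_PASSWORD.replace("data 52e", "data 775")

if __name__ == "__main__":
    for mid, rc, diag in [(5, 0, ""), (14, 49, DIAG_BAD_PASSWORD),
                          (14, 49, DIAG_LOCKED_OUT)]:
        wire = build_bind_response(mid, rc, diag)
        print(wire.hex(), "->", explain(parse_bind_response(wire)))
```

The practical point for this thread: a bare "invalidCredentials" from a packet decoder does not tell you whether the password was wrong or the account was locked, which is exactly the distinction Michael asks about later. Pull the `diagnosticMessage` string out of packet #14 and look at the `data` code before resetting anyone's password.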
06-11-2010 10:17 AM
Let's check 1 thing and then offer an alternative for the second and go from there:
1) Best practice is to use a separate account that is not an End User for CCM Admin access. For these users, you should create an application user and this user will not be associated to users imported in via AD.
2) For End Users, verify that you have the Standard CCM End User group assigned and that you are logging into https://
Post back with your findings and results.
Hailey
06-11-2010 10:38 AM
To add a little to Hailey's reply, the way the authentication process works is as follows:
1. The user/application submits the user ID and password to CUCM (via whatever interface)
2. CUCM identifies the user as an End User (if End User and LDAP auth is enabled, then proceed)
3. CUCM performs an LDAP bind using the CUCM directory services account you configured when setting it up. The bind attempt is made against the LDAP servers you have specified in the config. Key point, CUCM has not authenticated the user yet.
4. CUCM queries the LDAP to resolve fully qualified name for the user ID provided in step 1
5. If all is well, LDAP replies with the full context name
6. CUCM then attempts a bind to LDAP using the full context name discovered in step 5 and the password provided in step 1 (binding as the user)
7. If LDAP accepts the credentials then the user is logged in. From this point forward, LDAP is no longer involved with the user session
So, you need to check your authentication config to ensure the appropriate servers, search base, etc. are provided. Usually, they are set to the same context as your synchronization agreement. Unless, of course, you have more than one sync agreement. Then, the authentication user search base must be set at a level that encompasses all sync agreements.
Are you using open or secure LDAP? If secure, have you loaded the certs from LDAP? If you have loaded the certs, have you restarted the Tomcat service?
Are you dealing with multiple trees or child domains?
I would be guessing on other reasons at this point.
HTH.
Regards,
Bill
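The seven-step flow Bill describes, as an added example that is not part of the original post or of any Cisco code: a Python simulation in which an in-memory dictionary stands in for one domain controller's naming context and `bind()`/`search()` stand in for the LDAP operations a real client would issue. It also models Hailey's point that an Application User is checked locally and never sent to LDAP, which is why a local admin account can keep working while AD End Users fail. All DNs, user IDs and passwords are invented, and `cucm_ldap_authenticate` is a hypothetical name for the logic, not a Cisco API.

```python
"""Simulation of the CUCM end-user LDAP authentication flow (steps 1-7 above).

Added example, not code from the original thread or from Cisco. The
directory is an in-memory stand-in for one AD domain controller's naming
context; bind()/search() mimic the LDAP operations a real client would issue.
All DNs, user IDs and passwords below are invented.
"""
from dataclasses import dataclass, field

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # AD uses this for a bad password AND a locked account


@dataclass
class FakeDirectory:
    """Stand-in for a DC answering on port 389 for one naming context."""
    naming_context: str
    entries: dict = field(default_factory=dict)   # lower-cased DN -> attributes

    def add(self, dn, sam_account_name, password):
        self.entries[dn.lower()] = {
            "dn": dn, "sAMAccountName": sam_account_name, "password": password}

    def bind(self, dn, password):
        """Simple bind; returns the resultCode a BindResponse would carry."""
        entry = self.entries.get(dn.lower())
        if entry is None or entry["password"] != password:
            return LDAP_INVALID_CREDENTIALS
        return LDAP_SUCCESS

    def search(self, base, sam_account_name):
        """Subtree search for (sAMAccountName=<id>) under base; DN or None.
        A DC on 389 only holds its own domain, so a base outside that
        naming context finds nothing here (a real DC would hand back a
        referral); a Global Catalog on 3268 would answer forest-wide."""
        base_l = base.lower()
        if not base_l.endswith(self.naming_context.lower()):
            return None
        for key, attrs in self.entries.items():
            if key.endswith(base_l) and \
                    attrs["sAMAccountName"].lower() == sam_account_name.lower():
                return attrs["dn"]
        return None


def cucm_ldap_authenticate(directory, svc_dn, svc_password, search_base,
                           user_id, user_password, application_users=None):
    """Return (ok, detail) for a login attempt.

    application_users maps local (non-LDAP) IDs to passwords: Application
    Users are never sent to LDAP.
    """
    # Steps 1-2: an Application User is checked locally and never hits LDAP
    if application_users and user_id in application_users:
        if application_users[user_id] == user_password:
            return True, "local application user"
        return False, "local application user: bad password"
    # Step 3: bind with the CUCM directory-services account, not the user
    if directory.bind(svc_dn, svc_password) != LDAP_SUCCESS:
        return False, "service account bind failed (check LDAP Authentication config)"
    # Steps 4-5: resolve user ID -> full DN under the configured search base
    user_dn = directory.search(search_base, user_id)
    if user_dn is None:
        return False, "user not found under search base (wrong base or other domain)"
    # Step 6: bind as the user with the password typed at the login page
    rc = directory.bind(user_dn, user_password)
    if rc != LDAP_SUCCESS:
        return False, f"LDAP rejected credentials for {user_dn} (resultCode {rc})"
    # Step 7: logged in; LDAP is not consulted again for this session
    return True, user_dn


# --- constructed sample data (invented names) --------------------------------
CHILD_NC = "DC=child,DC=example,DC=test"
SVC_DN = "CN=svc-cucm,OU=Service,DC=child,DC=example,DC=test"
SVC_PASSWORD = "Svc-Pass-1"
APP_USERS = {"ccmadmin": "Admin-Pass-1"}   # local CUCM Application User


def build_sample_directory():
    d = FakeDirectory(CHILD_NC)
    d.add(SVC_DN, "svc-cucm", SVC_PASSWORD)
    d.add("CN=jdoe,OU=Users,DC=child,DC=example,DC=test", "jdoe", "User-Pass-1")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    for uid, pw, base in [("jdoe", "User-Pass-1", CHILD_NC),
                          ("jdoe", "wrong", CHILD_NC),
                          ("jdoe", "User-Pass-1", "DC=example,DC=test"),
                          ("ccmadmin", "Admin-Pass-1", CHILD_NC)]:
        print(uid, base, cucm_ldap_authenticate(
            d, SVC_DN, SVC_PASSWORD, base, uid, pw, APP_USERS))
```

Three of the failure strings map directly onto things to check in a thread like this one: a service-bind failure means the credentials on the LDAP Authentication page are wrong; "user not found under search base" means the base (or the port, 389 vs 3268 in a multi-domain forest) does not cover the user's domain; and a rejection at step 6 with a correct-looking DN, which is what packets #13/#14 show, is the directory refusing the user's own password and has nothing to do with CUCM or Tomcat.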
06-11-2010 10:35 PM
The application user account I created works perfect.
I have restarted the publisher server...but unfortunately, still I cannot Login with AD user accounts!!
My integration is with Active Directory, with parent and child domains. I am on a child domain....
I am trying to log in at the URL: https://x.x.x.x/ccmuser
The strange thing is that the synchronization is fine; I can even search all my users in the corporate directory of the IP phones.
Thank you for your response.
06-11-2010 01:43 PM
Have you restarted the Tomcat service by using CLI command below?
utils service restart Cisco Tomcat
Michael
06-11-2010 10:47 PM
Check whether the ccmuser ID you are using to log in has privileges for end user.
06-11-2010 11:10 PM
Yep, I pointed this out in my earlier post - please verify that the end user accounts are members of the Standard CCM End User group.
Hailey
06-12-2010 03:13 AM
Certainly they are in the standard CCM End Users Group.
06-12-2010 05:44 AM
Could you try this?
1) Type the following command in the CUCM CLI (command line interface)
2) Wait until Tomcat has started. Try to log into the CCMUser page.
3) If it failed, collect "Cisco Tomcat Security" logs. Make sure the time frame covers the last logon attempt.
Thanks!
Michael
06-12-2010 10:18 PM
I have restarted the tomcat service, still the problem persists.
I am pasting the logs from the CUCM:
options: q=quit, n=next, p=prev, b=begin, e=end (lines 1561 - 1576 of 1576) :
[13/Jun/2010:00:00:03 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 67
[13/Jun/2010:00:00:24 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:00:44 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 4
[13/Jun/2010:00:01:05 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 16
[13/Jun/2010:00:01:26 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:01:46 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 2
[13/Jun/2010:00:02:07 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:02:27 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 5
[13/Jun/2010:00:02:47 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 2
[13/Jun/2010:00:03:07 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:03:28 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:03:48 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:08 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:29 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:04:49 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:05:09 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:05:30 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 2
[13/Jun/2010:00:05:50 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 2
[13/Jun/2010:00:06:10 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:00:06:31 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
options: q=quit, n=next, p=prev, b=begin, e=end (lines 1 - 20 of 1576) :
[13/Jun/2010:07:57:14 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ciscologo.gif HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/console.css HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/vtgblaf_percent.css HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderBegLTR.gif HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderMidLTR.gif HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/HeaderEndLTR.gif HTTP/1.1 304 - 1
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/transgif.gif HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/themes/VtgBlaf/ciscoLogo12pxMargin.gif HTTP/1.1 304 - 0
[13/Jun/2010:07:57:18 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/images/masthead.jpg HTTP/1.1 304 - 0
[13/Jun/2010:07:57:20 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:07:57:23 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/ HTTP/1.1 302 - 117
[13/Jun/2010:07:57:23 +0300] 213.149.163.227 213.149.163.227 admin - 443 GET /ccmuser/showHome.do HTTP/1.1 403 7774 413
[13/Jun/2010:07:57:33 +0300] 213.149.163.227 213.149.163.227 - - 443 POST /ccmuser/WEB-INF/pages/errors/j_security_check HTTP/1.1 200 8005 793
[13/Jun/2010:07:57:40 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:01 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:22 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
[13/Jun/2010:07:58:42 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 4
[13/Jun/2010:07:59:02 +0300] 127.0.0.1 127.0.0.1 Ln95DAivi^ - 8080 GET /manager/list HTTP/1.1 200 1222 3
end of the file reached
options: q=quit, n=next, p=prev, b=begin, e=end (lines 1561 - 1576 of 1576) :
Obviously, user "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" failed the authentication.
Questions:
1) Is "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" a valid DN? Could you go to the command prompt of the domain controller and get the screen output of "dsquery user -samid MLavrentakis"?
2) Could you check if the user account was locked on AD? Check both "MLavrentakis" and "scanner".
To further investigate the problem, could you do a packet capture from CUCM? Command as below:
utils network capture file cucm count 1000000 size all host all 10.211.20.127
Start the command above. Try to log into CCMUser page. Press Ctrl-C to stop capture.
Then use the commands below to collect logs:
1) Get Packet Capture:
file get activelog platform/cli/cucm.cap
2) Get Tomcat Security:
file get activelog tomcat/logs/security/log4j/security*.*
You'll need a SFTP server (such as http://www.freesshd.com/freeFTPd.exe) to receive the file.
Thanks!
Michael
Based on packet #14 in the packet capture, LDAP server 10.211.20.127 is rejecting the credential you provided for MLavrentakis. The error was "Invalid Credentials". This error is from the LDAP server, not from Cisco CUCM.
If you're pretty sure the password you entered was correct, you may try the following:
1) Reset MLavrentakis' password to a simple one. Retry login from CCMUser page.
If that didn't work, you may try:
2) Go to CUCM > System > LDAP > LDAP Authentication.
Change authentication port from 389 to 3268.
Restart Tomcat with CLI command "utils service restart Cisco Tomcat"
Retry login from CCMUser page.
Explanation:
Port 3268 is the Global Catalog port and is recommended for authentication purposes.
If neither of the above works, please get the packet capture again. (you don't need Tomcat Security logs because we know the problem is NOT on Tomcat).
Thanks!
Michael