uccx single sign on, how to allow users to update their passwords?

Unanswered Question
Jan 12th, 2012

I have users synced to an AD, and phones with a SSO services button set up so that users can log directly into uccx without needing to type in username/password. From the ccmusers page a user can see the parameters of this service url, however they can't update the password parameter.

In talking to TAC it was mentioned this was by design, Is there any way a user could update this field to their password themself?

gapande Fri, 01/13/2012 - 00:56

Not sure if I understood you right but are you trying to achieve SSO between CUCM & UCCX App for the users ? If yes, then as of now it's not tested & supported.

Please elaborate if I misunderstood your query & I'll be glad to assist.

If above information helps, pls rate the post.


GP.

scheived Fri, 01/13/2012 - 07:14

This is using an IP phone service set up on cucm with the following url, http://contactcenter:6293/ipphone/jsp/sciphonexml/IPAgentLogin.jsp I then created 3 parameters as variables so as to use the service on multiple phones. I was under the impression this was a common uccx express integration.

What I'm looking for is a way for users to update the password parameter on this ip phone service somehow themselves instead of using CM Administration.

Walter Solano Fri, 01/13/2012 - 07:57

I checked and the end users are able to change the password of the IPPA by using the ccmuser web page, address is http:///ccmuser. Login using the enduser credentials and then go to user options->Device then select phone services and select the service used to login and there you should be able to change the users password

HTH

Please rate this post if was helpful

Walter J. Solano

scheived Fri, 01/13/2012 - 08:01

Right, it looks like they should be able to there. The issue is this does not actually update the password there. And in talking to TAC, it was explained that users can't update this. I'm wondering what others might be using to achieve this?

scheived Tue, 01/17/2012 - 11:03

Looks like I found a workaround. If a user updates the password for their uccx ip phone service via ccmuser it will not work initially, and system will indicate a bad password during login. However, if the admin brings up the user's phone's Subscribed Cisco IP Phone Services details, makes no changes but saves the page, it then will allow the user to log.

Although a two step process at least this gives users a way to change their password without having a system admin key it in, although does require they indicate to the admin when they have.

druchyun@hotmail.com Wed, 03/28/2012 - 15:30

The same thing happened to me and working with cisco tac, they said that this is normal behavior. Although I found a workaround, you must go into CUCM and create a new role with the following read-update permission:

Phone services web pages  - Check Read and Update

Go to "user management / user group" and then copy "Standard CCM End users" and create a duplicate called "with Phone Services" or something like that. Add the new role that you created that grants read-update privileges to the phone services web pages.

scheived Wed, 04/25/2012 - 09:18

A little late getting back to this, I tried these steps but still couldn't get it to work for end users. Could you list all the Groups and Roles assigned to a working user?

Go to "user management / user group" and then copy "Standard CCM End users" and create a duplicate called "with Phone Services" or something like that. Add the new role that you created that grants read-update privileges to the phone services web pages.

druchyun@hotmail.com Wed, 04/25/2012 - 12:34

I created a role named "Cisco Call Manager Phone Services Self-Service" then added the resource;

Phone Services web pages      read  +   update  

I saved that, then went to "User management, User Group" then copied the standard CCM End users group, creating a new group called "Standard CCM End Users with Services". To this new group, I went under "related links" and selected "add role to user group" and added the role "Cisco call manager Phone services self-service". The other two roles assigned to this group are "Standard CCM End users" and "Standard CCMUSER Administration".

Your users should now have both "Standard CCM End Users" and "Standard CCM End Users with Services" but you really only need the latter. The interesting thing is all users automatically that had the original group had this new group immediately applied, probably because I copied the original group.

scheived Fri, 04/27/2012 - 13:46

Precisely what I did as well, just isn't working in my case. Might be the version, I'm using 8.5.1.12900-7

As a test I assigned a user to all roles and found it still doesn't work.

rorogier Sat, 04/28/2012 - 07:24

Hello,

I am a Cisco TAC engineer supporting the contact center platform. If I understand your question properly you have the following setup. Unified Communications Manager is tied to a Microsoft AD domain for users and authentication. You also have Contact Center Express that uses this CUCM for phones and users. You would like your users to use the ccmuser page from CUCM to change their AD password. If I have missed part of this scenario or not stated it correctly, please let me know. If this is what you wish to do then unfortunately, there is no way to do this. When CUCM is tied to AD for user authentication the only thing CUCM contains is the usernames from AD. The actual password is either grayed out or is ignored. When an authentication request comes to CUCM via the UCCX application (either through CAD or IPPA), the physical login takes place in AD. The password provided is hashed using the appropriate method and gets passed to the configured AD authentication server defined in CUCM. Due to this design it just isn't workable to allow the user to change their password.

There is an alternate method of configuring CUCM so that the desired effect is reached. Simply set up CUCM to import users only from the AD servers. This means you just won't configure an authentication lookup in CUCM. The passwords are now stored in CUCM independently of AD so the user can use the ccmuser page to make the changes. They can choose to use the same password on each system, but they are truly independent of each other.

Hopefully this helps you out. Please let me know if you have any additional questions or concerns,

--

Robert W. Rogier

Customer Service Engineer

TAC - UCC

Cisco Systems, Inc., Research Triangle Park, NC

scheived Sat, 04/28/2012 - 15:35

No, not my scenario at all. I would like to use the ccmuser page to update a "password" parameter on an IP phone service. In this case the user has already updated their ad password through other means. Now they need to update this parameter to match so the agent can log in.

Tanner Ezell Sat, 04/28/2012 - 17:01

There is nothing built in you can use to accomplish this. If you're savvy you can write some custom code to update the service via AXL.

scheived Sat, 04/28/2012 - 18:50

Yes, there is something built in as Walter pointed out earlier. The point is that it doesn't work, and cisco isn't recognizing it as a problem. 

According to Cisco documentation here,

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/all_models/xsi/6_0/english/programming/guide/xsi60adm.html

Under the section User Service Subscription, it states that users may "Enter any available service parameters"

So why are users unable to do so, and why is TAC telling us this is by design in conflict with the documentation?

anchoudh Sun, 04/29/2012 - 03:32

HI,

Could you also please check the Active Directory->Users->Account->Account options.

What are the settings here for these users, please see if you have enabled the password never expires option and also what about User cannot change password setting.

Although I am not sure but still worth to check.

Hope it helps.

Anand

Pls rate helpful posts !!

scheived Sun, 04/29/2012 - 07:42

This has no relevance. Changing AD passwords is out of the realm of what communications manager does.

anchoudh Sun, 04/29/2012 - 07:58

HI,

As per my knowledge, you can perform password changes directly in the Active Directory and when you perform sync with CUCM it gets synchronized.

I am not aware of changing\updating the passwords in CUCM manually, for the AD users.

Thanks,

Anand

scheived Sun, 04/29/2012 - 08:03
I am not aware of changing\updating the passwords in CUCM manually, for the AD users.

Me neither, and has nothing to do with this thread.

rorogier Sun, 04/29/2012 - 05:14

Hi,

Let me go back to the original question I posed. Is what you are trying to accomplish allowing a user to change their AD password through the IPPA or CUCM system, OR is it that you want users to edit their own services to put in their current AD passwords. This makes a big difference. There is no way to actually have CUCM change the password of a user in AD that I am aware of. However, if you just want to allow the end users to edit the service parameters for the IPPA system to put in their current AD password so they can hit one button and login, that may be doable and I could likely get that working.

Please clarify which you want to see happen so that the efforts are correctly focused. Thank you and I look forward to hearing from you.

--

Sincerely,

Robert W. Rogier

TAC - UCC

Cisco Systems, Inc - Research Triangle Park, NC

scheived Sun, 04/29/2012 - 07:38

To answer your question again,

NO, not trying to allow a user to change their AD password.

YES, edit their own services to put in their current AD passwords.

rorogier Sun, 04/29/2012 - 09:34

Ok, I understand exactly what you want to do.  The simple answer is yes this is possible.  I have mocked this up in my lab and given a user a SSO for IPPA to UCCX.  It has the standard 3 parameters, ID, Ext, and Pwd.  When I login to CCMUser page using a non-admin account, I can select my device, see the options and edit them. I would send a screenshot, but it's too small to even read.  However, let me ask this.  When your users login, do they see each of the parameter boxes as editable boxes?  If this is true, then do the users have "Save, Delete, Device, Line Settings,  . . ." at the bottom of their screen?  And if all of this is true, what happens when a user updates their password here and clicks save.  Do you get an error, does it look to update but the password still fails, etc.  Once that is understood we can make some better suggestions.   What Walter stated above should be true and work so if you're not getting this result, there's either a missing setting in CUCM, or a permissions issue, etc.  Thank you and I hope you have a good weekend.

--

Sincerely,

Robert W. Rogier

TAC - UCC

Cisco Systems, Inc - Research Triangle Park, NC

scheived Mon, 04/30/2012 - 07:08

Yes the user sees each of the parameter boxes as editable. Users have "Save, Delete, Device, Line Settings" at the bottom of their screen. When a user updates them and clicks save it appears to update fine, shortly after the phone resets, however the password still fails.

Additionally if a user updates a field, then an admin later views the field it will be the updated value the user entered. However the phone is not using this new value.

rorogier Mon, 04/30/2012 - 07:42

Based on what you have said, it sounds like there is a bug somewhere in this mix. If you can see that the user typed in a value and hit save. You can open the service parameters for that phone and see the updated value but don't see that the phone is passing that value to the server as a login value, then there's an issue.

I just recreated this in my UCCX lab and found it really doesn't make a difference what I put in the password field, it will always login. I'm running UCCX 8.5 and it's an older release of 8.5 since I generally support the UCCE product, but there definitely seems to be a bug with the IPPA process. I think the best option at this point is for you to use the data in this thread to open a service request. I'll ask around to see what others here see, but I would not have expected to be able to login without any password at all.

scheived Tue, 05/01/2012 - 12:45

I've never experienced CCX allowing login without a valid password, that actually would solve my problem.

druchyun@hotmail.com Tue, 05/01/2012 - 15:54

Have you tried temporarily giving a test user full cucm superuser rights and then testing if it can update its password via CCMUSER? Although I don't recommend this in production it might discern whether or not it's a permissions issue or a UI bug. Also, I noticed the phone "blips" the display after the user updates their password in the portal, make sure you wait until after that to test logging in.

I think the best option at this point is for you to use the data in this thread to open a service request

I opened a TAC service request and they referred me to this thread...


scheived Tue, 05/01/2012 - 16:03

Please read thread before posting. To quote myself in earlier posts,

"As a test I assigned a user to all roles and found it still doesn't work."

"...clicks save it appears to update fine, shortly after the phone resets, however the password still fails."

johnhsnow Fri, 06/22/2012 - 07:39

I have been working on solving the same issue, but I don't see a solution here. In TAC's notes above about Non-SSO for IPPA and the urls:

http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

          Service 2 -- IPPA N2: http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

  These are the non-SSO version of IPPA but should prove that your phone can login to IPPA.

This is my url in the IPPA service in cucm (8.5), I'm not sure the difference?

http://:6293/ipphone/jsp/sciphonexml/IPAgentLogin.jsp

Did you get this working Scheived?

scheived Fri, 06/22/2012 - 07:52

I haven't had time to troubleshoot further. For me the solution was to have the user initiate a remote desktop session with an admin, who uses their workstation to log in to the cucm administration page and has the user type in their AD password to the appropriate field.

scheived Fri, 02/07/2014 - 09:41

The ccmuser page works correctly now in CUCM version 9.1

rorogier Tue, 05/01/2012 - 21:07

I would like to take a moment here to reset some things. As this is not a formal TAC case I have skipped a couple of steps that would normally be in my first e-mail to you as a customer and for that I apologize. Below, I have written out what I believe your current solution you wish to implement as well as a description of your current setup. Finally I have ended this section with a list of the problem statements I see so far. If we aren't on the same page, please forgive me and make corrections where necessary.

Current description of your environment and question: You have CUCM cluster which is LDAP integrated to a Microsoft Active Directory (AD) for both User sync and for User Authentication. As demonstrated by the users being able to login to the CCMUser page, you are successfully integrated and there are no known issues here. You have a UCCX system (have not yet established whether simplex or HA) which is integrated to this CUCM cluster. Resources are properly configured and can login using CAD with their AD username and password. You would like to deploy IPPA to your users to eliminate the need for CAD in certain or all cases (the scope really makes no difference, just that you are wanting to deploy IPPA.) With the IPPA deployment, you would like to use the "One Button Login" or SSO configuration by creating the appropriate service(s) on the CUCM server. Finally, you require the ability of your users to update their own IPPA SSO passwords to both eliminate the administrative overhead and maintain security of the passwords. From this you have the following issues:

Problem 1.) Users cannot login to IPPA using the SSO defined service at all.

Problem 2.) Users may not be able to login to the CCMUser page at all. 

Problem 3.) Users cannot update their own passwords through  CCMUser. (I believe this would be resolved if Problem 2 is resolved).

Based on the above, I have come up with several tests I would like you to try and reply with the results.

Test1.)  Please try putting the exact URL for the IPPA SSO service defined in your CUCM into the URL of your browser.  You should get something similar to the following:

     <?xml version="1.0" encoding="ISO-8859-1" ?>
          Error
          Internal error: Invalid input.
               OK
               Init:Services
               1


Test 2.)  Please create two phone services with the following URL:

          Service 1 -- IPPA N1:  http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

          Service 2 -- IPPA N2:  http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

  These are the non-SSO version of IPPA but should prove that your phone can login to IPPA.  In addition, you will note that I have changed the hostname to or .  Replace this section with just the IP of the UCCX servers, not the name.  This will come into play in test 3.

Test 3.) Earlier, you have stated in your URL that you used "contactcenter".  From this, I'm not sure if you used the name of the UCCX server or the IP.  If you used the name, please change the service to be the IP of the server(s).  The reason for this is that very few people configure DNS resolvers in their VoIP Subnet (hey why would a phone ever use those...) and then those who do configure the DNS resolvers either forget to add all the necessary static entries (UCCX servers are DDNS compatible last I checked) so that the phones cannot ever resolve the name provided.

Test 4.) Another thought that came to mind is to check your telecaster user setup. The details for this are in the CAD guides. Ensure that your CUCM has a telecaster user created (this will likely have to be added to AD for it to sync). Next, if your AD does not allow the default password of "telecaster", set an appropriate password and then update the UCCX server in the Cisco Desktop Administrator section. Select the option "CAD Configuration Setup" and scroll down to the section shown below (and truncated for space):

This whole process is laid out in the CAD setup guides and ensure that telecaster is functional.  Telecaster itself does need certain rights which are laid out in the documentation as well.

Finally, as requested earlier here is the relevant section of the configuration of my AD integrated IPPA agent in my lab:

I apologize for the length of this post but wanted to try to cover as much of the issues laid out and how to resolve most of them.  If you still have remaining issues, you know where to find me.  Thank you for choosing Cisco Systems and I hope you have a good evening.

--

Sincerely,

Robert W. Rogier

TAC - UCC

Cisco Systems, Inc - Research Triangle Park, NC
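
An added example, not written by any poster in this thread: a Python sketch of Tests 1 and 3 above that audits an IP phone service URL for a hostname the phone would have to resolve and classifies the reply a browser would get for the bare URL. The function names, the 192.0.2.10 address and the element names in the constructed sample reply are assumptions; only the port, path and text values come from the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

IPPA_PORT = 6293                         # port in the service URLs quoted in the thread
IPPA_PATH = "/ipphone/jsp/sciphonexml/"  # path prefix quoted in the thread

# Constructed sample of a Test 1 reply. The element names are an assumption
# (the thread's copy lost its tags); only the text values come from the thread.
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="ISO-8859-1" ?>
<CiscoIPPhoneText>
  <Title>Error</Title>
  <Text>Internal error: Invalid input.</Text>
  <SoftKeyItem><Name>OK</Name><URL>Init:Services</URL><Position>1</Position></SoftKeyItem>
</CiscoIPPhoneText>"""


def audit_service_url(url):
    """Test 3: list reasons a phone might fail to reach this service URL."""
    parts = urlsplit(url)
    findings = []
    host = parts.hostname
    if not host:
        findings.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)   # IP literal: no DNS lookup needed
        except ValueError:
            findings.append(f"host '{host}' is a name; the phone needs DNS to resolve it")
    if parts.port != IPPA_PORT:
        findings.append(f"port is {parts.port}, expected {IPPA_PORT}")
    if not parts.path.startswith(IPPA_PATH):
        findings.append(f"path does not start with {IPPA_PATH}")
    return findings


def classify_reply(body):
    """Test 1: decide whether the bare-URL reply looks like IPPA answering."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "not-xml"                 # e.g. proxy page or truncated reply
    # Match on text only, so the result does not depend on the assumed tag names.
    text = " ".join(t.strip() for t in root.itertext() if t.strip())
    return "ippa-answering" if "Invalid input" in text else "xml-unexpected"


if __name__ == "__main__":
    for url in (
        "http://contactcenter:6293/ipphone/jsp/sciphonexml/IPAgentLogin.jsp",
        "http://192.0.2.10:6293/ipphone/jsp/sciphonexml/IPAgentLogin.jsp",
    ):
        print(url, "->", audit_service_url(url) or "ok")
    print("sample reply ->", classify_reply(SAMPLE_REPLY))
```
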
