New Member

Movi LDAP authentication

Hi Guys

I am having an issue with Movi LDAP authentication.

Everything is set up and working to a point.

If I sign into Movi using an LDAP account I can sign in fine. If I try to sign in using a different password to test if the system is working it does not sign in, which is expected, but then when I try to sign back in using the correct password it won’t allow me to sign back in. Only after about 20-30 min can I then sign back in.

This is only after one attempt using the incorrect password.

Any ideas?

20 REPLIES

Movi LDAP authentication

Haydn,

Sometimes using the wrong password causes the account to lock down in AD, and it gets unlocked after the time period defined under the domain policies.

What is the domain policy you have in place for failed attempts? Really interesting to know that you can't log in after a single wrong attempt.

Thanks

Alok

New Member

Movi LDAP authentication

The current AD policy is to lock the account for 5min after 3 failed attempts.

If I change the account password then I can log back in immediately but if I again test with an incorrect password it does the same as before.

Gold

Movi LDAP authentication

Haydn,

What version of Movi/Jabber Video are you using?

As far as I remember, up to and including Movi 4.2, Movi would attempt to provision/register multiple times even when the password did not match the first time, and this could cause the behavior you are seeing.

This should however be fixed in Jabber Video 4.3 so that if provisioning fails with a wrong username/password, Jabber Video will back off and not attempt any further provisioning/registration after that.

-Andreas

New Member

Re: Movi LDAP authentication

We are using Cisco Jabber 4.3

Sent from Cisco Technical Support iPad App

Gold

Movi LDAP authentication

In that case it would probably be necessary to gather a diagnostics log from the VCS (Network log level = DEBUG) to troubleshoot this further, so please raise a TAC case for this if needed.

- Andreas

New Member

Re: Movi LDAP authentication

Thanks.

I emailed TAC to open a case at the same time I posted here. Still waiting for a response.

Sent from Cisco Technical Support iPad App

New Member

Re: Movi LDAP authentication

So it turns out that when signing in on Cisco Jabber it challenges AD 3 times per sign-in attempt.

This still happens in 4.3.

So when we sign in once with the incorrect password, Jabber is actually trying 3 times with the incorrect details in the background.

Our company's AD policy is to lock users’ accounts after 3 failed attempts.

This is frustrating for our users because, as they see it, they have only tried to enter their details once, and maybe by typing too fast or making a mistake their AD accounts get locked.

Re: Movi LDAP authentication

Haydn,

But your policy is to lock for only 5 min. That means it would unlock the account after 5 min and then the login should work after that.

However, the problem description from you suggests that you can't log in for 20-30!!!

So what happens after 5 min, when the account is not locked but you are still not able to log in?

Thanks

Alok

Movi LDAP authentication

Just out of curiosity, the topic says LDAP auth but it sounds more like the Movi/Jabber Video NTLM auth with AD integration which you describe.

Btw, on SIP it's not uncommon to have multiple auth attempts.

Maybe a workaround could be to increase it to 4 unsuccessful attempts.

I would also check if there are capabilities in Windows to change the behavior depending on the server/service which is doing the query or at least based on group membership (like Movi users).

New Member

Movi LDAP authentication

Our security teams will not allow the AD policies to be changed.

There is, according to Cisco TAC, a SIP authentication retry limit that can be set in Movi.

We are awaiting instruction from TAC on how to set this.

They are running tests in their lab.

Movi LDAP authentication

Haydn,

Will you post the information when you get it?

Thanks,

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ
New Member

Movi LDAP authentication

@ Justin

On the VCS Control you can set the SIP Authentication retry limit using the below command:

xConfiguration SIP Authentication Retry Limit:

Default is set to 3.

We have changed the limit on our VCS to 1 but this has made no difference.

Users' accounts are still getting locked out after they enter the incorrect password once in Jabber.

It seems the Jabber application itself is retrying multiple times.

We are awaiting further feedback from TAC.

Movi LDAP authentication

Haydn,

Thank you very much for keeping us updated.  Let us know if you get this resolved and how please.

Thanks,

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

Movi LDAP authentication

Hi Haydn,

I just tested this scenario in my lab with the below setup.

Jabber 4.4 version.

VCS X7.1

With a wrong username and password I see only one request going to the domain controller, and the domain controller replies with LOGON_FAILURE.

Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,679" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication request" client id="105" username="alok" domain="" workstation=""

Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,681" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication failure" client id="105" username="alok" domain="" workstation="" result="0" reason code="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" reason string="Logon failure"

Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,681" Module="developer.winbindservice" Level="INFO" CodeLocation="ppcmains/winbindservice/WinbindService.cpp(288)" Method="std::string&, const std::string&, const std::string&, const std::string&, const std::string&, bool, std::string&, bool, std::string&, winbindService_reasonCode_t&, uint32_t&, std::string&, uint32_t)" Thread="0x7fe5bce41700":  Result="0" ReasonCode="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" NTReasonString="Logon failure" Username="alok" Domain="" Workgroup="" Detail="Domain controller did not authenticate user."

Also, I collected the SIP logs on my Jabber Video on Windows 7 SP1, and I see the SUBSCRIBE and 407 Proxy Authentication messages only once.

So I do not see 3 repeated requests for a failed attempt, neither on Jabber nor on the VCS Control.

What is your scenario?

Thanks

Alok
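
An added example, not part of the original thread and not Cisco tooling: a small parser for VCS DEBUG log lines in the format quoted above that counts how many `rpc authentication failure` events each username produces in one burst, so a single sign-in that costs several AD bad-password attempts stands out. The sample lines are constructed, and the usernames, the 10-second burst window and the function names are assumptions of this example; the threshold of 3 is the lockout policy mentioned in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the VCS log quoted in the thread
# (usernames, client ids and timestamps are made up for this example).
SAMPLE_LOG = '''\
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,679" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication request" client id="105" username="alice" domain="" workstation=""
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,681" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication failure" client id="105" username="alice" domain="" workstation="" result="0" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,934" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication failure" client id="106" username="alice" domain="" workstation="" result="0" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 17 23:42:33 vcsc1 tvcs: UTCTime="2012-04-17 18:12:33,210" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication failure" client id="107" username="alice" domain="" workstation="" result="0" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 17 23:50:05 vcsc1 tvcs: UTCTime="2012-04-17 18:20:05,100" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication failure" client id="108" username="bob" domain="" workstation="" result="0" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 18 00:00:07 vcsc1 tvcs: UTCTime="2012-04-17 18:30:07,450" Module="network.rpcnetlogon" Level="DEBUG":  netlogon="rpc authentication failure" client id="109" username="bob" domain="" workstation="" result="0" NTreasonCode="0xc000006d" reason string="Logon failure"
'''

# key="value" pairs; keys may contain spaces ("client id", "reason string").
FIELD = re.compile(r'([A-Za-z][A-Za-z ]*?)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of one VCS log line as a dict."""
    return {key.strip(): value for key, value in FIELD.findall(line)}

def failures_per_signin(log_text, window_seconds=10):
    """Group netlogon failures per username into bursts whose events are at
    most window_seconds apart; return {username: [failures in each burst]}."""
    bursts, last_seen = defaultdict(list), {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("netlogon") != "rpc authentication failure":
            continue
        ts = datetime.strptime(fields["UTCTime"], "%Y-%m-%d %H:%M:%S,%f")
        user = fields["username"].lower()
        prev = last_seen.get(user)
        if prev is not None and ts - prev <= timedelta(seconds=window_seconds):
            bursts[user][-1] += 1      # same sign-in attempt, another failure
        else:
            bursts[user].append(1)     # first failure of a new attempt
        last_seen[user] = ts
    return dict(bursts)

def lockout_risk(log_text, threshold=3, window_seconds=10):
    """Usernames for which a single burst reached the AD lockout threshold."""
    per_user = failures_per_signin(log_text, window_seconds)
    return sorted(u for u, sizes in per_user.items() if max(sizes) >= threshold)

if __name__ == "__main__":
    print(failures_per_signin(SAMPLE_LOG), lockout_risk(SAMPLE_LOG))
```

A burst of 1 matches what Alok's lab log shows; a burst equal to the lockout threshold matches the behaviour Haydn describes.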

New Member

Movi LDAP authentication

Hi Alok

We are still using Jabber 4.3

I will install 4.4 now and test.

I will give feedback soon.

New Member

Movi LDAP authentication

Hi Alok

We just tested with Jabber 4.4 and users' accounts are still being locked out.

Movi LDAP authentication

Haydn,

I think logs can tell us more now.

Thanks

Alok

New Member

Movi LDAP authentication

Update

Cisco TAC has managed to reproduce my issue in their lab and it seems to be a bug.

I will update as I have more.

New Member

Movi LDAP authentication

Hi Haydn,

We are having the exact same issue here. I have not yet upgraded to later versions of Jabber but interested to hear if 4.4 fixes the issue.

Thanks

Oli

New Member

Movi LDAP authentication

Jabber 4.4 did not fix the issue.

We are trying a new release now, still trying to resolve this.

We are also waiting for feedback from the Jabber R&D team.
