I am having an issue with Movi LDAP authentication.
Everything is set up and working to a point.
If I sign into Movi using an LDAP account I can sign in fine. If I try to sign in using a different password to test that the system is working, it does not sign in, which is expected, but then when I try to sign back in using the correct password it won't allow me to sign back in. Only after about 20-30 min can I sign back in.
This is only after one attempt using the incorrect password.
Sometimes using the wrong password causes the account to lock in AD, and it gets unlocked after the time period defined under the domain policies.
What is the domain policy you have in place for failed attempts? Really interesting to know that you can't log in after a single wrong attempt.
The current AD policy is to lock the account for 5min after 3 failed attempts.
If I change the account password then I can log back in immediately but if I again test with an incorrect password it does the same as before.
What version of Movi/Jabber Video are you using?
As far as I remember, up to and including Movi 4.2, Movi would attempt to provision/register multiple times even when the password did not match the first time, and this could cause the behavior you are seeing.
This should however be fixed in Jabber Video 4.3 so that if provisioning fails with a wrong username/password, Jabber Video will back off and not attempt any further provisioning/registration after that.
In that case it would probably be necessary to gather a diagnostics log from the VCS (Network log level = DEBUG) to troubleshoot this further, so please raise a TAC case for this if needed.
I emailed TAC to open a case at the same time I posted here. Still waiting for a response.
So it turns out that when signing in on Cisco Jabber it challenges AD 3 times per sign-in attempt.
This still happens in 4.3.
So when we sign in once with the incorrect password, Jabber is actually trying 3 times with the incorrect details in the background.
Our company's AD policy is to lock users' accounts after 3 failed attempts.
This is frustrating for our users because, as they see it, they have only tried to enter their details once, and maybe by typing too fast or making a mistake their AD accounts get locked.
But your policy is to lock for only 5 min. That means it would unlock the account after 5 min and then the login should work after that.
However, the problem description from you suggests that you can't log in for 20-30 minutes!
So what happens after 5 min, when the account is not locked but you are still not able to log in?
Just out of curiosity, the topic says LDAP auth but it sounds more like the Movi/JabberVideo NTLM auth with AD integration which you describe.
Btw, on SIP it's not uncommon to have multiple auth attempts.
Maybe a workaround could be to increase it to 4 unsuccessful attempts.
I would also check if there are capabilities in Windows to change the behavior depending on the server/service which is doing the query, or at least based on group membership (like Movi users).
Our security teams will not allow the AD policies to be changed.
There is, according to Cisco TAC, a SIP authentication retry limit that can be set in Movi.
We are awaiting instruction from TAC on how to set this.
They are running tests in their lab.
On the VCS control you can set the SIP Authentication retry limit using the below command
xConfiguration SIP Authentication Retry Limit:
Default is set to 3
We have changed the limit on our VCS to 1 but this has made no difference.
Users accounts are still getting locked out after they enter the incorrect password once in Jabber.
It seems the Jabber application itself is retrying multiple times.
We are awaiting further feedback from TAC.
Thank you very much for keeping us updated. Let us know if you get this resolved and how please.
I just tested this scenario in my lab with the setup below.
Jabber version 4.4.
With a wrong username and password I see only one request going to the domain controller, and the domain controller replies with LOGON_FAILURE.
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,679" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication request" client id="105" username="alok" domain="" workstation=""
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,681" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication failure" client id="105" username="alok" domain="" workstation="" result="0" reason code="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,681" Module="developer.winbindservice" Level="INFO" CodeLocation="ppcmains/winbindservice/WinbindService.cpp(288)" Method="std::string&, const std::string&, const std::string&, const std::string&, const std::string&, bool, std::string&, bool, std::string&, winbindService_reasonCode_t&, uint32_t&, std::string&, uint32_t)" Thread="0x7fe5bce41700": Result="0" ReasonCode="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" NTReasonString="Logon failure" Username="alok" Domain="" Workgroup="" Detail="Domain controller did not authenticate user."
I also collected the SIP logs on my Jabber Video on Windows 7 SP1, and I see only one of the SUBSCRIBE and 407 Proxy Authentication messages.
So I do not see 3 repeated requests for a failed attempt, neither on Jabber nor on the VCS Control.
What is your scenario?
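The disagreement in this thread is over how many AD challenges one client sign-in actually generates. The netlogon DEBUG lines above carry enough to settle that per deployment: every challenge appears as an "rpc authentication request"/"rpc authentication failure" pair with a client id and username. The following script is an added example, not code from the thread or from Cisco; it parses that log format, counts failures per client id and username, and flags any username whose failures inside the AD observation window reach the lockout threshold (3 failures, as quoted earlier in the thread). The sample log is constructed for the example: the first two lines mirror the real format shown above, and the user "jdoe" with client id 212 is hypothetical, simulating the three-retry behaviour the other poster reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the VCS "network.rpcnetlogon" DEBUG lines shown in the post above.
# Both the request and the failure line carry client id and username.
LOG_RE = re.compile(
    r'UTCTime="(?P<utc>[^"]+)"\s+Module="network\.rpcnetlogon".*?'
    r'netlogon="rpc authentication (?P<event>request|failure)"\s+'
    r'client id="(?P<client>\d+)"\s+username="(?P<user>[^"]*)"'
)

# Constructed sample log. Lines 1-2 follow the real format from the post;
# the "jdoe"/client 212 lines are hypothetical and model one sign-in that
# produces three back-to-back challenges against the domain controller.
SAMPLE_LOG = """
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,679" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication request" client id="105" username="alok" domain="" workstation=""
Apr 17 23:42:32 vcsc1 tvcs: UTCTime="2012-04-17 18:12:32,681" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication failure" client id="105" username="alok" domain="" workstation="" result="0" reason code="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 17 23:50:01 vcsc1 tvcs: UTCTime="2012-04-17 18:20:01,100" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication request" client id="212" username="jdoe" domain="" workstation=""
Apr 17 23:50:01 vcsc1 tvcs: UTCTime="2012-04-17 18:20:01,104" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication failure" client id="212" username="jdoe" domain="" workstation="" result="0" reason code="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 17 23:50:02 vcsc1 tvcs: UTCTime="2012-04-17 18:20:02,210" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication request" client id="212" username="jdoe" domain="" workstation=""
Apr 17 23:50:02 vcsc1 tvcs: UTCTime="2012-04-17 18:20:02,214" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication failure" client id="212" username="jdoe" domain="" workstation="" result="0" reason code="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" reason string="Logon failure"
Apr 17 23:50:03 vcsc1 tvcs: UTCTime="2012-04-17 18:20:03,320" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication request" client id="212" username="jdoe" domain="" workstation=""
Apr 17 23:50:03 vcsc1 tvcs: UTCTime="2012-04-17 18:20:03,324" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication failure" client id="212" username="jdoe" domain="" workstation="" result="0" reason code="0x4 - NT supplied reason code" NTreasonCode="0xc000006d" reason string="Logon failure"
""".strip().splitlines()


def parse_netlogon(lines):
    """Yield (timestamp, event, client_id, username) for each rpcnetlogon line."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # winbindservice and other modules are ignored
        ts = datetime.strptime(m.group("utc"), "%Y-%m-%d %H:%M:%S,%f")
        yield ts, m.group("event"), m.group("client"), m.group("user")


def failures_per_signin(lines):
    """Count 'rpc authentication failure' events per (client id, username).

    One client id is one registration attempt from one endpoint, so a count
    above 1 here means the client re-challenged AD with the same bad password.
    """
    counts = defaultdict(int)
    for _, event, client, user in parse_netlogon(lines):
        if event == "failure":
            counts[(client, user)] += 1
    return dict(counts)


def lockout_candidates(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {username: max failures seen inside `window`} for users that
    reach `threshold`, i.e. would trip an AD lockout policy of that size."""
    by_user = defaultdict(list)
    for ts, event, _, user in parse_netlogon(lines):
        if event == "failure":
            by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        # sliding window over sorted failure timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged


if __name__ == "__main__":
    for (client, user), n in sorted(failures_per_signin(SAMPLE_LOG).items()):
        print(f"client {client} user {user}: {n} failed challenge(s)")
    print("would hit a 3-failure lockout:", lockout_candidates(SAMPLE_LOG))
```

Run it against a VCS diagnostics log taken at Network log level DEBUG (as suggested earlier in the thread) after exactly one deliberate bad-password sign-in; the per-client count tells you directly whether the endpoint or the VCS is multiplying the attempt, independent of whatever the SIP retry limit is set to.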
We are having the exact same issue here. I have not yet upgraded to later versions of Jabber but interested to hear if 4.4 fixes the issue.
Jabber 4.4 did not fix the issue.
We are trying a new release now, still trying to resolve this.
We are also waiting for feedback from the Jabber R&D team.