
Administrator associated with multiple accounts

pmccloud
Level 1

Whenever I log into the Unity web pages I get this message:
Your Windows Domain Account [domain\administrator] is associated with multiple Unity Subscribers.
There is one subscriber who is associated as the admin, and shouldn't be. Is there a way to change that Unity subscriber so it is associated with a different account?
Thanks

10 Replies

Not applicable

Is this Ex55 or 2K? Did you use GrantUnityAccess to assign an account to SA admin access rights by any chance?


Jeff Lindborg
Unity Technical Lead/Answer Monkey
Cisco Systems
lindborg@cisco.com
http://www.AnswerMonkey.net (new page for Unity support tools and scripts)

Not applicable

It is Exchange 2000. What I think happened is that a subscriber got set up by mistake with the admin account, but I am not sure.

Not applicable

Actually... poking around on this today while looking into the GUI tool I was talking about, I discovered that the updated version of GrantUnityAccess (the command line version) for 3.1(2) has the ability to do some of this.

If you run "GrantUnityAccess -L" it'll list all the subscriber/account associations. You can then use the "-d" option to delete associations you don't want.



Jeff Lindborg

I tried running the GrantUnityAccess -L and it comes back with 0 items in list.

Anyone have any ideas?

Not applicable

With Exchange 2000 the only way you could be getting presented with a "who are you" list when you access the SA is if you've used GrantUnityAccess to associate AD accounts with local accounts on the Unity box. With Exchange 55 it's also possible to do this by simply binding the same NT account to multiple Exchange accounts.

The GrantUnityAccess tool stuffs the SID of the account you pass to it into the SidHistory table we maintain locally. This SID is associated with a local subscriber account on the Unity server (i.e. Example Administrator or Installer). When you attempt to access the SA we first look up the token of the user that hit the web page and see if they're a subscriber. We then check their SID in the SidHistory table and see if there's an entry. If there's more than one match here, we present a list... which is likely what you're seeing.

This is done such that sites can have a single domain account that has SA access to multiple machines (i.e. central administration of multiple Unity servers) among other reasons. You shouldn't normally have a local subscriber account ALSO have an entry in the SidHistory table so the list presentation thing should not be the norm.

Unfortunately there's no easy way to go into the SidHistory table and pull out the row(s) you don't want to be in there since all you can see is a binary security descriptor and the ObjectID (GUID looking string) associating that with a local subscriber account. I'll look into making a graphical version of GrantUnityAccess that shows the alias/display names of the accounts and which local subscriber account they're associated with... it will let you add/edit/remove these associations as well. I'm heading out of town here, though, so I won't be able to look at it till next week sometime.


Jeff Lindborg

Anyone have any ideas?


Not applicable

Not sure what to tell you... unless something is afoot that isn't on this thread. With AD/Ex2K there is no way to have more than one AD SID map up to a subscriber without using GrantUnityAccess (Ex55 is a different story). If that is showing no associations then a 3rd party migration tool for moving from NT to AD or some such thing must be at play.

The lookup process here is very simple. When a user authenticates at IIS we get their SID (a unique identifier for their account in AD). We then look that SID up in our subscriber table. If a match is found, we should stop (there should never be more than one match since there can never be more than one AD account associated with that SID). If no match is found we proceed to the SID History table (the guy GrantUnityAccess updates). We search THAT table for a SID match. If one or more matches are found (multiples are possible here) then you are presented with a list.

The possibilities include: GrantUnityAccess is not kicking out the list properly with the "-L" option. Works OK on my test boxes but you never know. The SQL table subscribers are stored in somehow has a bogus entry in it that has the same SID pointing to two different subscribers... never seen this but I can't rule it out. Some bizarre AD corruption is possible, too, I suppose.

There are no known problems or configuration issues that I can just toss out for you here. Someone will need to get into your system and have a look around. Best I can suggest is to open a TAC case and get that process rolling.


Jeff Lindborg
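
The two-stage lookup described in the reply above, modelled as an added example (not Cisco's code and not part of the original post), together with an audit that flags the ambiguous mappings the thread is chasing. The table contents, SIDs, outcome labels and function names are constructed for illustration; the real tables store a binary security descriptor and an ObjectID rather than these readable values.

```python
from collections import defaultdict

# Constructed sample data standing in for the two tables the post describes.
SUBSCRIBERS = {  # SID -> subscriber alias (direct match in the subscriber table)
    "S-1-5-21-1000-1001": "jsmith",
}
SID_HISTORY = [  # (SID, local subscriber alias) rows, the table GrantUnityAccess updates
    ("S-1-5-21-1000-500", "Example Administrator"),
    ("S-1-5-21-1000-500", "Installer"),
    ("S-1-5-21-1000-1002", "Example Administrator"),
    ("S-1-5-21-1000-1001", "Installer"),  # shadowed: this SID is also a subscriber
]

def resolve_sa_login(sid, subscribers=SUBSCRIBERS, sid_history=SID_HISTORY):
    """Return (outcome, candidates) for an authenticated SID."""
    # Stage 1: look the SID up in the subscriber table and stop on a match.
    if sid in subscribers:
        return "subscriber", [subscribers[sid]]
    # Stage 2: search the SID history table; several rows may match.
    matches = [alias for row_sid, alias in sid_history if row_sid == sid]
    if not matches:
        # The thread does not describe this case; the label is an assumption.
        return "no_match", []
    # More than one match is what produces the "pick a subscriber" list.
    return ("choose" if len(matches) > 1 else "mapped"), matches

def audit_ambiguous_sids(subscribers=SUBSCRIBERS, sid_history=SID_HISTORY):
    """Flag SIDs with several history rows or present in both tables."""
    targets = defaultdict(set)
    for sid, alias in sid_history:
        targets[sid].add(alias)
    findings = {}
    for sid, aliases in targets.items():
        if sid in subscribers:
            findings[sid] = ("in both tables", sorted(aliases | {subscribers[sid]}))
        elif len(aliases) > 1:
            findings[sid] = ("multiple history rows", sorted(aliases))
    return findings

if __name__ == "__main__":
    for sid in ("S-1-5-21-1000-1001", "S-1-5-21-1000-500", "S-1-5-21-1000-1002"):
        print(sid, resolve_sa_login(sid))
    print(audit_ambiguous_sids())
```

The audit also reports the history row that stage 1 hides, which never shows up as a login prompt but still grants a mapping nobody is looking at.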

My mistake, it is actually Exchange 5.5. I am not sure why I said it was 2000.

Not applicable

Oh... well then you probably have multiple Exchange 5.5 mailbox accounts associated with the same NT account. There's no easy automated way I know of running all such instances down but for the account you're logging in as that's giving you a list to choose from you should be able to track that down. Find the two (or more) accounts in Exchange and make sure they're associated with different NT accounts. Once an Exchange account has been associated with an NT account you can't change it so it's not associated with ANY NT account, although you can create new Exchange accounts that are not associated with any NT account (this is how Example Administrator was set up in 2.x for instance).

You might be able to use the CSV header dump utility in Exchange to drop out all Exchange info and search for duplicates there but I've never done this for the NT account association so I can't say with authority if that's included as a dumpable field or not...

Jeff Lindborg