As Execute authentication requires a Global User with device association, I know that one way to allow an app to Execute to any/every device would be to have it do authentication as a Global User that is associated with every device. However, in environments where the devices number 3000+, doing this can take a long while (and CM appears to lack the resources to do this number of associations in one 'update', anyway). Either way, the maintenance of such a user's associations is the part that gives me overhead-ache just thinking about it.
I know you could also hack c:\CiscoWebs\IPPhoneServices\CCMCIP\authenticate.asp to respond affirm regardless of authenticator, but as this wouldn't work for 7920s (and surely is not Cisco-supported, anyway), I was wondering:
Any good suggestions to globally authenticate an app to any/all devices during an Execute? Is a redirect-authenticate and proxy like PushAuthenticate the best answer?
yes, you need an authentication proxy. create a web service that mirrors the function of authenticate.asp, and set its URL as the default authentication URL in enterprise parameters. now, when you build applications that require phones to authenticate you can use the authentication proxy instead of the callmanager.
the trick is to build an authentication proxy that also works with other applications that still need callmanager authentication. a good way to do this is to have your applications communicate with the authentication proxy before the phones authenticate. that way, the proxy knows phones are about to authenticate, and can provide the appropriate response. then, if a phone tries to authenticate for an unknown application, the proxy simply passes on the authentication request to the call manager.
there's a trick here: a simple http redirect would be great *except* it doesn't work with all loads of all phones. 7960/7940s have always been fine, but i've had problems with earlier loads on 7912s. don't know if this problem has been fixed yet.
I suppose the proxy itself could make an HTTP request to the normal CallManager auth url, spoof the name=SEP bit, and return the response to the device making the request, so that you don't have to rely on redirect.
What you describe is only applicable for Extension Mobility. I'm pretty sure this user's issue is that they are using the Cisco IP Phone XML 'Execute' command and don't want to have to associate some sort of global user to every phone in the system.
I like the sound of it, but my testing results agree with XmlEquals' assertion.
I used the user that I've been Executing with (who's also associated with a handful of devices - and execution to them is fine). I set the Enable Authentication Proxy Rights as you've described, but the Execute still returns "Protected Object" for un-associated devices. I've tried resetting the device(s).
I am trying to push to more than 1000 phones, and found CCM authentication to be unreliable. So, I have decided to write my own authentication and use it as proxy - that is for my application use this authentication, and for all other applications, use CCM authentication.
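The pre-registration design described in the replies above, sketched as an added example that is not part of the thread and is not Cisco code: the pushing application announces each push to the proxy, the proxy accepts only that one device, user and secret within a short window, and everything else is forwarded to CallManager. The class and method names, the three response strings and the `upstream` callable that stands in for the HTTP request to the stock authenticate page are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

# Assumed response strings; match whatever the stock authenticate page returns.
AUTHORIZED, UNAUTHORIZED, ERROR = "AUTHORIZED", "UNAUTHORIZED", "ERROR"


class AuthProxy:
    """Decision logic only; the HTTP front end is left out (hypothetical class)."""

    def __init__(self, upstream, ttl=10.0, clock=time.monotonic):
        self.upstream = upstream  # callable(user, password, device) -> str
        self.ttl = ttl            # seconds a phone has to call back
        self.clock = clock
        self.pending = {}         # (device, user) -> (sha256 of secret, expiry)

    def announce_push(self, device, user):
        """Called by the pushing app just before it sends Execute to `device`."""
        secret = secrets.token_urlsafe(24)  # per-push password, never reused
        digest = hashlib.sha256(secret.encode()).digest()
        self.pending[(device, user)] = (digest, self.clock() + self.ttl)
        return secret  # the app sends this as the password in its push

    def authenticate(self, user, password, device):
        """Answer the authentication request a phone makes after a push."""
        entry = self.pending.pop((device, user), None)  # single use
        if entry is not None:
            digest, expiry = entry
            offered = hashlib.sha256(password.encode()).digest()
            if self.clock() <= expiry and hmac.compare_digest(digest, offered):
                return AUTHORIZED
            return UNAUTHORIZED  # stale or wrong secret: never fall through
        try:
            # Unknown application: let CallManager decide, as before.
            return self.upstream(user, password, device)
        except Exception:
            return ERROR  # fail closed if CallManager cannot be reached
```

Binding each entry to one device name, one use and a short lifetime keeps the proxy from becoming a standing "always authorized" answer, which is the weakness of patching authenticate.asp to approve everything.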