Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CUPC DeskPhone Invalid Credentials

I have an end users that when he tries to set his deskphone for audio get the error notifications

     Device Error. Invalid credentials [801]

The user is able to login to CCMUser on the CM and CUPS without an issue.  We are using LDAP Authentication and have changed the port to use 3268 and restarted CTIManager.  The wireshark  capture shows

     7.1.5.30000-1.Directory login failed - credential has been locked due to no activity

Since we are using LDAP authentication there is no option to unlock credential on the CM and the user is not locked in AD.  Any suggestions?

25 REPLIES
Cisco Employee

Re: CUPC DeskPhone Invalid Credentials

Usually the invalid credentials for CUPC deskphone control is due to missing digest credentials on on call manager's end user configuration page.  Even if you see ******* in the field set it to anything you want, it's all used behind the scenes between servers, save it, exit CUPC and log back in.  Let me know if that fixes it for you.  Also if you change the port to the global catalog like you have try restarting the Sync Agent on CUPS to make sure the change is pulled over too.

New Member

Re: CUPC DeskPhone Invalid Credentials

Still no go,  I did restart the Sync Agent on CUPS after changing the LDAP port.  I aslo re-entered a digest credential for the user, it already did have ****** but I put in a new string and then restarted the Sync Agent Service but the user is still getting Invalid Credentials and Wireshark capture shows "credential has been locked due to no activity" when trying to use a deskphone.  The user has no issue using the CSF softphone.  I have loaded the latest CUPC v8 client but still can't this this one user to be able to use his deskphone.

Cisco Employee

Re: CUPC DeskPhone Invalid Credentials

Does this end user happen to have "User Must Change at Next Login" set on their AD account?  Is this only happening for one user?

New Member

Re: CUPC DeskPhone Invalid Credentials

No he does not have the option checked under his AD account and this is only user that I'm aware of that is having this problem. We are just starting to deploy CUPC to our end users.

Cisco Employee

Re: CUPC DeskPhone Invalid Credentials

How's your database replication look on the call manager side?  You follow this to check, using the Cisco Unified Reporting Tool https://supportforums.cisco.com/docs/DOC-13672.

New Member

Re: CUPC DeskPhone Invalid Credentials

The CM Replication status is 2 on the Pub and the Subs, doesn't look like there is an issue on the db.

Red

Re: CUPC DeskPhone Invalid Credentials

1) This problem has nothing to do with Digest Credentials

Digest Credentials are used for SIP authentication only.  Desk Phone control has nothing to do with SIP.  It's CTI.

2) This problem has nothing do do with Database Replication.

The authentication is between CTIManager and LDAP.

3) This problem has nothing to do with "User Must Change Password On Next Longon".

If this had been enabled on LDAP, you won't be able to authenticate the CUCM/CUPC logon at all.  Since you could log onto CUPC, this is out of the picture.

Ok, then what was the problem?  It's the caveat on CTIManager when using LDAP authentication.  Many people said they had change the port to 3268 and restarted CTIManager.  However, what really happened was:

1) They change the port number on the wrong place.  It's should be at "CUCM > System > LDAP > LDAP Authentication" instead of "CUCM > System > LDAP > LDAP Directory".

or

2) The restarted the CTIManager on the wrong box.  Make sure you restarted the one CUPC was using for Desk Phone control.  If you are not sure which one, restart CTIManager on every box in the CM cluster.

Michael

http://htluo.blogspot.com

New Member

Re: CUPC DeskPhone Invalid Credentials

The LDAP port was changed in the correct location, actually we have it set to port 3268 in both locations.  I restarted CTIManager on our 3 CM and restarted the UP Sync Agent on the CUPS.  But this users is still failing with Invalid Credentials and Wireshark capture shows "credential has been locked due to no activity" when trying to use a deskphone.

Red

Re: CUPC DeskPhone Invalid Credentials

Where the packet capture was taken?  From the client PC or from the CUCM (CTIManager)?

We need the one who's taken from CUCM.  So we can see the response from LDAP regarding authentication.

Would you mind upload the packet capture here?

Thanks!

Michael

http://htluo.blogspot.com

New Member

Re: CUPC DeskPhone Invalid Credentials

Michael - ran a capture from both the client (10.86.80.58) and CUCM Subscriber (10.86.97.131) and attached the files.  I did not see any LDAP queries on the CUCM, should I have run the capture on the Publisher?  CUPC show that the failed credentials is coming from 10.86.97.131.

Red

Re: CUPC DeskPhone Invalid Credentials

Ya, I saw that at 14:23:14 CST.

It's very strange that you didn't capture any LDAP traffic on subscriber.  Could you get the CTIManager logs from subscriber around 14:13:14 CST, 11/8/2010?  -/+ 5 minutes should be good enough, assuming CTIManager trace was set to detailed level before.

Let me know the user ID.

Michael

New Member

Re: CUPC DeskPhone Invalid Credentials

Attached are the CTIManager logs from the Subscriber,  the user that is having problems is renaghanmg

Red

Re: CUPC DeskPhone Invalid Credentials

Per the logs, user renaghanmg was authenticating against local DB instead of LDAP.

You'd better check CUCM > User Management > Application Users.  See if there's a user 'renaghanmg' there.  If yes, please delete it.

Michael

http://htluo.blogspot.com

New Member

Re: CUPC DeskPhone Invalid Credentials

Checked all CMs and there is no Application User configured with the name "renaghanmg".

Is there a way to delete a single End User from the database when using LDAP Authentication and then have the End User be recreated automatically on the next sync cycle?   The LDAP Sync Status for this end user is showing Active on the CMs.

Red

Re: CUPC DeskPhone Invalid Credentials

Try to use the publisher CTIManager for desk phone control.  See if you got the same problem?

Michael

New Member

Re: CUPC DeskPhone Invalid Credentials

On CUPS, changed the CTI Gateway Profile to move the CM Publisher up as the Primary CTI Gateway Server and moved the CM Subscriber as the backup server.  Restarted the Sync Agent.  But still same problem, the capture is showing the ip address of the Publisher now but same error.

Red

Re: CUPC DeskPhone Invalid Credentials

Looks like something's wrong with this particular user in the CM database.

Try to run the following SQL query from the CM command line:

run sql select status from enduser where userid='renaghanmg'

Then run it against a good user:

run sql select status from enduser where userid='mooretm'

Michael

New Member

Re: CUPC DeskPhone Invalid Credentials

Ran the commands on the CM Publisher.  The 'mooretm' AD account is in all uppercase so when I ran it in lower case it did not give a status.  I ran another userid that I know works which is in all lower case in AD, all report Status=1.

admin:run sql select status from enduser where userid='renaghanmg'
status
======
1
admin:run sql select status from enduser where userid='mooretm'
status
======
admin:run sql select status from enduser where userid='MOORETM'
status
======
1
admin:run sql select status from enduser where userid='perryv'
status
======
1

Red

Re: CUPC DeskPhone Invalid Credentials

You may tried to disable LDAP, delete the problem user, then re-enable LDAP.

Or you may open a TAC case and quote the following messages from CTIManager SDI logs:

11/08/2010 14:46:39.603 CTI|userid is renaghanmg|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|CCMEncryption::DecryptText:enter|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|CCMEncryption::DecryptText (Exit) (Success))|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|AuthenticationImpl::login (Auth with password. Calling authenticateUserWithPassword)|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|authenticationDB::authenticateUserWithPassword():enter|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|Credential Length is: 32|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|authenticationConnector::getReadDSN:enter|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|authenticationConnector  ReadDSN is:DSN=ccm2;uid=dbims|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.603 CTI|authenticationConnector  WriteDSN is:DSN=ccm;uid=dbims|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.620 CTI|Setting Fields|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.620 CTI|userType is: 1|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|timeOfLockout is: 0|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|timeHackedLockout is: 0|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|hackCount is: 0|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|daysToExpiry is: -216|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|doesNotExpire is: 0|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|useExpiryWarning is: 1|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|isInactive is: 1|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|userMustChange is: 1|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>
11/08/2010 14:46:39.621 CTI|endUserStatus is: 1|<:STANDALONECLUSTER><:10.86.97.131><:ALL><:FFFF>

Michael

New Member

Re: CUPC DeskPhone Invalid Credentials

Michael - Thanks for your assistance.

I may try and disable LDAP over the weekend and if no success will open a TAC case.

New Member

Re: CUPC DeskPhone Invalid Credentials

I'm having the same problem with CUCILync with one of my users.  Did you ever find a solution?

New Member

Re: CUPC DeskPhone Invalid Credentials

We have more than 800 users running CUPC 8.0.3 here and we got a lot of this 801 error.

Very often it is due to complex password (containing accents or special characters). It is a known bug of the CTIManager of CUCM. CUCM 8.5 seems to fix this issue.

Another possible cause is a corruption of the local cache on the workstation. Deleting all files from user profile fixes the issue of failing call control.

Delete all Cisco folders in ApplicationData, LocalSettings/ApplicationData.

I hope that CUPC 8.5 will solve all these issues.

Yorick

New Member

Re: CUPC DeskPhone Invalid Credentials

Check the users password characters.  We had a user with an = sign that caused the deskphone to be grayed out.

Neck

New Member

Re: CUPC DeskPhone Invalid Credentials

Hi,

Did anyone find out what the problem was here?

I'm facing the same issue.

and I don't have any special characters in the password.

And it's not Microsoft AD, it's AD LDS - ADAM integration .

So I don't have global catalogue port. from what I understand it's a bug on CUCM.

Please let me know.

New Member

CUPC DeskPhone Invalid Credentials

Same situation with Jabber and LDS, have you solved an issue?

3779
Views
0
Helpful
25
Replies