Jabber MRA only some users able to login

richard.priest
Level 1

Hi,

We have CUCM 10.5 with Expressway C and E set up and working normally for internal users. LDAP integration is configured and all users are imported, as is SSO.

SSO works perfectly for the Windows Jabber application.

However, I'm having issues with Jabber on mobile devices external to the organisation. Within our Org the IT dept are within their own OU. These users (i.e. myself and my immediate colleagues) can log in to Jabber externally without issue (not SSO, it's a manual login, but that's fine; I'm not worried about SSO for Android / Apple users).

However, every other user within our AD domain cannot log in to Jabber when external to our network. The users exist on CUCM and can log in normally when internal (either via the Windows Jabber app or via Android etc.). If I connect their mobile device to our corporate network, then they can log in (after being redirected to the ADFS login page first). Once disconnected from the corporate network, they're disconnected from Jabber.

I feel I've missed something pretty obvious, but I can't figure it out!

Any hints or pointers as to where to look would be appreciated!

2 Replies

richard.priest
Level 1
I should add that when the user enters their username (username @ domain), the Jabber client goes off and resolves the username fine and prompts for a password.

The Jabber app then reports back that the username / password is incorrect.

The Expressway event log and the Jabber log should show you where that's failing hopefully, though the Jabber log's messages may be referring to things past the Expressway so it could seem a touch confusing.

Initial sign-in and discovery versus subsequent sign in/authorization seems to be different as to one of them using the full user@domain JID to do a lookup, and the other just using the UID, against UDS, to try and locate the user. That lookup could be failing externally perhaps, and you'd see that in the Expressway log. That's all I can think of as a guess off the top of my head; I would start there. There are also some ways to break it with regard to specification of service domains in the configuration, wacky DNS, etc. SSO would also be required if there are child domains in the forest that you're dealing with - the LDAP auth mechanism doesn't support referral and will fail across domains like that.
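As an added troubleshooting example (not code from the thread or from Cisco), the script below checks the two DNS SRV records Jabber uses for service discovery: `_collab-edge._tls` for external (MRA) sign-in via Expressway-E and `_cisco-uds._tcp` for internal sign-in against UDS. It assumes `dig` is installed; the domain and record targets are placeholders.

```shell
#!/bin/sh
# Added example: check the SRV records behind Jabber service discovery.
# Assumes 'dig' is available; DOMAIN is whatever users type after the '@'.

# Parse 'dig +short SRV' output read from stdin. Each SRV answer looks like
# "priority weight port target." - print it cleaned up and return 1 when no
# SRV record was present (an empty answer or a stray CNAME line).
parse_srv() {
  found=1
  while read -r prio weight port target; do
    # skip blank lines and anything whose first three fields aren't numeric
    case "$prio$weight$port" in *[!0-9]*|'') continue ;; esac
    [ -n "$target" ] || continue
    printf '%s %s %s %s\n' "$prio" "$weight" "$port" "${target%.}"
    found=0
  done
  return "$found"
}

# Query one record name and summarise what it resolves to.
check_record() {
  rec="$1"; label="$2"
  if recs=$(dig +short SRV "$rec" 2>/dev/null | parse_srv); then
    printf '%s: %s resolves to:\n%s\n' "$label" "$rec" "$recs"
  else
    printf '%s: %s has no SRV record\n' "$label" "$rec"
  fi
}

# Outside the corporate network Jabber looks for the Expressway-E edge
# record; inside it looks for UDS (CUCM) directly. Run this from both
# vantage points, since split DNS usually serves different answers.
jabber_discovery_check() {
  domain="$1"
  check_record "_collab-edge._tls.$domain" "external (MRA)"
  check_record "_cisco-uds._tcp.$domain" "internal (UDS)"
}

# Usage: jabber_discovery_check example.com   (placeholder service domain)
```

Since some users here do sign in externally, the records are probably fine, but this confirms the DNS possibility the reply raises before digging through the Expressway log.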
