TCC_2

Core Issue

Cisco CallManager 3.3(2) spA and later versions have been modified to increase the level of security for the Windows NT services that comprise the system. Many of the services that ran as the local system account in prior releases now run under local Windows NT user accounts.

These are the affected accounts:

  • CCMServiceRW 
  • CCMService
  • CCMEML
  • CCMCDR
  • CCMUser
  • SQLSvc 
  • BackAdmin

By default, during installation an account is created without local logon access. The local NT password is set using a 128-bit encryption algorithm that creates a unique 15-character password for each account within the Cisco CallManager cluster.

By default, the passwords are generated using the publisher database name. In addition, they meet all four classes of the Microsoft complex password rules. These rules state that passwords must be at least six characters in length and contain characters from at least three of these four classes:

  • English lowercase letters

  • English uppercase letters

  • Westernized Arabic numerals

  • Non-alphanumeric (special characters)

Note: Due to the complexity of Cisco CallManager interoperability relationships, administrators and installers should not manually change any CallManager passwords or services.

If you decide to change these passwords, keep these caveats in mind when you use the Cisco-provided AdminUtility.exe:

  • If you need to add or replace a subscriber system after using the AdminUtility.exe to change passwords from defaults, reset the passwords for all accounts and services back to the ones generated by the default system. This needs to be done before attempting the installation, otherwise subscriber installation fails.

  • The local administrator account passwords must be identical for every Cisco CallManager system within the cluster.

  • Always log on with the local administrator account to run the AdminUtility.exe utility.

  • The AdminUtility.exe is located in the C:\Program Files\Cisco\Bin directory and must be run using the local administrator account on the publisher server. It cannot be successfully executed on subscriber servers.

When you run this utility on the publisher, you receive this error message:

You can only execute this utility on the Publisher.

Complete these steps to resolve this issue:

  1. Go to the Cisco CallManager Administration page.
     
  2. Select System > Server from the menu.
     
  3. Click the Publisher in the list on the left-hand side.

  4. Change the Publisher DNS/IP Address setting from IP Address to DNS name.

  5. Click Update.

  6. Re-run the AdminUtility.exe utility.

All systems that constitute the Cisco CallManager cluster should be in a single identical workgroup and not a Windows NT or Active Directory domain.

AdminUtility.exe is unable to successfully synchronize Cisco CallManager passwords and services in a mixed workgroup and domain environment. If this occurs, configure the subscriber into the same workgroup as the publisher and re-run the utility.

Local security account policies for these accounts cannot enforce password history, maximum password age, minimum password age and account lockout.

Note: Some of these caveats are not applicable to Cisco CallManager 4.0.

Starting with Cisco CallManager version 3.3(3), the passwords are generated using the private password phrase provided by the user during the publisher's installation. Remember this password phrase, as you will have to use the same phrase for any further subscriber installations.

If the phrase does not match, the subscriber installation fails. If the private password phrase is lost, run the AdminUtility procedure as described on the publisher so that a new password can be generated for the service accounts with a new private password phrase. The newly used password phrase can then be used during the subscriber installation. In Cisco CallManager 4.x, the Set Default Password option in AdminUtility is no longer available.

These are special instructions for the ICS platform:

The AdminUtility will not function on the ICS 7700 platform because of the local security policy setting. On an ICS platform, the minimum password age and the enforce password history settings are both set to 2. This means that on an ICS platform, a password can be changed only after it is 2 days old, and the new password cannot be the same as either of the previous two passwords.

For the AdminUtility to function properly on the ICS platform, the administrator has to reset both of these policy settings from 2 to 0.

Complete these steps before you execute the AdminUtility on an ICS 7700 platform:

  1. Click Start, select Program Files, select Administrative Tools and click Local Security Policies.

  2. In the console tree, double-click Account Policies and then double-click Password Policy.

  3. In the detail pane, double-click the Enforce password history configuration setting.

  4. In the Enforce password history pop-up, change the passwords remembered value to 0 and click OK.

  5. Repeat steps 3 and 4 for the Minimum password age setting, changing the password can be changed after value to 0 days.

Note: The administrator decides whether to restore the security policies to their original values after the passwords are changed with the AdminUtility.
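
A read-only check for the ICS policy described above, added here as an example and not Cisco-supplied code: it parses saved `net accounts` output and reports the two settings that must be 0 before AdminUtility runs, together with the matching `net accounts` switches. The sample output is constructed and assumes the English-language label text; the function names are hypothetical.

```python
import re

# Constructed sample: `net accounts` output in the English-language layout,
# using the ICS 7700 values from this article (both settings at 2).
SAMPLE_ICS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          2
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                2
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

# Settings that must be 0 before AdminUtility runs, with their net accounts switch.
BLOCKERS = {
    "Minimum password age (days)": "/minpwage",
    "Length of password history maintained": "/uniquepw",
}
DISABLED = {"none", "never", "unlimited"}  # how Windows prints a setting that is off


def parse_net_accounts(text):
    """Return {label: int}; settings printed as off become 0, text values are skipped."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S+)\s*$", line)
        if m and m.group(2).lower() in DISABLED:
            policy[m.group(1).strip()] = 0
        elif m and m.group(2).isdigit():
            policy[m.group(1).strip()] = int(m.group(2))
    return policy


def adminutility_blockers(text):
    """Return (findings, command): what blocks AdminUtility and the switches that clear it."""
    policy = parse_net_accounts(text)
    findings, switches = [], []
    for label, switch in BLOCKERS.items():
        value = policy.get(label)
        if value is None:
            findings.append(f"{label}: not found in output")
        elif value != 0:
            findings.append(f"{label}: {value} (must be 0)")
            switches.append(f"{switch}:0")
    return findings, ("net accounts " + " ".join(switches) if switches else None)
```

Keep the saved output from before the change: it records the original values in case the administrator chooses to restore them afterwards.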

       

Resolution

As with any installation or upgrade, execute the AdminUtility during off-peak hours. This utility changes the affected local NT accounts, services and virtual directories. If all accounts on all systems within the cluster are changed, all call processing is terminated until the entire cluster is updated. Depending on the number of servers within the cluster and the call volume at the time this utility is executed, the update process can take several minutes per server.

Verify that the service account passwords are synchronized with the AdminUtility.

Complete these steps to resolve this issue:

  1. Log on as the local administrator on the publisher.
     
  2. Using Explorer, browse to C:\Program Files\Cisco\Bin and launch the AdminUtility.exe.
     
  3. Within the User Password field, input the local administrator password and click OK.

       
  4. Select the checkbox at the top of the tree that correlates to the Domain Name System (DNS) of the publisher.
     
  5. Select Options from the menu and Set New Password.
     
  6. Input the 1 to 15 character alphanumeric password phrase to be used for the generation of complex passwords for each local account and service.
     
  7. Re-enter the string within the next field for verification and click OK.
     
  8. Highlight all systems within the cluster and click Update Server Password.

    A warning message is received that states this process takes down all the systems within the cluster and could take a significant amount of time. Click OK.
     
  9. When completed, you are able to see that the update was successful for each system. When all systems within the cluster have successfully updated, click Exit.
     
  10. Close the AdminUtility window.

For SQLSvc password-related issues, refer to these documents:

For more information, refer to these Cisco Technical Assistance Center (TAC) Case Collection cases:

What is the difference between the SQL SA account and the SQLSvc account and how do you change their passwords?

For more information, refer to these documents:
