Problem Description:
Cisco Communication Manager version 12.5.1.15900-66 (post upgrade)
Cisco Communication Manager version 11.5.1.21900-40 (pre upgrade)
Not able to login using DNS SRV record/alias URL (https://ipt.example.net/), after CUCM upgrade from version 11.5 to 12.5 SU5. The FQDN directs the webpage to CM login, but fails to login successfully and gives the following error:
Access to the requested resource has been denied.
The attempted action was a violation of security protocols and will not be allowed. Please try another action.
Workaround:
With CUCM version 12.5 SU5, it will now validate the IP address or hostname present in the Host header with the servers configured in the Unified CM cluster first before allowing access to Unified CM. We must also configure the DNS alias used to access the Unified CM under the Trusted List of Hosts configuration.
For example, if your server is, cucm.example.net and you use ipt.example.net to access the server, you must add ipt.example.net to the Trusted List of Hosts configuration. ANY address or hostname/DNS alias/SAN used to access the CUCM's GUI must be added to this configuration if it is different from the IP address or machine name assigned to the server.
This is documented in the Bug CSCwa20316
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa20316
The DNS alias being used to access the CUCM GUI will need to be configured under System > Enterprise Parameters > Trusted List of Hosts in HTTP Referer/Host Header, and then restart the Cisco Tomcat service.
