Cisco CallManager 3.3(2) spA and later versions have been modified to increase the level of security for the Windows NT services that comprise the system. Many of the services that ran as a local system in prior releases are run as local Windows NT user accounts and services.
These are the affected accounts:
By default, during installation an account is created without local logon access. The local NT password is set using a 128-bit encryption algorithm that creates a unique 15-character password for each account within the Cisco CallManager cluster.
By default, the passwords are generated using the publisher database name. In addition, they meet all four classes of the Microsoft complex password rules. These rules state that passwords must contain characters from at least three of these four classes:
Note: Due to the complexity of Cisco CallManager interoperability relationships, administrators and installers should not manually change any CallManager passwords or services.
If you decide to change these passwords, use these caveats with the Cisco provided AdminUtility.exe:
When you run this utility on the publisher, you receive this error message:
You can only execute this utility on the Publisher.
Complete these steps to resolve this issue:
All systems that constitute the Cisco CallManager cluster should be in a single identical workgroup and not a Windows NT or Active Directory domain.
AdminUtility.exe is unable to successfully synchronize Cisco CallManager passwords and services in a mixed workgroup and domain environment. If this occurs, configure the subscriber into the same workgroup as the publisher and re-run the utility.
Local security account policies for these accounts cannot enforce password history, maximum password age, minimum password age and account lockout.
Note: Some of these caveats are not applicable to Cisco CallManager 4.0.
Starting with Cisco CallManager version 3.3(3), the passwords are generated using the private password phrase provided by the user during the publisher's installation. Remember this password phrase, as you will have to use the same phrase for any further subscriber installations.
If the phrase does not match, the subscriber installation fails. If the private password phrase is lost, run the AdminUtility procedure as described on the publisher so that a new password can be generated for the service accounts with a new private password phrase. The newly used password phrase can then be used during the subscriber installation. In Cisco CallManager 4.x, the Set Default Password option in AdminUtility is no longer available.
These are special instructions for the ICS platform:
The AdminUtility will not function in the ICS7700 platform because of the local security policy setting. On an ICS platform, the minimum password age and the enforce password history are both set to 2. This means that in an ICS platform, the password can be changed only after 2 days of age and the new password cannot be the same as the previous two old passwords.
For the AdminUtility to function properly on the ICS platform, the administrator has to reset this 2 policy setting to 0.
Complete these steps before you execute the AdminUtility on an ICS 7700 platform:
Note: The administrator decides whether the security policies are to have their original value after changing the passwords using the AdminUtility.
As with any installation or upgrade, execute the AdminUtility during off peak hours. This utility changes the affected local NT accounts, services and virtual directories. If all accounts on all systems within the cluster are changed, all call processing is terminated until the entire cluster is updated. Depending on the number of servers within the cluster and the call volume at the time this utility is executed, the update process can take several minutes per server.
Verify that the service account passwords are synchronized with the AdminUtility.
Complete these steps to resolve this issue:
Within the User Password field, input the local administrator password and click OK.
For SQLSVc password related issues, refer to these documents:
For more information, refer to these Cisco Technical Assistance Center (TAC) Case Collection cases:
What is the difference between the SQL SA account and the SQLSvc account and how do you change their passwords?
For more information, refer to these documents: