Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2190
Views
5
Helpful
5
Replies

Cisco UCCE Unable to access Diagnostic Portico 403 forbitten error

DJ Kulkarni
Level 1
Level 1

ā€Ž04-06-2016 02:44 PM - edited ā€Ž03-14-2019 03:56 PM

Hi,

I am getting 403 forbitten error 

This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage.

When I check the logs I see 

5323: PM-PN-CC01: Apr 06 2016 10:42:18.256 -05:00: %.ctor-INFO-[5581059] ***** NEW REQUEST RECEIVED ***** Request URI: https://localhost:7890/icm-dp/rest/DiagnosticPortal/GetMenu
5324: PM-PN-CC01: Apr 06 2016 10:42:18.257 -05:00: %IsUserAuthorized-WARN-[5581059] Local user 'xxxx\xxxx' authorization failed
5325: PM-PN-CC01: Apr 06 2016 10:42:18.496 -05:00: %.ctor-INFO-[8056294] ***** NEW REQUEST RECEIVED ***** Request URI: https://localhost:7890/icm-dp/rest/DiagnosticPortal/ListProcesses?Random=1459957338507

Just dont know which all access right would be needed as I can use same user account and access the other servers diagnostic portico

Kindly let me know

Regards,

DJ

Labels:
0 Helpful
5 Replies 5

Chintan Gajjar
Level 8
Level 8

ā€Ž04-07-2016 02:56 AM

What type of user are you using to login to portico, looking at the logs looks like its local user.

and by default local users are not authorised to use portico unless you add them to the security group on local machine called ICMDiagnosticframeworkusers.

there might be chances that on other servers the local users are added to the above group but not on this server.

tony.salvador
Level 1
Level 1
In response to Chintan Gajjar

ā€Ž05-17-2017 12:20 PM

Adding a user to this group doesn't make a difference.   I'm guessing there is some parent object that controls this but I don't know which one.

0 Helpful

Ayodeji Okanlawon
VIP Alumni
VIP Alumni
In response to tony.salvador

ā€Ž05-18-2017 07:43 AM

Have you tried login in using a domain user? not the local user on the machine itself. You can use one of the domain admin accounts used to configure icm components

Please rate all useful posts
0 Helpful

geoff
Level 10
Level 10
In response to Ayodeji Okanlawon

ā€Ž05-20-2017 04:44 PM

Exactly. A domain user in the Local Admin group on the box can always run the Portico. I am unsure if there are any other ways: (a) if the domain user is a member of Config under the Cisco_ICM OU, is that sufficient to run the Portico? (b) if the domain user is a member of Setup under the Cisco_ICM OU (and not a Local Admin), is that sufficient to run the Portico? I doubt that either of these are sufficient.

I have never really investigated and rely on being a Local Admin.

The Portico is a nice remote tool to use to look across your ICM boxes to tell you if something is wrong - and you probably then need to go in and fix it, so you would need to have Local Admin to do that (restart a service etc). 

Regards,
Geoff

0 Helpful

Chintan Gajjar
Level 8
Level 8
In response to tony.salvador

ā€Ž05-18-2017 09:31 AM

The local user having member of the ICMDiagnosticframeworkusers works just fine for me.

But i am running PCCE 9.0 in my lab and security may have enhanced in future versions.

You can check log for more detail.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents