11-14-2019 06:32 AM
Hi all, hoping someone can point me in the right direction. I have a few accounts aside from the main appadmin user that need access to UCCX Admin GUI.
Local accounts on CUCM seem to work fine when added into the UCCX Admin Users. I'm trying LDAP accounts though and getting "Invalid User ID or Password". They can log into CUIC though with the same account.
Any ideas? Version 11.5
****I've also posted this in the IP Telephoney forum by mistake, if someone could remove that duplicate that would be great.****
Solved! Go to Solution.
11-14-2019 01:16 PM
11-14-2019 07:12 AM
Most likely, the users do not have permissions to UCCX Administration. Only admins and supervisors can login to the UCCX Administration webpage, however, supervisors have limited permissions compared to admins. Try this...
1. Login to the UCCX Administration webpage via https://uccx-fqdn/appadmin
2. Under Tools > User Management, select "Administrator Capability View"
3. Type the user's User ID into the search box and click 'Search'
NOTE: If the User ID displays under the 'Available Users' search window, then they do not have admin rights
4. Highlight the User ID and then, click on the left arrow to give them admin rights. That's assuming they need access to the UCCX Administration webpage
5. Ask them to login again
11-14-2019 07:46 AM
Sorry Mark I should have stated that I'd done that. They are listed in Admin users.
Also when they fail to log into CCX Admin, that number of failed attempts shows when they next log into CUCM.
11-14-2019 10:04 AM - edited 11-14-2019 10:06 AM
Since the LDAP authentication process seems to be working, I would focus my attention on the Admin permission.
Can you post some screenshots confirming what you've configured and tested? There really isn't any additional "trick" to get this to work.
Can you turn up the AXL logging to debug level and attempt the login?
This is what I see on my system when I login to UCCX with an LDAP account:
2019-11-14 12:02:16,736 INFO [http-bio-443-exec-85562] servletRouters.AXLAlpha - Executing api: doAuthenticateUser in axis 2019-11-14 12:02:16,736 DEBUG [http-bio-443-exec-85562] wrappers.RequestNamespaceWrapper - Inside Request Wrapper 2019-11-14 12:02:16,736 DEBUG [http-bio-443-exec-85562] servletRouters.AXLAlpha - AXL REQUEST : <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.0"><SOAP-ENV:Header/><SOAP-ENV:Body><ns:doAuthenticateUser><userid>AHolloway</userid><password>***********</password></ns:doAuthenticateUser></SOAP-ENV:Body></SOAP-ENV:Envelope> 2019-11-14 12:02:16,737 DEBUG [http-bio-443-exec-85562] servletRouters.AXLAlpha - Request processed by AXIS 2019-11-14 12:02:16,738 DEBUG [http-bio-443-exec-85562] axlapiservice.Handler - dbConnector Initialization in handler.java 2019-11-14 12:02:16,739 DEBUG [http-bio-443-exec-85562] axlapiservice.Axl - Connection given to current thread 2019-11-14 12:02:16,851 DEBUG [http-bio-443-exec-85562] axlapiservice.DoHandler - DoAuthenticateUser completed 2019-11-14 12:02:16,851 DEBUG [http-bio-443-exec-85562] axlapiservice.Axl - Connection closed and hashmap entry removed in AXL.java closing connection 2019-11-14 12:02:16,854 DEBUG [http-bio-443-exec-85562] servletRouters.AXLAlpha - <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns:doAuthenticateUserResponse xmlns:ns="http://www.cisco.com/AXL/API/10.0"><return><userAuthenticated>true</userAuthenticated><code>0</code><daysToExpiry>0</daysToExpiry></return></ns:doAuthenticateUserResponse></soapenv:Body></soapenv:Envelope> 2019-11-14 12:02:16,854 DEBUG [http-bio-443-exec-85562] servletRouters.AXLAlpha - Finished processing request
11-14-2019 11:03 AM
11-14-2019 11:25 AM
Did you try to remove, save and then, re-add the user's permissions to UCCX Administration?
11-14-2019 11:33 AM - edited 11-14-2019 11:34 AM
Oh I see, you pulled MADM logs off UCCX. I was pulling AXL logs off of CUCM.
But there is a line above where your logs start which would look like this:
6172671: Nov 14 13:29:25.420 CDT %MADM-LIB_AXL-7-UNK:[MADM_LIB_AXL_CMD_EXECUTOR-20-834-com.cisco.config.axl.CCMUserAuthenticationSOAPAdmin] ExecutionCmd: AXL-ExecutionCmd-6074.CCMUserAuthenticationSOAPAdmin: <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns:doAuthenticateUserResponse xmlns:ns="http://www.cisco.com/AXL/API/10.0"><return><userAuthenticated>false</userAuthenticated><code>1</code><daysToExpiry>0</daysToExpiry></return></ns:doAuthenticateUserResponse></soapenv:Body></soapenv:Envelope>
In that above example log line, I intentionally typed my password wrong.
11-14-2019 12:09 PM
Hi Anthony yes, a few lines above I see:
1402461: Nov 14 18:50:28.579 GMT %MADM-LIB_AXL-7-UNK:[MADM_LIB_AXL_CMD_EXECUTIOR-21-3134-com.cisco.config.axl.CCMUserAuthenticationSOAPAdmin] ExecutionCmd: AXL-ExecutionCmd-19250.CCMUserAuthenticationSOAPAdmin: <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns:doAuthenticateUserResponse xmlns:ns="http://www.cisco.com/AXL/API/10.0"><return><userAuthenticated>false</userAuthenticated><code>1</code><daysToExpiry>0</daysToExpiry></return></ns:doAuthenticateUserResponse></soapenv:Body></soapenv:Envelope>
Is this a credentials issue then? Wouldn't that effect CUCM as well though? I have tried removing/readding to the CCX Admin User group too.
11-14-2019 01:16 PM
11-14-2019 02:11 PM
Cisco docs say you cannot use a space character at the beginning or end of your User ID and Passwords cannot contain spaces. As noted by Anthony, there's a handful of extended ASCII characters not supported as well. What exactly? I don't recall. Also, each system or application might have a slightly different policy (i.e. character limitations or restrictions) for usernames and passwords... not to mention case sensitivity. Login to CUCM, UCCX and Cisco Finesse but change your User ID by using upper or lower case characters. I believe, Cisco Finesse is case sensitive whereas CUCM, UCCX and CUIC is not case sensitive.
Have you made any changes to the existing LDAP Directory and/or LDAP Authentication settings within CUCM? Do you have multiple LDAP Directories? If so, do they belong to the same Directory? Try this...
Convert the End User to a local account and delete the account from CUCM. Navigate to System > LDAP > LDAP Directory and click on "Perform Full Sync Now". This process might take a few minutes. After you reconfigure the user's profile, login to UCCX and reassign the admin role. What happens?
11-19-2019 02:18 AM
Just a quick update to say a big thanks, this has resovled the issue. I never realised CCX Admin was so fussy on password characters, especially when CUCM/CUC, even CUIC etc are fine with it.
This user in question had the £ and $ characters in his password. He changed pw to alphanumeric and logged in fine.
11-19-2019 06:43 AM
11-19-2019 07:52 AM
All of the special characters under the number keys should be okay, such as; ! @ # $ and so on. The problem was caused by the £ character. Cisco doesn't support most of these extended ASCII characters in the username and/or password.
11-19-2019 07:57 AM - edited 11-19-2019 07:58 AM
The £ is on the number 3 this side of the water :)
Thanks for the info though.
11-19-2019 08:10 AM
Ahh okay. Then it makes sense why $ wouldn't be supported. Good luck.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: