Showing results for 
Search instead for 
Did you mean: 
Walkthrough Wednesdays

uccx single sign on, how to allow users to update their passwords?

I have users synced to an AD, and phones with a SSO services button set up so that users can log directly into uccx without needing to type in username/password. From the ccmusers page a user can see the parameters of this service url, however they can't update the password parameter.

In talking to TAC it was mentioned this was by design, Is there any way a user could update this field to their password themself?

Gajanan Pande

Not sure if I understood you right but are you trying to achieve SSO between CUCM & UCCX App for the users ? If yes, then as of now it's not tested & supported.

Please elaborate if I misunderstood your query & I'll be glad to assist.

If above information helps, pls rate the post.


This is using an IP phone service set up on cucm with the following url, http://contactcenter:6293/ipphone/jsp/sciphonexml/IPAgentLogin.jsp I then created 3 parameters as variables so as to use the service on multiple phones. I was under the impression this was a common uccx express integration.

What I'm looking for is a way for users to update the password parameter on this ip phone service somehow theirselves instead of using CM Administration.

Walter Solano
Rising star

I checked and the end users are able to change the password of the IPPA by using the ccmuser web page, address is http:///ccmuser. Login using the enduser credentials and then go to user options->Device then select phone services and select the service used to login and there you should be able to change the users password


Please rate this post if was helpful

Walter J. Solano

Right, it looks like they should be able to there. The issue is this does not actually update the password there. And in talking to TAC, it was explained that users can't update this. I'm wondering what others might be using this acheive this?


Looks like I found a workaround.. If a user updates the password for their uccx ip phone service via ccmuser it will not work initially, and system will indicate a bad password during login. However, if the admin brings up the users phone's Subscribed Cisco IP Phone Services details, makes no changes but saves the page, it then will allow the user to log.

Although a two step proccess at least this gives users a way to change their password without having a system admin key it in, although does require they indicate to the admin when they have.


The same thing happened to me and working with cisco tac, they said that this is normal behavior. Although I found a workaround, you must go into CUCM and create a new role with the following read-update permission:

Phone services web pages  - Check Read and Update

Go to "user management / user group" and then copy "Standard CCM End users" and create a duplicate called "with Phone Services' or something like that. Add the new role that you created that grants read-update privileges to the phone services web pages.

A little late getting back to this, I tried these steps but still couldn't get it to work for end users. Could you list all the Groups and Roles assigned to a working user?

Go to "user management / user group" and then copy "Standard CCM End users" and create a duplicate called "with Phone Services' or something like that. Add the new role that you created that grants read-update privileges to the phone services web pages. 

I created a role named "Cisco Call Manager Phone Services Self-Service" then added the resource;

Phone Services web pages      read  +   update  

I saved that, then went to "User management, User Group" then copied the standard CCM End users group, creating a new group called "Standard CCM End Users with Services". To this new group, I went under "related links" and selected "add role to user group" and added the role "Cisco call manager Phone services self-service". The other two roles assigned to this group are "Standard CCM End users" and "Standard CCMUSER Administration".

Your users should now have both "Standard CCM End Users" and "Standard CCM End Users with Services" but you really only need the latter. The interesting thing is all users automatically that had the original group had this new group immediately applied, prbably because I copied the original group.

Precisley what I did as well, just isn't working in my case. Might be the version, I'm using

As a test I assigned a user to all roles and found it still doesn't work.


I am a Cisco TAC engineer supporting the contact center platform. If I understand your question properly you have the following setup. Unified Communications Manager is tied to a Microsoft AD domain for users and authentication. You also have Contact Center Express that uses this CUCM for phones and users. You would like your users to use the ccmuser page from CUCM to change their AD password. If I have missed part of this scenario or not stated it correctly, please let me know. If this is what you wish to do then unfortunately, there is no way to do this. When CUCM is tied to AD for user authentication the only thing CUCM contains is the usernames from AD. The actual password is either grayed out or is ignored. When an authentication request comes to CUCM via the UCCX application (either through CAD or IPPA), the physical login takes place in AD. The password provided is hashed using the appropriate method and gets passed to the configured AD authentication server defined in CUCM. Due to this design it just isn't workable to allow the user to change their password .

There is an alternate method of configuring CUCM so that the desired affect is reached. Simply setup CUCM to import users only from the AD servers. This means you just won't configure an authentication lookup in CUCM. The passwords are now stored in CUCM independently of AD so the user can use the ccmuser page to make the changes. They can choose to use the same password on each system, but they are truly independent of each other.

Hopefully this helps you out. Please let me know if you have any additional questions or concerns,


Robert W. Rogier

Customer Service Engineer


Cisco Systems, Inc., Research Triangle Park, NC

Robert W. Rogier
Technical Consulting Engineer – Contact Center Enterprise
E2E Lead | Subject Matter Expert – ECE, CCMP, CCDM
Phone: +1 919 574 5993
Business Hours: 8AM to 5PM ET

No, not my senario at all. I would like to use the ccmuser page to update a "password" parameter on an IP phone service.  In this case the user has already updated their ad password through other means. Now they need to update this parameter to match so the agent can log in. 

There is nothing built in you can use to accomplish this. If you're savvy

you can write some custom code to update the service via AXL.

Tanner Ezell

Yes, there is something built in as Walter pointed out earlier. The point is that it doesn't work, and cisco isn't recognizing it as a problem. 

According to Cisco documentation here,

Under the section User Service Subscription, it states that users may "Enter any available service parameters"

So why are users unable to do so, and why is TAC telling us this is by design in conflict with the documentation?


Could you also please check the the Active Directory->Users->Account->Account options.

What are the settings here for these users , please see if you have enabled the password never expires option and also what about User cannot change password setting.

Although I am not sure but still worth to check.

Hope it helps.


Pls rate helpful posts !!

Content for Community-Ad

Spotlight Awards 2021