HI,

As per my knowledge, you can perform password changes directly in the Active Directory and when you perform sync with CUCM it gets synchronized.

I am not aware of changing\updating the passwords in CUCM manually, for the AD users.

Thanks,

Anand

I am not aware of changing\updating the passwords in CUCM manually, for the AD users.

Me neather, and has nothing to do with this thread.

Hi,

     Let me go back to the original question I posed.  Is what you are trying to accomplish allowing a user to change thier AD password through the IPPA or CUCM system, OR is it that you want users to edit thier own services to put in their current AD passwords.  This makes a big difference.  There is no way to actually have CUCM change the password of a user in AD that I am aware of.  However, if you just want to allow the end users to edit the service parameters for the IPPA system to put in their current AD password so they can hit one button and login, that may be doable and I could likely get that working.

     Please clarify which you want to see happen so that the efforts are correctly focused.  Thank you and I look forward to hearing from  you.

--

Sincerely,

Robert W. Rogier

TAC - UCC

Cisco Systems, Inc - Research Triangle Park, NC

To answer your question again,

NO, not tyring to allowing a user to change thier AD password.

YES, edit thier own services to put in their current AD passwords.

Ok, I understand exactly what you want to do.  The simple answer is yes this is possible.  I have mocked this up in my lab and given a user a SSO for IPPA to UCCX.  It has the standard 3 parameters, ID, Ext, and Pwd.  When I login to CCMUser page using a non-admin account, I can select my device, see the options and edit them. I would send a screenshot, but it's too small to even read.  However, let me ask this.  When your users login, do they see each of the parameter boxes as editable boxes?  If this is true, then do the users have "Save, Delete, Device, Line Settings,  . . ." at the bottom of their screen?  And if all of this is true, what happens when a user updates their password here and clicks save.  Do you get an error, does it look to update but the password still fails, etc.  Once that is understood we can make some better suggestions.   What Walter stated above should be true and work so if you're not getting this result, there's either a missing setting in CUCM, or a permissions issue, etc.  Thank you and I hope you have a good weekend.

--

Sincerely,

Robert W. Rogier

TAC - UCC

Cisco Systems, Inc - Research Triangle Park, NC

Yes the user sees each of the parameter boxes as editable. Users have "Save, Delete, Device, Line Settings" at the bottom of their screen. When a user updates them and clicks save it appears to update fine, shortly after the phone resets, however the password still fails.

Additionally if a user updates a field, then an admin later views the field it will be the updated value the user entered. However the phone is not using this new value.

     Vased on what you have said, it sounds like there is a bug somewhere in this mix.  If you can see that the user typed in a value and hit save.  You can open the service parameters for that phone and see the updated value but don't see that the phone is passing that value to the server as a login value, then there's an issue.

     I just recreated this in my UCCX lab and found it really doesn't make a difference what I put in the password field, it will always login.  I'm running UCCX 8.5 and it's an older release of 8.5 since I generally support the UCCE product, but there definately seems to be a bug with the IPPA process.  I think the best option at this point is for you to use the data in this thread to open a service request.  I'll ask around to see what others here see, but I would not have expected to be able to login without any password at all.

I've never experienced CCX allowing login without a valid password, that actually would solve my problem.

I would like to take a moment here to reset some things.  As this is not a formal TAC case I have skipped a couple of steps that would normally be in my first e-mail to you as a customer and for that I apologize.  Below, I have written out what I believe your current solution you wish to implement as well as a description of your current setup.  Finally I have ended this section with a list of the problem statements I see so far.  If we aren't on the same page, please  forgive me and make corrections where necessary.

Current  description of your environment and question: You have CUCM cluster  which is LDAP integrated to a Microsoft Active Directory (AD) for both  User sync and for User Authentication.  As demonstrated by the users  being able to login to the CCMUser page, you are successfully integrated  and there are no known issues here.  You have a UCCX system (have not  yet established whether simplex or HA) which is integrated to this CUCM  cluster.  Resources are properly configured and can login using CAD with  their AD username and password.  You would like to deploy IPPA to your  users to eliminate the need for CAD in certain or all cases (the scope  really makes no difference, just that you are wanting to deploy IPPA.)   With the IPPA deployment, you would like to use the "One Button Login" or  SSO configuration by creating the appropriate service(s) on the CUCM  server.  Finally, you require the ability of your users to update thier  own IPPA SSO passwords to both eliminate the administrative overhead and  maintain security of the passwords.  From this you have the following  issues:

Problem 1.) Users cannot login to IPPA using the SSO defined service at all.

Problem 2.) Users may not be able to login to the CCMUser page at all. 

Problem 3.) Users cannot update their own passwords through  CCMUser. (I believe this would be resolved if Problem 2 is resolved).

Based on the above, I have come up with several tests I would like you to try and reply with the results.

Test1.)  Please try putting the exact URL for the IPPA SSO service defined in your CUCM into the URL of your browser.  You should get something similar to the following:

Test 2.)  Please create two phone services with the following URL:

          Service 1 -- IPPA N1:  http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

          Service 2 -- IPPA N2:  http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

  These are the non-SSO version of IPPA but should prove that your phone can login to IPPA.  In addition, you will note that I have changed the hostname to or .  Replace this section with just the IP of the UCCX servers, not the name.  This will come into play in test 3.

Test 3.) Earlier, you have stated in your URL that you used "contactcenter".  From this, I'm not sure if you used the name of the UCCX server or the IP.  If you used the name, please change the service to be the IP of the server(s).  The reason for this is that very few people configure DNS resolvers in their VoIP Subnet (hey why would a phone ever use those...) and then those who do configure the DNS resolvers either forget to add all the necessary static entries (UCCX servers are DDNS compatible last I checked) so that the phones cannot ever resolve the name provided.

Test 4.) Another thought that came to mind is to check your telecaster user setup.  The details for this are in the CAD guides.  Ensure that your CUCM has a telecaster user create (this will likely have to be added to AD for it to sync).  Next, if your AD does not allow the default password of "telecaster", set an appropriate password and then update the UCCX server in the Cisco Desktop Administrator section.  Select the option "CAD Configuration Setup" and scroll down to the section shown below (and truncated for space):

This whole process is laid out in the CAD setup guides and ensure that telecaster is functional.  Telecaster itself does need certain rights which are laid out in the documentation as well.

Finally, as requested earlier here is the relevant section of the configuration of my AD integrated IPPA agent in my lab:

I apologize for the length of this post but wanted to try to cover as much of the issues laid out and how to resolve most of them.  If you still have remaining issues, you know where to find me.  Thank you for choosing Cisco Systems and I hope you have a good evening.

--

Sincerely,

Robert W. Rogier

TAC - UCC

Cisco Systems, Inc - Research Triangle Park, NC

Please read thread before posting. To quote myself in ealier posts,

"As a test I assigned a user to all roles and found it still doesn't work."

"...clicks save it appears to update fine, shortly after the phone resets, however the password still fails."

I have been working on solving the same issue,but I dont see a solution here. In TACs' notes above about Non-SSO for IPPA and the urls :

http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

          Service 2 -- IPPA N2: http://:6293/ipphone/jsp/sciphonexml/IPAgentInitial.jsp.

  These are the non-SSO version of IPPA but should prove that your phone can login to IPPA.

This is my url in the IPPA service in cucm (8.5), im not sure the difference?

http://:6293/ipphone/jsp/sciphonexml/IPAgentLogin.jsp

Did you get this working Scheived?

I haven't had time to troubleshoot further. For me the solution was to have the user initiate a remote desktop session with an admin, who uses their workstation to log in to the cucm administration page and has the user type in their AD password to the appropriate field.

The ccmuser page works correctly now in CUCM version 9.1