Good time of the day!
We have a CUCM 8.6 integrated with AD 2008 - it pulls users from AD. Some of the users in AD have a specific list of computers they can log on to, others can log on everywhere. I'm trying to configure LDAP authentication so that users could log on to CUCM using their Windows credentials. No problems with users who can log on everywhere, but other users who have a list of PCs they can log on to obviously can't log on to CUCM. Here's the question: is there a way to permit everyone to log on to CUCM without specifying CUCM in a list of PCs for each user? Of course this is an AD 2008 question, but I hope someone did something like this before.
AD permissions have nothing to do with CUCM permissions. If a user is in a container specified under LDAP integration and authentication and is assigned to a CUCM User Group giving them access to CUCM, either the admin or the user pages, that is what drives it.
CUCM is really unaware of such configurations; you never use the CUCM server to log in to and administer the server unless you need to do some specific task via the CLI. When CUCM syncs with LDAP it doesn't pull that info, as it's not relevant.
You define who can access CUCM via the roles and user groups once the users are synched to CUCM DB.
Then if they can reach the CUCM IP and have valid credentials they can log in to either CCMAdmin or CCMuser.
If this helps, please rate
OK, here's an example: AD user 'user1' can log on only to 'pc1' (it's set in AD). He is assigned the 'Standard CCM End Users' role in CUCM. AD user 'user2' can log on everywhere. He is assigned the 'Standard CCM End Users' role in CUCM too. LDAP authentication in CUCM is configured correctly: the 'LDAP User Search Base' contains both accounts. user2 can log on to the 'ccmuser' page without any problems, but user1 gets the following error message: 'Log on failed'. A packet capture shows the following LDAP error: errorMessage: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1, which translates to 'not permitted to logon at this workstation'. So I need a way to configure AD in such a way that it permits everyone to log on from CUCM. I'm asking it here hoping that someone has run into the same problem and found a solution.
I have seen this before. From what I recall it's because the auth request doesn't have any real AD Computer Account as a source (i.e. the CUCM doesn't have a computer account) and can't have one because it's not capable of domain membership.
If I recall correctly, if you look at the source in the event log of the denied logon, it's probably the Domain Controller that the request was sent to.
So to enable this, you would need to add the DC to the list of PCs that the user can log on to. You'd have to add any DCs that might auth the user, so this would be any that the CUCM has in its list of DCs for starters.
From what I've read there's no way of doing it centrally through GPO. You should be able to PowerShell it well enough, i.e. get a list of all users that have the 'log on to' attribute(s) populated and then add the DCs to those accounts. I've never had to try it though.
I'd test this out (I may be wrong) with a test account - check the event logs, see what the source computer shows as, add the DCs to that account and retest.
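The bulk change suggested in the reply above, written out as an added example (not code from the thread or from Cisco): it finds every user whose "Log On To" list is populated and appends the domain controllers to it. It assumes the RSAT ActiveDirectory module, rights to modify the user objects, and that the "Log On To" list is the `userWorkstations` attribute, which the AD cmdlets expose as the comma-separated `LogonWorkstations` property. The `-ExtraHosts` parameter is a hypothetical addition for DCs that `Get-ADDomainController` would not return (for example DCs in another domain that CUCM is pointed at).

```powershell
<#
  Added example, not from the original thread.
  Appends all domain controllers (plus any -ExtraHosts) to the
  "Log On To" list (userWorkstations / LogonWorkstations) of every
  user that has such a list, so an LDAP bind that reaches AD via a DC
  is no longer rejected with "data 531" (not permitted to logon at
  this workstation). Run with -WhatIf first and review the output.
#>
param(
    [string[]]$ExtraHosts = @(),   # hypothetical: NetBIOS names of DCs not found by Get-ADDomainController
    [switch]$WhatIf
)

Import-Module ActiveDirectory

# Any DC in the domain may service CUCM's bind, so add all of them.
$dcNames = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
$toAdd   = @($dcNames + $ExtraHosts |
            Where-Object { $_ } |
            ForEach-Object { $_.Trim().ToUpperInvariant() } |
            Sort-Object -Unique)

# Only users that actually carry a workstation restriction; users
# without the attribute can already log on from anywhere.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

foreach ($u in $restricted) {
    # The attribute is one comma-separated string of NetBIOS names.
    $current = @($u.LogonWorkstations -split ',' |
                 ForEach-Object { $_.Trim() } |
                 Where-Object { $_ })
    $currentUpper = @($current | ForEach-Object { $_.ToUpperInvariant() })

    # Case-insensitive merge so we never add a DC twice.
    $missing = @($toAdd | Where-Object { $currentUpper -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Verbose "$($u.SamAccountName): already lists all DCs"
        continue
    }

    $newList = ($current + $missing) -join ','

    # The ADUC "Log On To" dialog caps the list at 64 computers; do not
    # silently push past that.
    if (($newList -split ',').Count -gt 64) {
        Write-Warning "$($u.SamAccountName): would exceed 64 entries, skipping"
        continue
    }

    if ($WhatIf) {
        Write-Host "WhatIf: $($u.SamAccountName): $($u.LogonWorkstations) -> $newList"
    } else {
        Set-ADUser -Identity $u -LogonWorkstations $newList
        Write-Host "$($u.SamAccountName): added $($missing -join ',')"
    }
}

# Post-check: every restricted user should now list every DC.
$still = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Where-Object {
        $have = @($_.LogonWorkstations -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() })
        @($toAdd | Where-Object { $have -notcontains $_ }).Count -gt 0
    }
if (-not $WhatIf) {
    Write-Host ("Users still missing a DC: {0}" -f @($still).Count)
}
```

Usage: `.\Add-DcToLogonWorkstations.ps1 -WhatIf` to preview, then run without `-WhatIf`. As the reply above says, confirm first with a test account and the DC's Security event log which computer the denied logon is attributed to; if CUCM's binds show up as a different host than the DCs, pass that name via `-ExtraHosts` rather than assuming. Note the script widens these users' logon restriction to every DC, which is exactly what the workaround requires but also what the restriction was presumably meant to prevent, so keep the change list from the `-WhatIf` run for review.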
I had a similar problem with CUCM 8.5 + AD 2008: users with a limited list of computers they can log in to could not authenticate on the CUCM user page, and in the UCCX CAD and CSD applications as well. Adding DCs to their lists solved my problem.
So thank you for your post, it was really helpful.