05-29-2012 03:47 AM - edited 03-16-2019 11:23 AM
Good time of the day!
We have a CUCM 8.6 integrated with AD 2008 - it pulls users from AD. Some of the users in AD have a specific list of computers they can log on to, others can log on everywhere. I'm trying to configure LDAP authentication so that users could log on to CUCM using their Windows credentials. No problems with users who can log on everywhere, but other users who have a list of PCs they can log on to obviously can't log on to CUCM. Here's the question: is there a way to permit everyone to log on to CUCM without specifying CUCM in a list of PCs for each user? Of course this is an AD 2008 question, but I hope someone did something like this before.
Thanks!
05-29-2012 07:58 AM
AD permissions have nothing to do with CUCM permissions. If the user is in a container specified under LDAP integration and authentication and is assigned to a CUCM User Group giving them access to CUCM, either to the admin or user pages, that is what drives it.
HTH,
Chris
05-29-2012 08:01 AM
CUCM is really unaware of such configurations; you never use the CUCM server to log on and admin the server unless you need to do some specific task via CLI. When CUCM syncs with LDAP it doesn't pull that info as it's not relevant.
You define who can access CUCM via the roles and user groups once the users are synched to CUCM DB.
Then if they can reach the CUCM IP and have valid credentials they can log in to either CCMAdmin or CCMuser.
HTH
java
If this helps, please rate
www.cisco.com/go/pdihelpdesk
05-29-2012 11:03 PM
OK, here's an example: AD user 'user1' can log on only to 'pc1' (it's set in AD). He is assigned a 'Standard CCM End User' role in CUCM. AD user 'user2' can log on everywhere. He is assigned a 'Standard CCM End User' role in CUCM too. LDAP authentication in CUCM is configured correctly - 'LDAP User Search Base' has both accounts. user2 can log on to the 'ccmuser' page without any problems, but user1 is getting the following error message: 'Log on failed'. Packet capture shows the following LDAP error: errorMessage: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1, which translates to 'not permitted to logon at this workstation'. So I need a way to configure AD in such a way that it permits everyone to log on from CUCM. I'm asking it here hoping that someone has run into the same problem and found a solution.
05-29-2012 11:42 PM
Hi Alexander
I have seen this before. From what I recall it's because the auth request doesn't have any real AD Computer Account as a source (i.e. the CUCM doesn't have a computer account) and can't have one because it's not capable of domain membership.
If I recall correctly, if you look at the source in the event log of the denied logon, it's probably the Domain Controller that the request was sent to.
So to enable this, you would need to add the DC to the list of PCs that the user can log on to. You'd have to add any DCs that might auth the user, so this would be any that the CUCM has in its list of DCs for starters.
From what I've read there's no way of doing it centrally through GPO. You should be able to powershell it well enough - i.e. get a list of all users that have the 'logon to' attribute(s) populated and then add the DCs to those accounts. I've never had to try it though.
I'd test this out (I may be wrong) with a test account - check the event logs, see what the source computer shows as, add the DCs to that account and retest.
Regards
Aaron
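The PowerShell approach Aaron sketches above (find every user whose "Log On To" list is populated, then append the domain controllers to it), written out as an added example. This is not code from the thread or from Cisco; it assumes the ActiveDirectory RSAT module is available, that the account running it may modify those users, and that the "Log On To" list is the AD attribute userWorkstations (a single comma-separated string of NetBIOS computer names). The -DryRun switch is an assumed parameter added here so the proposed changes can be reviewed before anything is written.

```powershell
# Added example (not from the thread): append every DC's NetBIOS name to the
# userWorkstations ("Log On To") attribute of each user that already has it set.
# Users whose list is empty can log on anywhere and are deliberately left alone:
# writing the attribute for them would restrict them instead of relaxing them.
[CmdletBinding()]
param(
    [switch]$DryRun   # assumed parameter: report the changes, write nothing
)

Import-Module ActiveDirectory

# NetBIOS host names of all domain controllers in the current domain.
$dcNames = @((Get-ADDomainController -Filter *).Name)

# Only users with a populated Log On To list are affected by error 531.
$restricted = Get-ADUser -Filter 'userWorkstations -like "*"' -Properties userWorkstations

foreach ($user in $restricted) {
    # Current list as an array of names, ignoring empty entries.
    $current = @($user.userWorkstations -split ',' | Where-Object { $_ -ne '' })

    # DCs not yet on this user's list (comparison is case-insensitive).
    $missing = @($dcNames | Where-Object { $current -notcontains $_ })

    if ($missing.Count -eq 0) {
        Write-Verbose "$($user.SamAccountName): all DCs already present"
        continue
    }

    # Rebuild the comma-separated string with the DCs appended.
    $newValue = ($current + $missing) -join ','

    if ($DryRun) {
        Write-Output "$($user.SamAccountName): would add $($missing -join ', ')"
    } else {
        Set-ADUser -Identity $user -Replace @{ userWorkstations = $newValue }
        Write-Output "$($user.SamAccountName): added $($missing -join ', ')"
    }
}
```

Run it once with -DryRun and compare the output against the event-log test Aaron describes (the source computer of the denied logon should be one of the DCs being added). Two things to check before the real run: userWorkstations is one string with a fixed length limit, so a user whose list is already long can fail the Set-ADUser call and should be handled by hand; and adding a DC to a user's Log On To list only removes the workstation restriction for that DC, it does not by itself grant the user interactive logon rights on it, which the Default Domain Controllers policy restricts to administrative groups.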
08-01-2012 04:43 AM
Hi Aaron.
I had a similar problem with CUCM 8.5 + AD 2008: users with a limited list of computers they can log in to could not authenticate on the CUCM user page, nor in the UCCX CAD and CSD applications. Adding the DCs to their lists solved my problem.
So thank you for your post, it was really helpful.
08-01-2012 04:48 AM
Hi
Glad it helped you out!
Please remember to rate helpful posts to help identify useful content...
Principal Engineer at Logicalis UK