Ldap directory

yosoypako
Level 1

Hello. We are using a Microsoft LDAP directory for CallManager user authentication (CCM 7.1.5). Almost all users can log in to the ccmuser web page to check their stuff. We only have a problem with some of the users: these users are restricted, in Microsoft Active Directory, as to which workstations they can log on to (this is a security policy of the customer). We have tried to set the CCM (pubs and subs) IP addresses and hostnames as valid workstations for the user, but it is not working. I have made a packet capture to check why the Microsoft server is rejecting the logon request:

LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db0)

If we allow the users to log on at any workstation, it works fine.

Any idea about how to make it work?

Is this supported?

Thanks for your help

6 Replies

Joseph Martini
Cisco Employee

The problem is that "531 not permitted to logon at this workstation" from https://www-304.ibm.com/support/docview.wss?rs=688&uid=swg21290631. CUCM still isn't permitted to authenticate the user to LDAP/AD.

Hello, we are still trying to make it work, with no success. We do not know how to define the CCM as a valid workstation for the users.

Hi

See this post from another system integrated to AD: https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=2304

I suspect that if you add the name of the partner DC (or DCs) to the 'allowed workstations' list, it will work.

The customer may raise a concern that the users should not be permitted to log on to the DC, but this could be circumvented by not permitting console logons via group policy. If I recall correctly, only administrators are allowed to log on to DCs interactively anyway.

Aaron


Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Hello Aaron. I will try this.

Thanks for your help

We have allowed the DC as a valid user workstation.

The user cannot log on to the ccmuser web page. In the packet capture we made of the communication between the CCM and the DC during the user authentication, there is no user workstation field in the LDAP packet. The CallManager is sending the logon request without the userworkstation attribute.

Hi

CCM won't send the 'userworkstation' attribute. It's not a Windows device, and even if it did it would not have a corresponding workstation account in AD.

You will need to find the event in the Windows event log that shows the rejection and see what 'workstation' the DC sees this as.

Aaron

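As an added example, not from this thread or from Cisco, the following Python parses the AcceptSecurityContext comment that AD attaches to a failed bind (the `data 531` string in the original capture) and groups constructed sample lines by failure reason, so that an administrator can tell workstation restrictions apart from plain bad-password failures before going to the DC's event log. The `user | message` line format and the sample users are assumptions made up for the example.

```python
import re

# Well-known "data" codes AD returns in the AcceptSecurityContext comment of
# a failed simple bind; all of them surface as LDAP result 49 invalidCredentials.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERROR_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")


def classify_bind_error(message):
    """Return (data_code, meaning) for an AD bind-failure message, or None
    when the message carries no AcceptSecurityContext data code."""
    match = BIND_ERROR_RE.search(message)
    if not match:
        return None
    code = match.group("data").lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown data code")


def summarize_bind_failures(lines):
    """Group constructed 'user | ldap message' lines by AD data code.
    Returns {code: sorted list of users}; successful binds are skipped."""
    by_code = {}
    for line in lines:
        user, _, message = line.partition(" | ")
        result = classify_bind_error(message)
        if result is None:
            continue
        by_code.setdefault(result[0], []).append(user.strip())
    return {code: sorted(users) for code, users in by_code.items()}


# Constructed sample lines modelled on the capture quoted in the thread.
SAMPLE_LINES = [
    "alice | LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db0)",
    "bob | LDAPMessage bindResponse(1) success",
    "carol | LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db0)",
    "dave | LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0)",
]
```

Run `summarize_bind_failures(SAMPLE_LINES)` to see the 531 users listed separately from the 52e user; a sudden cluster under 531 points at a logon-workstation policy, not at user error.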