07-21-2011 07:05 AM - edited 03-16-2019 06:03 AM
Hello. We are using a Microsoft LDAP for the CallManager user authentication (CCM 7.1.5). Almost all the users can log in to the ccmuser web page to check their stuff. We only have a problem with some of the users; these users are restricted, in the Microsoft Active Directory, in which workstations they can log on to (this is a security policy of the customer). We have tried to set the CCM (pubs and subs) IP addresses and hostnames as valid workstations for the user, but it is not working. I have made a packet capture to check why the Microsoft server is rejecting the logon request:
LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db0)
If we allow the users to log on at any workstation it works fine.
Any idea about how to make it work?
Is this supported?
Thanks for your help
07-21-2011 08:17 AM
The problem is that "531 not permitted to logon at this workstation" from
https://www-304.ibm.com/support/docview.wss?rs=688&uid=swg21290631. CUCM still isn't permitted to authenticate the user to LDAP/AD.
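The reply above identifies the bind failure by the `data 531` sub-status in the diagnostic string. The following is an added example, not code from this thread or from Cisco, that parses that string out of an `AcceptSecurityContext error` bind response and classifies it, so a capture or an LDAP client log can be triaged without reading the hex by hand. The thread only discusses 531; the other codes in the table are the standard Active Directory sub-status values (an assumption about your DC, not something stated in the thread), and the sample log lines are constructed.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Standard AD sub-status codes carried in the "data NNN" field of an
# AcceptSecurityContext bind error. Only 531 appears in the thread; the rest
# are well-known values and are an assumption about the DC being queried.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time (logon hours restriction)",
    "531": "not permitted to logon at this workstation (LogonWorkstations restriction)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the diagnostic message AD returns inside an invalidCredentials
# bindResponse, e.g. "80090308: LdapErr: DSID-0C0903A9, comment:
# AcceptSecurityContext error, data 531, v1db0".
_BIND_ERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*AcceptSecurityContext error,\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def parse_bind_error(diagnostic: str) -> Optional[dict]:
    """Return the parsed sub-status for an AD bind failure, or None if the
    line does not carry an AcceptSecurityContext diagnostic."""
    m = _BIND_ERR_RE.search(diagnostic)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult").upper(),
        "dsid": m.group("dsid").upper(),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-status"),
        # 52e is the only code that means the password itself was wrong;
        # everything else is an account or policy restriction on the DC side.
        "credential_problem": data == "52e",
    }


def summarize(lines: Iterable[str]) -> Counter:
    """Count bind-failure sub-status codes across a batch of log lines,
    ignoring lines that are not AD bind diagnostics."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_bind_error(line)
        if parsed is not None:
            counts[parsed["data"]] += 1
    return counts


# The line quoted in the original post, as captured from the bindResponse.
CAPTURED_LINE = (
    "LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: "
    "DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db0)"
)

# Constructed sample: a mix of a wrong password, two workstation-restricted
# users and a successful bind, as they might appear in a client log.
SAMPLE_LINES = [
    "bind as CN=alice failed: 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db0",
    CAPTURED_LINE,
    "bind as CN=bob failed: 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 531, v1db0",
    "bind as CN=carol: success",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_bind_error(line))
    print(summarize(SAMPLE_LINES))
```

The useful distinction is that the LDAP result code (`invalidCredentials`, 49) is the same for every one of these failures, so a client like CUCM cannot tell a wrong password from a DC-side policy rejection; only the `data` sub-status in the diagnostic string separates them, which is why the capture in the first post is the right place to look.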
09-05-2011 02:37 AM
Hello, we are still trying to make it work with no success. We do not know how to define the ccm as a valid workstation for the users.
09-05-2011 03:01 AM
Hi
See this post from another system integrated to AD: https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=2304
I suspect that if you add the name of the partner DC (or DCs) to the 'allowed workstations' list, it will work.
Customer may raise a concern that the users should not be permitted to log on to the DC, but this could be circumvented by not permitting console logons via group policy. If I recall correctly, only administrators are allowed to log on to DCs interactively anyway.
Aaron
Please rate helpful posts...
09-07-2011 04:02 AM
Hello Aaron. I will try this.
Thanks for your help
09-07-2011 05:28 AM
We have allowed the DC as a valid user workstation.
The user cannot log on to the ccmuser web page. In the packet capture we made of the communication between the CCM and the DC during the user authentication, there is no user workstation field in the LDAP packet. The CallManager is sending the logon request without the userworkstation attribute.
09-07-2011 05:37 AM
Hi
CCM won't send the 'userworkstation' attribute. It's not a Windows device, and even if it did it would not have a corresponding workstation account in AD.
You will need to find the event in the Windows event log that shows the rejection and see what 'workstation' the DC sees this as.
Aaron