Jabber - AD Integrated Accounts Causing Lock Out Problems

asafayan1 · ‎04-04-2019

We sync CUCM to AD every 8 hours. When an AD user passes the 60 day password reset policy, they use Ctl-Alt-Delete and modify their AD password for security compliance purposes. They are the able to login to their PC on the network and Jabber auto-launches with cached credentials.

At this point - AD has their NEW password and CUCM still contains their OLD password because the sync interval is 8 hours. Because their username and password are hard-coded into Jabber, what I've found is often users forget to modify their Jabber password and Jabber will continue to authenticate successfully against CUCM because it contains their OLD password until the 8 hour sync interval has expired. Once AD - CUCM sync has occurred, their Jabber account locks out their AD credential because the CUCM db has their NEW password but they have not modified the previously cached password in their Jabber client.

Has anyone experienced this issue? Has anyone resolved this issue or created a work around ?

TIA,

Amir

Adam Pawlowski · ‎04-05-2019

Off the top of my head, you’d want to move to SSO, or require Jabber to prompt for credential each time you sign in.

I believe SSO in this case can also utilize Kerberos for Windows based machines to make things a bit more transparent.

asafayan1 · ‎04-05-2019

I did your second suggestion as follows by setting the <STARTUP_AUTHENTICATION_REQUIRED>True</STARTUP_AUTHENTICATION_REQUIRED>:

2. Jabber XML File Modifications - These steps 1.Removes voice services 2.Start Jabber automatically 3.Disables Auto-Login
A. Create new jabber-config-chat-only.xml with following entries:
<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
<Options>
<Start_Client_On_Start_OS>true</Start_Client_On_Start_OS>
<STARTUP_AUTHENTICATION_REQUIRED>True</STARTUP_AUTHENTICATION_REQUIRED>
</Options>
<Policies>
<Telephony_Enabled>false</Telephony_Enabled>
</Policies>
</config>