We sync CUCM to AD every 8 hours. When an AD user passes the 60-day password reset policy, they use Ctrl-Alt-Delete and modify their AD password for security compliance purposes. They are then able to log in to their PC on the network and Jabber auto-launches with cached credentials.
At this point - AD has their NEW password and CUCM still contains their OLD password because the sync interval is 8 hours. Because their username and password are hard-coded into Jabber, what I've found is often users forget to modify their Jabber password and Jabber will continue to authenticate successfully against CUCM because it contains their OLD password until the 8 hour sync interval has expired. Once AD - CUCM sync has occurred, their Jabber account locks out their AD credential because the CUCM db has their NEW password but they have not modified the previously cached password in their Jabber client.
Has anyone experienced this issue? Has anyone resolved this issue or created a workaround?
Off the top of my head, you’d want to move to SSO, or require Jabber to prompt for credentials each time you sign in.
I believe SSO in this case can also utilize Kerberos for Windows-based machines to make things a bit more transparent.