cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2194
Views
5
Helpful
16
Replies

TMSPE - User Provisioning

Simon Battye
Explorer
Explorer

Hi,

Has anyone had any issues with the new Cisco TMS Provisioning extension, where Cisco Movi/Jabber for TP users are being provisioned and are able to register to the relevant VCS using their provisioning credentials, but are not being shown as active in TMS?

All provisioning diagnostics are displaying as ok, all services defined under the VCS in navigator are displaying ok; and i can locate the provisioned user under the VCS Provisioning Extension Services on the VCS itself.

If i navigate to the user in TMS under the provisioning directory, under provisioned devices it says: "No provisioned devices  found for this user..."; user is not displayed as active under devices also despite it being registered.

Thanks, Si



16 Replies 16

daleritc
Cisco Employee
Cisco Employee

In TMS, select the VCS and then select the Provisioning tab. Is the Device service enabled? If so, is it reporting any problem? Base group correct?  If it's not reporting any problem, have you tried doing a 'Perform Full Synchronization' ? Are the TMSPE Diagnostics reporting any problem?

Dale,

The answer to all your questions, yes - everything is reporting as OK.

Just to add - some users are provisioning ok, i.e. they can log into Jabber/Movi, register to the VCS and TMS is seeing them as active under device. This is only happening for certain users, all under the same provisioning directory folder though.

I thought it may have been the templates/schemas, as different versions of Movi are being run, but i am running the correct templates/schemas for the relevant versions of Movi now.

Thanks, Si

Hi Simon,

Are you utilizing FindMe (Video Address Pattern) and the Device Address Pattern? Or are you using just the Device Address Pattern? If your only using the Device Address Pattern, then this could be due to either users logging onto Movi/Jabber on the same device or the 'identification' of the device (e.g. laptop or PC) has been cloned...meaning when a two users use the same device (or the device has been cloned), then the device associated with that particular user can only be used and related to one user at time. Therefore, and in your case and if you are only using Device Address Pattern, then my theory is that the device association is actually 'jumping' from one user to the other.

cheers,

Dale

Dale,

In this scenario, we are not using FindMe.

Root folder is configured as {username}.{device.model}@domain.com for the Device Address Pattern. Subfolder/group in which users are located under, also has the above pattern configured for Device Address Pattern.

Said user; who is not showing as provisioned, but is able to log in, uses their own machine to log into Movi and this is not a shared desktop/device - not sure how the device association would be jumping from one user to another?

Cheers, Si

If I remember it right the device is generated under windows from some unique system variable.

If that is not unique (like if you cloned an windows install for multiple computer instead of gernalizing the windows install image),

it might explain what you see.

Could this be your issue here?

Please remember to rate helpful responses and identify

Simon,

the behavior which Dale is describing could happen if multiple computers within the same environment share the same SID, e.g if multiple computers have gotten Windows installed with a cloned image where sysprep has not been run to generate a unique SID for each computer.

Cheers,

Andreas

Since you've confirmed that your only using the Device Address Pattern, then "ditto" on both what Martin and Andreas are saying with regards to multiple computers possibly having the same SID. Thanks for jumping in and adding your comments guys

Thanks guys, i'll check this with my client and see what they come back with.

Thanks, Si

On a side note, can I use TMSPE to send provisioning information to a VCS Expressway?

I seem to have a issue with getting my iPad registering to my expressway buit works fine to the control.

Sent from Cisco Technical Support iPad App

Hi Richard,

To answer your question, using a VCS Expressway is not recommended as a best practice when using the TMSPE provisioning solution, although it can be done. However, note what we say within the TMSPE Deployment Guide concerning this:

In a network which only has Cisco VCS Expressways, you can configure your system with provisioning enabled on the Cisco VCS Expressway, however, you should consider the security aspects of storing user data on an appliance that is located in a the Public network or  DMZ.

User accounts can only reside on one Cisco VCS (or Cisco VCS cluster). Therefore if your network has a combination of Cisco VCS Expressways and Cisco VCS Controls (where some endpoints - such as soft clients - may register to either the Control or the Expressway), we recommend that you configure and enable provisioning only on the Cisco VCS Control (or Control cluster). If a soft client or other endpoint registers to a Cisco VCS Expressway, provisioning requests will be routed (using search rules) to the Cisco VCS Control associated with the Expressway via the appropriate traversal zone.

With that said, my guess is that you don't have your VCS Expressway configured correctly so has to proxy these types of requests to the VCS Control. Recommend you double check the TMSPE deployment guide for the correct configurations, etc:

https://www.cisco.com/en/US/docs/telepresence/infrastructure/tmspe/install_guide/Cisco_TMSPE_Deployment_Guide_1-0.pdf

Hi All,

If I am unable to confirm whether the computers were built using a cloned image where sysprep was not run to generate a unique SID, are there any logs/traces i can run on the infrastructure that would possibly identify what SID they are presenting to VCS/TMS? Or is there something I can check locally on the machines?

Thanks, Si

Simon,

the Jabber Video client will provide its SID in the SUBSCRIBE request sent to the VCS (Which is sent when 'Sign in' is clicked on the client).

An example of a SUBSCRIBE request such as this is:

2012-08-15T14:21:34+02:00 vcs06 tvcs: UTCTime="2012-08-15 12:21:34,659" Module="network.sip" Level="DEBUG":  Src-ip="X"  Src-port="57541"

SIPMSG:

|SUBSCRIBE sip:andreas@cisco.com SIP/2.0

Via: SIP/2.0/TLS X:57541;branch=z9hG4bKef51b26ed48f06ba54597708d204c18c.1;received=X;rport=57541

Call-ID: a1c71da4d4a48473@127.0.0.1

CSeq: 201 SUBSCRIBE

Contact:

From: <>andreas@cisco.com>;tag=c27e174ea1886787

To: <>provisioning@cisco.com>

Max-Forwards: 70

Route:

User-Agent: TANDBERG/773 (MCX 4.4.3.14479) - Windows

Expires: 300

Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.4.3.14479;clientid="S-1-5-21-789685965-2171981172-3425090153";connectivity=0

Accept: application/pidf+xml

Content-Length: 0

As I've highlighted above, the SID can be found in the 'Event' header, in the 'clientid' parameter, which in this case is

S-1-5-21-789685965-2171981172-3425090153.

By taking a diagnostics log (With Network log level set to DEBUG) you can collect SUBSCRIBE requests from Jabber Video clients on different computers, find their corresponding SUBSCRIBE requests and compare the SID's.

Hope this helps,

Andreas

Thanks Andreas, should help me troubleshoot this.

Andreas, is there any way to get a live dump (like is the dump written to a temp. file)?

I really miss the netlog 2 as you could easily see what was going on in the network and even

do some filtering on the console.

Besides that, the SID should be visible on the device info in the TMS as well.

If its the same showing once for the one and then later on the other account

you know it as well.

Also your system admin who has set up the systems should know if and how the sid is generated.

Maybe that helps as well :

http://pcsupport.about.com/od/registry/ht/find-user-security-identifier.htm

Please remember to rate helpful responses and identify

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers