Showing results for 
Search instead for 
Did you mean: 

Centralised IM and Presence


We have installed a Centralised CM and IM&P cluster, but have hit a wall with Jabber sign in.


For service discovery, our UDS SRV record points to our SME for the Home cluster.

Our SME cluster is the Hub of our ILS network, with all leaf clusters, including the Centralised CM and IM&P cluster are Spoke clusters. 


We have SSO configured throughout all clusters, using FQDN multi-SAN single agreement SAML trusts, with OAuth Refresh Logins enabled for each cluster.


Some errors we receive in Jabber log and SSO log on IM&P:


2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - Entry

2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - ****************************************************************

2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::Outage::onServerDisconnection] - ****************ATTENTION********************

2018-05-16 16:34:53,855 INFO [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - OnLoginError: LERR_CUP_SSOTOKEN_INVALID <28>:

2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - ****************************************************************

2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::LoginEventListenerImpl::OnLoginCredentialInvalid] - Login Credential Invalid


SSO log:

2018-05-16 16:34:53,389 INFO [http-bio-443-exec-19] servlet.OauthServlet - doPost :: POST request for servletPath:/token/validate
2018-05-16 16:34:53,389 INFO [http-bio-443-exec-19] handlers.ValidateTokenHandler - processRequest
2018-05-16 16:34:53,390 ERROR [http-bio-443-exec-19] token.TokenV2Manager - JWS Token header error or signing key mismatch: {"alg":"RS256","typ":"JWT","kid":"..."}


We had a case open with TAC, but couldn't be resolved and case was closed. This is set up in a lab environment so couldn't escalate to developers.


Anyone else working on this?





7 Replies 7


Hi, I am getting the same error for a single user, what did TAC suggest

Sorry there was no solution and closed the case.
Please let me know if you get it working 😊

Restart the Cisco sync agent service and check . During the issue validate the same user can be visible in IMP server too

We restarted services, servers, and clusters, without success.
Thanks anyway, we have moved on from this.

I meet the issue after upgrading from 12.0 to 12.5. Everything is working normally if I disable OAuth with Refresh Login Flow. I guess the issue related to IM&P cannot fetch the OAuth token keys from CUCM.

This didn't do much to help us at the time, but try checking if the authz keys match on each node, and regenerate if needed.

show key authz signing
show key authz encryption

set key regen authz signing
set key regen authz encryption

Thanks ! 


That did it for one of my customers.


For some reason the sync on tickets had stopped. 

renewing fixed it.



CCIE-Collaboration #24527
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: