Solved: Re: Jabber MRA - Unity Voice Mail Integration Issue

Slavik Bialik · ‎10-08-2017

Hi people, I'm trying to integrate Cisco Jabber over MRA with Cisco Unity. This is not my first time, and I basically know how to do it only now I'm probably missing something and can't get it to work.

My Deployment contains:

Expressway-C & Expressway-E (dual NIC)
CUCM 11.5 SU3
IM&P 11.5 SU3
Unity 11.5 SU3
Cisco Jabber 11.9.1

The issue is that when I'm logging to my softphone it always prompts me:

In fact, when I'm pressing "Update" and then filling manually the credentials it is working fine, but I need to make it automatically based on my login credentials.

Another fact that may be important, is that this is a multi domain deployment, means the internal domain is: domain.local and the external domain is domain.com. MRA of course is working fine, and there's the "VoiceServiceDomain" parameter in the jabber-config.xml file that is set to domain.com. My previous deployments where it worked are single domain, so that's why I raised this thing, because it may has something to do with my issue.

Anyway, for your information I configured:

Unity as a UC Service and associated it to a Service Profile, also it is very important to note that I ticked: "Unified CM - IM and Presence" as a source credentials in the service profile settings.
Associated the above Service Profile to my End User.
Added Cisco Unity in my Expressway-C.
Changed the relevant settings in Unity according to the standard guide:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_5/CJAB_BK_D00D8CBD_00_deployment-installation-guide-cisco-jabber115/CJAB_BK_D00D8CBD_00_deployment-installation-guide-cisco-jabber115_chapter_0101.html#JABW_TK_C290FF8A_00
Integrated LDAP connection and authentication from Unity Connection, and synced my user as LDAP user in Unity with my internal extension.

I checked the Expressway event logs and I cannot see any errors that has to do with with Unity or voice mail services.

Another thing I've noticed is that when I'm logging in, there is no traffic that the Expressway-C is trying to send to Unity (mostly to port 7080 - JETTY service). Only when I put manually the credentials I see that Expressway-C initiates traffic over TCP/7080 to Unity, and it logs in fine. So looks like Cisco Jabber doesn't initiate anything towards Unity. Makes any sense?

Help guys? What am I missing here? :)

Best regards,

Slavik Bialik.

Slavik Bialik · ‎10-10-2017

OK, finally I found a solution. So I'm sharing it with all of you, because I'm 100% sure you'll get across it in your next MRA deployments.

When working with OAuth authentication in Expressway and CUCM (because CUCM is the OAuth Server, Expressway is the OAuth Client), when you're logging in in Cisco Jabber over MRA, and this feature is enabled, instead of sending Unity Connection the credential authentication it also sends the OAuth token, but Unity at first don't know what to do with it. So the solution is to connect Unity to CUCM in order for it to sync the OAuth tokens from the CUCM.

How to do it?

Go to Unity Connection
Go to System Settings -> Authz Servers
Add your CUCM (the OAuth Server) with the administrator credentials

and... That's it! Next time, when Unity will get the token from Expressway-C, it knows to which user to associate it and log you in to your voice mail box.

**bleep**, took me two whole days to understand it, it's not documented anywhere :(

View solution in original post

Slavik Bialik · ‎10-10-2017

OK, I sort of solved this issue, but not a final resolution, and I'll explain.

I found out that it happens when "Authorize by OAuth token with refresh" is enabled on Expressway-C, which means it tell the authentication process to work with OAuth tokens and not with authentication with credentials. So when I disabled it, and enabled "Authorize by user credential" on the Expressway-C, it logged in to the Voice Mail services right away.

But, after reading about the new authentication with the OAuth tokens, I really want to use it as it has it's benefits. So, according to the above findings, does anyone have an idea?

Thanks,

Slavik.

venparaj · ‎08-20-2019

It worked perfectly by disable "Authorize by OAuth token with refresh" and enabled "Authorize by user credential" on the Expressway-C

Thank you.

Slavik Bialik · ‎10-10-2017

OK, finally I found a solution. So I'm sharing it with all of you, because I'm 100% sure you'll get across it in your next MRA deployments.

When working with OAuth authentication in Expressway and CUCM (because CUCM is the OAuth Server, Expressway is the OAuth Client), when you're logging in in Cisco Jabber over MRA, and this feature is enabled, instead of sending Unity Connection the credential authentication it also sends the OAuth token, but Unity at first don't know what to do with it. So the solution is to connect Unity to CUCM in order for it to sync the OAuth tokens from the CUCM.

How to do it?

Go to Unity Connection
Go to System Settings -> Authz Servers
Add your CUCM (the OAuth Server) with the administrator credentials

and... That's it! Next time, when Unity will get the token from Expressway-C, it knows to which user to associate it and log you in to your voice mail box.

**bleep**, took me two whole days to understand it, it's not documented anywhere :(

greg.burmeister · ‎01-21-2018

Great find Slavik! This saved me a ton of time on the exact same issue!

orlandoguy82 · ‎04-19-2018

This was very helpful for me. Thank you.

milfredo · ‎05-08-2018

We've had MRA offline all weekend and most of this morning. Cisco managed to assist in getting user logged back in but Voicemail was still offline. I added the auth server and the service came back up on my Jabber client instantly!

All the steps Cisco need to document are as follows:

CUCM - OAuth with Refresh Login Flow = Enabled

CUCM - Enable Caching = True - (undocumented but True by default... we were False)

Unity - OAuth with Refresh Login Flow = Enabled

Unity - System Settings -> Authz Servers = CUCM Publisher - (undocumented)

Exp-C - Authorize by OAuth token with refresh = On

Exp-C - Check for internal authentication availability = Yes

Exp-C – configuration\ CUCM& Unity\ Refresh CUCM & Unity servers - (undocumented)

Slavik Bialik · ‎05-08-2018

I am glad that it is working now :)

Cisco always misses the juicy parts, heh.

jacob.mariant · ‎02-22-2019

Hi All!

I'm having a similar problem with my SSO/OAuth deployment. I'd greatly appreciate any advice!

Infra:

Webex Messenger (Cloud IM)

CUCM 11.5 SU3

Unity 11.5 SU3

Expressway 8.11.4

IdP: ADFS (Messenger and CUCM/Unity are using same IdP - this is required per Cisco docs)

Problem 1: When my Jabber client is NOT going through expressway, phone services connects on sign-in every time. Voicemail however keeps asking for username/password and I have to manually enter. Very rarely VM does connect with OAuth/SSO but I cannot identify any pattern. Once authenticated, I can transition to MRA/Expressway with no problems at all. Refresh occurs as expected. Has anyone seen this? What was the solution? I do have the Authz server added on Unity.

Problem 2 is that 100% of the time when I initiate a new connection (reset Jabber then sign-in) over MRA/Expressway, I am only prompted to manually enter my credentials for both phone services and voicemail. OAuth/SSO is not working on MRA at all on the initial connection. MRA only works if I first connect directly to CUCM/Unity then transition to MRA.

Please let me know if you have seen this before and have any advice. Thank you!

Alessandro Bertacco · ‎06-05-2020

Hello Great for me your solution shared, solved also my issue.

Thjank you very much for sharing.

Have a great day

Regards

Alessandro

bryanjones · ‎05-12-2023

Just to chime in... this fixed our problem, too. MRA over expressway on 12.5. It's VERY vaguely documented in the Oauth section of the MRA setup guide... but we'd never have found it.

aubreyengland · ‎10-20-2020

This helped me as well. thanks!!!