05-23-2012 12:47 PM - last edited on 03-25-2019 09:46 PM by ciscomoderator
I have just upgraded to CUPS 8.6.4, which resolves the Subject Alternative Name" Certificate issue, and am trying to get Calendar Integration working with Presence. When I look at the Presence Engine logs, It is sending the email address as the log on credentials to OWA. I need it to send domain\username. Is that possible?
Thanks, in advance,
Doug
05-23-2012 04:41 PM
Hey Doug,
There is no configuration where we can change the way CUPS performs EWS queries.
Is there any error message you see in the PE logs with the following syntax in the logs:
EWSCalendarInfo::initiateRecovery
Also if you can tell me that if the impersonation account formatted as "
Is the Exchange 2010 running with AD 2003 or 2008?
Regards,
Jas
05-23-2012 08:03 PM
When I look at the PE logs, I see :
11:47:55.550 |system.pe.pa.owa.backend 1241894 INFO received SUBSCRIBE response for doug.davidson@epl.net: 401 Unauthorized
HTTP/1.1 401 Unauthorized
x-powered-by: ASP.NET
date: Wed, 23 May 2012 16:47:54 GMT
content-length: 0
set-cookie: exchangecookie=895f546a4d8d43f1bd481f052f4e43e7; expires=Thu, 23-May-2013 16:47:55 GMT; path=/; HttpOnly
www-authenticate: Negotiate, NTLM, Basic realm="webmail.epl.net"
server: Microsoft-IIS/7.5
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <----QMS::SUBSCRIBE doug.davidson@epl.net
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG -->SessionManager::setConnected: webmail.epl.net:443 0
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--SessionManager::setConnected 0
11:47:55.550 |system.pe.pa.owa.backend 1241894 ERROR -->EWSSubscription::initiateRecovery: doug.davidson@epl.net POST 3 Authentication failure on server; Could not authenticate to server: ignoring empty Negotiate continuation, rejected NTLM challenge, rejected Basic challenge
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::clearResubscribe
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::scheduleResubscribe - interval (secs): 1080
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::initiateRecovery: POST
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::processSubscribeRequest
11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--QMS::SUBSCRIBE
The account in the Exchange gateway is domain\ExCalendar.
We are running AD 2003.
Thanks,
Doug
01-30-2013 09:13 PM
Hi Doug/Jasmeet,
Was there ever a work around to get this working, I've got the exact same problem with Exchange 2010 EWS and on Win2008.
The AD configured email address doesn't match the actual internal address used in Exchange, e.g. john.doe@domain.com is configured in the AD End User information.
However the real Exchange address is jdoe16@domain.internal
Jasmeet, what impact does the format of the impersonation account have?
I have entered our impersonation account for the gateway as domain\cupimacc
Regards,
Mike.
01-31-2013 12:09 AM
Hi Michael
So your 'mail' attribute in CUCM has john.doe@domain.com, or jdoe16@domain.internal?
The format of the imp account in the CUPS config should usually be as you have it - domain\username. That's the default format for OWA/EWS and isn't usually changed.
Aaron
01-31-2013 01:56 AM
Hi Aaron,
The CUCM mail attribute is john.doe@domain.com, this is sync'ed from AD. Our example user id is jdoe16.
The Exchange guys tell me internally to Exchange all the email accounts are @domain.internal, somehow they these two email addresses map to the same user.
Exchange EWS requires the CUP server to subscribe as domain\userid, but debugs are showing john.doe@domain.com not domain\userid
Is there a parameter that will allow me to configure the domain\username for the Exchange EWS?
When we log in to Jabber the we use userid and password, the jabber domain is domain.com.au, which is configured in the CUP server.
Regards,
Mike.
02-11-2013 02:08 AM
Hi,
i have also a problem with calendar status. Looks like yours. See here the PE log:
10:29:13.288 |system.pe.pa.owa.backend 1244158 ERROR -->EWSSubscription::initiateRecovery:
POST 3 Authentication failure on server; Could not authenticate to server: ignoring empty Negotiate continuation, rejected Basic challenge
AD proxy adress for users is -> SMTP:
Impersonation User configuration in CUPS -> domain\user
How could i simply verify impersonation user have the right permissions?
Any suggestions how to fix?
Regards
Thorsten
02-11-2013 03:30 AM
Hi
It's normal to see auth fails, usually followed by another connection where CUPS sends the credentials - it's a bit like when you browse to something password protected; you see the auth dialog in internet explorer as a result of receiving a permissions error, the retry with permissions.
You can use a free SOAP tool to test your impersonation permissions :
Aaron
02-11-2013 06:00 AM
Thx for the Tool. Great. :-)
There was also a problem with impersonate user but i have still a problem with status. I have make a detailed trace now:
14:53:05.723 |system.pe.pa.owa.backend 1243654 INFO received FINDITEM response for
HTTP/1.1 401 Unauthorized
x-powered-by: ASP.NET
date: Mon, 11 Feb 2013 13:52:17 GMT
content-length: 0
www-authenticate: Negotiate, NTLM, Basic realm="
server: Microsoft-IIS/7.0
This is what i got often in the log.
Any suggestion?
02-11-2013 11:06 AM
Hi
So I take it the tool can impersonate this user OK?
Did you specify the same username format that you used in CUPS admin? And did you use basic auth with the test tool?
Aaron
02-11-2013 12:06 PM
Yes, impersonate works.
What do you mean with same user format as CUPS admin? Could you give me an example?
02-11-2013 12:14 PM
Hi
I mean if you can connect with the same CUPS service account, and impersonate the user, then the permissions must be OK.
That kind of leaves 'something else' as the problem - so I'm wondering if you are using the same authentication settings in the SOAP tool that CUPS is using. E.g. ticking the 'force basic auth' option, and specifying the usename as domain\cupsserviceaccount for example?
Aaron
02-11-2013 12:33 PM
Ok. Very good input. I will check tomorrow morning. I have now no access to that machine. :-/
02-11-2013 11:57 PM
Looks also good.
03-20-2013 11:27 AM
Is there any resolution on your issue yet? I'm seeing the same exact issue. We appear to have all of the correct permissions on the Exchange side configured correctly. I can log into OWA using the service account we are using under the Presence gateway for EWS. We are getting the 401 Authorized Failure messages in the debug traces from the CUPS server.
I'm using the SOAP tool to test impersonation, but I'm not 100% sure what URL the presence server is using in the backend to connect to Exchange 2010. If I do the SOAP tool test and have autodiscover fill in the URL, I am getting a success when using GetFolder and Inbox on another user's account. However, the URL it picked is not the same one we have defined in the Presence gateway. We have about 6 CAS servers and 6 mailbox servers in our setup. 3 are in one Data Center and 3 are in another Data Center. We're using F5 load balancers to accomodate all of the servers and their traffic.
The URL we have specified in our Gateway configuration is cupsowa.corp.tmnas.com. Is Presence going to /owa? /exchange? What is the URL it is actually using in the background?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide