CUCM Self Care Portal LDAP authentication fails

Difan Zhao
Level 5

Hi experts,

I am playing with the self-care portal page. I have users synced with Windows AD via the LDAP Directory config. I have also configured LDAP authentication with the same settings as in the LDAP directory setting with regard to LDAP DN, password, search base, etc.

My users are synced with AD successfully. The users have the access control group "Standard CCM End Users" assigned.

The problem is that I can't log in to the self-care portal with my AD credentials. Here is my URL. The error I got was "Username or password is incorrect. Please try again."

https://ucmpub01-00/ucmuser/

What did I do wrong, and how do I troubleshoot this problem?

[edited] I ran RTMT real-time traces and here is what I see in the "tomcat security log". This is one error I see.

2016-11-17 11:35:50,997 ERROR [http-bio-443-exec-15] impl.AuthenticationLDAP - verifyHostName:Exception.javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '<my ldap server hostname>' does not match the hostname in the server's certificate.
...
2016-11-17 11:35:51,002 ERROR [http-bio-443-exec-15] controller.AuthenticationController - IO exception while parsing file
java.nio.file.NoSuchFileException: /usr/local/platform/conf/cli/loginWarning.txt
<then some java error logs>

I did have to install the certificate of the LDAP server in the tomcat cert store to get the "LDAP directory" sync working. Are they not using the same certificate store?

Thanks,

Difan


6 Replies

Jaime Valencia
Cisco Employee

Try adding CUCM admin permissions to one user and try ccmadmin; if it still fails, I'd double-check the LDAP authentication config and the LDAP sync, just to be on the safe side.

HTH

java

if this helps, please rate

Thanks Jaime. I added the "Standard CCM Admin Users" access control group to my user, then I tried both https://ucmpub01-00/ccmadmin/ and https://ucmpub01-00/ucmuser/, and both failed with the error "username or password incorrect"...

Quick question: when I log in with my username, do I need to prepend the domain name with a \ in front, or append @domain.name at the end?

I also did the RTMT trace of the tomcat security log and I see this:

2016-11-17 11:53:49,211 ERROR [http-bio-443-exec-21] impl.AuthenticationLDAP - verifyHostName:Exception.javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'it-na-lda-pro-01-00f.int.pason.com' does not match the hostname in the server's certificate.

My certificate has a subject like "*.my.domain.name" instead of "hostname.my.domain.name". Does it matter? Again, the LDAP directory sync works, so the LDAP auth should also work, should it not?

Thanks,

Difan

Hi,

You need to make sure that the certificate CN has the exact name of the server (FQDN) and not just the domain. Alternatively, you can make use of a subject alternative name to carry the FQDN of the server.

At the moment CUCM does not support wildcard certificates. Refer to the bug below, which is still not resolved:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCta14114/?referring_site=bugquickviewredir

Aseem

(Please rate if useful)

Thanks Aseem.

I will request to have a specific certificate and try again later.

The interesting part is that the LDAP directory sync obviously does not require it, while LDAP auth does.

rogerholdman
Level 1
This was it. I added the CA root cert to tomcat-trust and restarted Tomcat. LDAP is done. CUC is next.

markelb
Level 1

I had this same issue and it took me a bit to understand what was happening. Maybe this will save someone the trouble.

My specific scenario: a UC 9.1.1 cluster is working. Jabber softphone clients and CCMUser logins are working with LDAP authentication. Administrators' LDAP account logins to CCMAdmin are working OK too.
LDAP Sync and LDAP Authentication are both pointing to "LDAP.example.com" with SSL enabled.
On a new UC 11.5.1.13901-3 system I set up the same Sync and Auth settings. I can sync users OK but not authenticate.

The Cisco Tomcat Security log has the same entry you referenced:

[http-bio-443-exec-10] impl.AuthenticationLDAP - verifyHostName:Exception.javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'ldap.example.com' does not match the hostname in the server's certificate.
Browsing to the LDAP server let me take a peek at the certificate it is presenting.

Subject: CN = *.example.com

Subject Alternative Name:  DNS Name=*.example.com
DNS Name=example.com
This explains what is happening. Past 10.5.2SU2, FQDN validation is enforced during the TLS handshake. Because the CN and/or Subject Alternative Name in the certificate does not match the FQDN of the LDAP server, the SSL handshake fails.

https://www.cisco.com/c/en/us/support/docs/ip/lightweight-directory-access-protocol-ldap/200562-Secure-LDAP-Problems-After-an-Upgrade-to.pdf
I'm struggling to have the LDAP administrator install a certificate with the FQDN of the LDAP server included in its certificate. I was able to work around this with the instructions in CSCux83666.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux83666/
Publisher CLI:
admin:utils ldap config status
utils ldap config fqdn configured
admin:
admin:utils ldap config ipaddr
Now configured to use IP address
admin:
admin:utils ldap config status
utils ldap config ipaddress configured
admin:
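To make the certificate-matching point concrete (Aseem's answer about CN/SAN needing the exact FQDN, and markelb's observation that a browser accepts the same wildcard certificate that CUCM rejects), here is an added example that is not part of this thread and not Cisco's code. It takes a certificate in the shape that Python's ssl.getpeercert() returns, constructed here to mirror the "*.example.com" certificate quoted above, and checks the configured LDAP host against it in two modes: a strict mode that accepts only an exact FQDN (the behaviour the thread attributes to CUCM via CSCta14114), and RFC 6125 wildcard matching as a browser does it. The function and constant names are the example's own, and the optional fetch_peer_cert() helper only shows how to pull a live certificate for inspection; the checks below run offline.

```python
"""Hostname-vs-certificate matching: strict exact-FQDN versus RFC 6125
wildcard matching (example code written for this thread, not Cisco's)."""
import ipaddress
import socket
import ssl

# Constructed to mirror the certificate markelb saw in the browser.
# The structure is what ssl.SSLSocket.getpeercert() returns.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

# Constructed: the certificate Aseem asks for, FQDN in CN and SAN,
# plus an iPAddress SAN (192.0.2.10 is a documentation address).
FQDN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("IP Address", "192.0.2.10")),
}


def _dns_names(cert):
    """Names a verifier may match: SAN dNSName entries, falling back to the
    subject CN only when the certificate carries no dNSName SAN at all."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _ip_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]


def _wildcard_match(pattern, hostname):
    """RFC 6125 style: '*' only as the whole left-most label and matching
    exactly one label, so '*.example.com' covers 'ldap.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(cert, hostname, allow_wildcard):
    """True when `hostname` (a DNS name or an IP address string) is covered
    by `cert`. allow_wildcard=False is the strict, exact-FQDN verifier;
    allow_wildcard=True is browser-style RFC 6125 matching."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP needs an iPAddress SAN; a dNSName never covers an IP.
        return any(ipaddress.ip_address(v) == ip for v in _ip_names(cert))
    for name in _dns_names(cert):
        if "*" in name:
            if allow_wildcard and _wildcard_match(name, hostname):
                return True
        elif name.lower().rstrip(".") == hostname.lower().rstrip("."):
            return True
    return False


def explain(cert, hostname):
    """Result of both verifier modes for one host, side by side."""
    return {
        "strict_fqdn": cert_matches(cert, hostname, allow_wildcard=False),
        "rfc6125_wildcard": cert_matches(cert, hostname, allow_wildcard=True),
    }


def fetch_peer_cert(host, port=636, ca_file=None):
    """Pull a live LDAPS certificate in getpeercert() form so it can be fed
    to explain(). Hostname checking is switched off on purpose so a cert
    that would fail name verification can still be inspected; chain
    validation stays on, so pass the issuing CA bundle as ca_file if the
    system store does not trust it."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("ldap.example.com", "example.com", "192.0.2.10"):
        print(host, "wildcard cert:", explain(WILDCARD_CERT, host))
        print(host, "FQDN cert:   ", explain(FQDN_CERT, host))
```

Run against the constructed wildcard certificate, "ldap.example.com" fails the strict check and passes the RFC 6125 check, which is exactly the split between the CUCM log line and the browser in markelb's post. Note that the IP-address case only passes when the certificate carries an iPAddress SAN; whatever the `utils ldap config ipaddr` workaround does inside CUCM, a certificate issued for "*.example.com" does not cover an IP under either rule.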