PCA web page using web guest account.

raypoon (Level 1)

My client would like to know what the minimum user privilege/right is for the IUSR_<SERVER_NAME> account in order to support the Cisco PCA web page, since they have hardened the OS of the Windows 2000 server and disabled lots of rights for the guest and web guest accounts. The customer is very concerned with security.

7 Replies

path (Level 1)

User rights:

Read+Execute on inetpub/wwwroot/Avxml

IIS on win2k

The IIS folders /jakarta and /AvXML must have the Execute permissions set to "Scripts and Executables" on top of the drive folder permissions

IIS on win2k3

The "permissions" (right+click menu) options should also enforce read + execute on both /jakarta and /Avxml on top of what was specified for win2k and the drive folder permissions.

This should get CPCA up and running. For more details on the IIS settings, have a look at the Cisco PCA troubleshooting guide.

Unity 4.0(3)

http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_troubleshooting_guide_chapter09186a00801ba5c0.html

Check the IIS configuration section.

PatH
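The NTFS side of the reply above (Read & Execute for the IIS anonymous account on the AvXML folder, nothing more), as an added example that is not part of this thread or of any Cisco documentation. It assumes the folder is C:\inetpub\wwwroot\AvXml, that the account name is IUSR_ followed by the local computer name, and that a PowerShell host is available; on the Windows 2000 box discussed here PowerShell does not exist and the same ACL would be set with cacls.exe. The IIS "Scripts and Executables" setting is a metabase property and is not covered by this script.

```powershell
# Added example (not from the thread): grant IUSR_<SERVER_NAME> exactly
# Read & Execute on the Cisco PCA AvXML folder, then audit the result.
# Assumptions: folder path, account derived from the local computer name,
# and a PowerShell host.
param(
    [string]$Folder  = 'C:\inetpub\wwwroot\AvXml',
    [string]$Account = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
)

$RX = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Set-IusrReadExecute {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Drop existing explicit ACEs for the account so the result is only what we grant.
    $old = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
    foreach ($ace in $old) { [void]$acl.RemoveAccessRule($ace) }
    # ReadAndExecute is what the Security tab shows as three checked boxes:
    # Read & Execute, List Folder Contents, Read. Inherit to subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $RX, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-IusrExcessRights {
    # Report any Allow ACE (explicit or inherited) giving the account more than Read & Execute,
    # e.g. a leftover Full Control from a "make it work" session.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $excess = [int]$_.FileSystemRights -band -bnot [int]$RX
            if ($excess -ne 0) {
                [pscustomobject]@{ Path = $Path; Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
            }
        }
}

function Get-DenyAcesUpTree {
    # Walk from the folder to the drive root. A Deny for the account or for Everyone on any
    # parent folder blocks traversal no matter what is allowed on AvXml itself.
    param([string]$Path, [string]$Identity)
    $dir = Get-Item -Path $Path
    while ($dir) {
        (Get-Acl -Path $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and
                           ($_.IdentityReference.Value -eq $Identity -or $_.IdentityReference.Value -eq 'Everyone') } |
            ForEach-Object {
                [pscustomobject]@{ Path = $dir.FullName; Identity = $_.IdentityReference.Value; Denied = $_.FileSystemRights }
            }
        $dir = $dir.Parent
    }
}

Set-IusrReadExecute -Path $Folder -Identity $Account
Get-IusrExcessRights -Path $Folder -Identity $Account
Get-DenyAcesUpTree   -Path $Folder -Identity $Account
```

Run it once after hardening: an empty result from the last two calls means the anonymous account holds nothing beyond Read & Execute on AvXml and no parent folder denies it traversal, which is the least-privilege state the original question asks for. Only the IIS metabase settings (Execute permissions on /AvXml and /jakarta, and the anonymous account password) remain to be checked by hand.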

We have followed your instructions and removed IUSR from the system partition.

Granted the IUSR Read+Execute on the ../Avxml folder.

We then checked IIS: "Scripts and Executables" has already been granted for the IIS folders Avxml & Jakarta.

Testing CiscoPCA, it still prompts "Unable to contact server".

Ah, "Unable to contact server" is covered in the Troubleshooting guide, but here is a quick review.

Find what the actual error is by opening the \commserver\cscoserv\tomcat\logs\ciscopca_event_log.txt file (assuming unity 4.0(3) since you did not mention it).

Look for reported IOException and check for the message explaining the reason.

Usually this is going to be an HTTP status number and reason. Without that I can't go a lot further. Have a look at the Unity 4.0(3) and, if you can, the Unity 4.0(4) troubleshooting guide; the 4.0(4) one has more (updated) details for that condition.

PatH

Here is the updated Unity 4.0(4) troubleshooting guide.

For Unity with Microsoft Exchange:

http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_troubleshooting_guide_book09186a0080228449.html

The CPCA error message section is this link:

http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_troubleshooting_guide_chapter09186a008022b4dc.html#wp1066872

just search for the text "Unable to contact server". Hopefully you will hit a case described there.

PatH

Hi, our customer had already tried the troubleshooting guide. This is not a typical installation, since the end user did some Windows hardening on their own before the Unity installation. After some troubleshooting, we have now identified that the IUSR_ must be allocated full access rights in order for it to work. Do you know what exactly IUSR does? Is it possible to reduce the privilege on this user for PCA to work correctly?

All the required information was already noted in earlier posts.

Until what they did to "harden" the server is known, I can't speculate on anything more (<-hint).

For how IIS uses the IUSR account, do a search on http://technet.microsoft.com . In short, it is used as the anonymous "on behalf" account when doing security checks in IIS for anonymous (un-authenticated) web accesses, which is exactly what CPCA does when sending a request to AvXML. This is where you get the "Unable to contact server" error from (that anonymous request to AvXml fails).

They should follow the instructions and LOOK AT (hopefully they could TELL YOU too) what the IOException message is. They will find that in the \CommServer\cscoserv\tomcat\logs\ciscopca_event_log.txt file. If they really read the troubleshooting guide they'd know.

Expect an HTTP status code in a message (401, 403, 405, ...). Have them act accordingly (check the \winnt\help\iishelp\common\*.html matching the status number to know what the hell is going on).

As a side note, setting Read+Execute should leave you with 3 check boxes checked, those are:

- Read & Execute

- List Folder Contents

- Read

They can't limit those rights to authenticated users because the JVM is not an authenticated user. And yes, this is just one big guess, since that's the only thing I have to go on. Could be due to permissions (deny) on parent folder(s) in the tree, or the wind change in their lab for all I know. Or a global restriction on the use of NTLM on the website/IIS server (CPCA does not do NTLM auth when sending requests to AvXML).

etc. etc.

Not to repeat myself (again), more data is needed.

PatH

PS: if this can't be resolved with their security "expert" get TAC/CPR involved.
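The log triage the reply above asks for (find the IOException in ciscopca_event_log.txt, read the HTTP status, look up the matching IIS help page), as an added example that is not part of this thread. The real format of the CPCA event log is not shown anywhere in the thread; the sample lines below are constructed, modelled on the message java.net.HttpURLConnection raises on a non-2xx response, and the regex only assumes that the status code follows "HTTP response code:". The hints are the standard meanings of the codes plus the checks raised in this thread, not an official Cisco mapping. It assumes a PowerShell host (not available on Windows 2000 itself).

```powershell
# Added example (not from the thread): pull IOException entries out of the
# Cisco PCA event log, extract the HTTP status, and point at the IIS help file
# for that status. Assumptions: log path as given in the thread, the
# constructed line format below, IIS help under %windir%\help\iishelp\common.
param(
    [string]$LogPath = 'C:\CommServer\cscoserv\tomcat\logs\ciscopca_event_log.txt',
    [string]$IisHelp = "$env:windir\help\iishelp\common"
)

# Standard HTTP meanings; the suggested checks are the ones raised in this thread.
$Hints = @{
    401 = 'Unauthorized: the anonymous request to AvXml was refused. Check the anonymous user and its password in the IIS site properties.'
    403 = 'Forbidden: check NTFS Read & Execute for IUSR_<SERVER_NAME> on /AvXml and /jakarta, IIS Execute = "Scripts and Executables", and Deny ACEs on parent folders.'
    405 = 'Method Not Allowed: the HTTP verb CPCA sends is blocked on the virtual directory.'
}

function Get-CpcaIoExceptions {
    param([string[]]$Lines, [string]$HelpDir)
    foreach ($line in $Lines) {
        if ($line -notmatch 'IOException') { continue }
        $status = $null
        if ($line -match 'HTTP response code:\s*(\d{3})') { $status = [int]$Matches[1] }
        $hint = 'See the IIS help page for this status.'
        if ($status -and $Hints.ContainsKey($status)) { $hint = $Hints[$status] }
        $help = @()
        if ($status -and (Test-Path -LiteralPath $HelpDir)) {
            # IIS ships one page per status (plus sub-status variants), e.g. 401-1.htm.
            $help = @(Get-ChildItem -Path $HelpDir -Filter "$status*.htm*" | Select-Object -ExpandProperty FullName)
        }
        [pscustomobject]@{ Status = $status; Hint = $hint; HelpPages = $help; Line = $line }
    }
}

# Constructed sample lines, used when the real log is absent so the script runs offline.
$Sample = @(
    '2004-03-02 10:15:01 INFO  CiscoPCA started',
    '2004-03-02 10:15:07 ERROR java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost/AvXml/',
    '2004-03-02 10:16:22 ERROR java.io.IOException: Server returned HTTP response code: 401 for URL: http://localhost/AvXml/'
)

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $Sample }
Get-CpcaIoExceptions -Lines $lines -HelpDir $IisHelp | Format-List Status, Hint, HelpPages, Line
```

With the sample input this reports one 403 and one 401 entry, which is the piece of data the thread keeps asking the customer for: the status code decides whether the next thing to look at is NTFS/IIS execute permissions or the anonymous account configuration.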

Trying to reproduce,

Hi,

I did a few more checks on this end to try and reproduce the observed symptoms on a test system.

General

========

First check was done with just the "Everyone" group/account being used in the folder permissions for the \inetpub folder tree (no other account listed in folder->properties->security).

I found that the "Everyone" group/account access should be left untouched for the whole \inetpub folder (usually on C:\); that's "full control" allowed.

If it is not, no website comes up.

But that's not the symptom reported

The "Everyone" group/account can be denied "write" access on the \inetpub\wwwroot folder without issues.

I then added the IUSR_ account into the mix and tried various combinations:

1- Added IUSR_UNITY (that's the name on my test system) to the \inetpub\wwwroot folder

NOTE: all folders have the "allow inheritable..." check box checked in the security pane.

2- Verified the access was only Read&Execute (3 checked boxes)

3- Disabled Everyone access to wwwroot (Deny Full control)

--- Cisco PCA does come up nicely, which means that setting can be used. It is just inconvenient.

So I am left with IIS configuration issues.

Make sure IIS has the proper password set up for the anonymous account.

And that the top-level WWW Service setup does not enforce "Enable the Windows directory service mapper"; it could have some impact, not sure how.

A must-have piece of information is what was used to "harden" the IIS configuration and the system in general on top of what ships with Unity.

Another must-have is the error reported (cpca log files) when ciscopca tries to access the AvXML interfaces.

The reported fact that the IUSR_<*> account needs full control for cpca to work is really odd. I have not found the right combinations of security settings to reproduce that.

PatH
