Monday, January 26, 2009

Mysterious "Invalid Credentials" on CUPC

On CUPC > Help > Show Server Health, sometimes you would see failed items with the message "invalid credential", such as "Presence", "Desk Phone", or "Voicemail".

This is very confusing. Since you already logged into CUPC, why is it giving you "invalid credential"? What kind of credential was it failing on?

Before we can move further, please take a look at "CUPS and CUPC, father and son? or not".

CUPS and CUPC's relationship is not as tight as you might think. CUPC has many features, but CUPS is only involved in two of them (configuration repository and presence).

When you type the username and password into the CUPC login window, that is mainly for the "Configuration Repository". If you typed the wrong password, CUPC won't be able to download its configuration from CUPS, and without the configuration CUPC cannot perform any other function.

However, successfully downloading the configuration does not guarantee the other functionalities. To use the other functions, a second authentication might be required (either explicitly or implicitly).

Presence - Invalid Credential

For the presence feature, a second authentication is required at the SIP layer. This authentication is implicit. For more details on "Digest Authentication", please see http://www.ietf.org/rfc/rfc3261.txt.

Why is it implicit? Why does it fail?

Making it implicit was Cisco development's decision. If they had made it explicit, you would have to provide the digest credential (a second password) after login. That would be annoying, since SSO (Single Sign On) is what we prefer.

So Cisco development made CUPS/CUPC work this way:
1) You (the system admin) configure the digest credential on the CUCM Admin > User Management > End User page.
2) CUPS synchronizes the digest credentials from CUCM to CUPS.
3) CUPS transmits the digest credential to CUPC during logon.
4) CUPC uses that digest credential to authenticate with the SIP proxy.

Steps 3 and 4 look funny, because it's like a door keeper giving you the key and asking you to open the door with it. But keep in mind:
a) The "door keeper" actually verified your identity (username/password) before giving you the key.
b) The key was encrypted during transmission.
c) The key the door keeper gave you might be for a different door (the SIP proxy could be on a different server than the logon server).
d) This is a compromise (or balance) between the convenience of SSO and the SIP protocol's requirements.

If there's no digest credential configured on CUCM (i.e. it's blank), you'll get "Invalid Credential" for presence. To fix it, take one of the following options:

Option 1: Go to CUCM Admin > User Management > End User, configure a dummy value for "digest credential". It could be any value. Why? See workflow explained above.

Option 2: Go to CUPS Admin > Cisco Unified Presence > Proxy Server > Incoming ACL (on CUPS 7.x, it's "System > Security > Incoming ACL"). Configure an address pattern that covers your CUPC machines. For example, an "all" pattern matches all machines.

This option is considered less secure, because any machine in that address pattern (subnet) would be able to connect to SIP proxy without digest authentication challenge.

Option 3: Go to System > Service Parameters > Cisco UP SIP Proxy. Set "Authentication Module" to "off". This is the least secure option, since it turns off SIP authentication entirely.
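To make steps 1 to 4 and the three options concrete, here is an added Python model of the SIP Digest exchange. It is not Cisco's code and not part of the original post: the challenge, realm, nonce, username and IP addresses are constructed sample values, and proxy_verify is a simplified model of the behaviour described above (a user whose synced credential is blank is rejected, a source matching an Incoming ACL pattern is never challenged, and with the Authentication Module off nothing is checked). Only digest_response is the real RFC 2617 computation that SIP uses, so it can be checked against the RFC's published example.

```python
import hashlib
import ipaddress
import re

# Constructed sample challenge (realm and nonce are illustrative, not from a real CUPS server).
SAMPLE_CHALLENGE = ('Digest realm="cups.example.com", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5, qop="auth"')


def parse_digest_challenge(header):
    """Split a Digest challenge (WWW-Authenticate / Proxy-Authenticate) into its parameters."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest challenge")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest as used by SIP (RFC 3261 section 22): MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def client_authorization(username, digest_credential, method, uri, challenge_header,
                         nc="00000001", cnonce="0a4f113b"):
    """Step 4: the client answers the proxy's challenge with the credential CUPS handed it."""
    ch = parse_digest_challenge(challenge_header)
    return {
        "username": username, "realm": ch["realm"], "nonce": ch["nonce"], "uri": uri,
        "qop": ch.get("qop"), "nc": nc, "cnonce": cnonce,
        "response": digest_response(username, ch["realm"], digest_credential, method, uri,
                                    ch["nonce"], ch.get("qop"), nc, cnonce),
    }


def proxy_verify(auth, method, stored_credentials, source_ip, incoming_acl=(),
                 authentication_module_on=True):
    """Simplified model (an assumption, not Cisco's logic) of the proxy's decision.
    Returns (accepted, reason).
    - Authentication Module off (Option 3): accepted, nothing is checked at all.
    - Source matches an Incoming ACL pattern (Option 2): accepted without a digest challenge.
    - Otherwise the response must match the credential synced from CUCM; a blank
      credential cannot be verified and is rejected (the "Invalid Credential" case)."""
    if not authentication_module_on:
        return True, "SIP authentication disabled; request not verified"
    src = ipaddress.ip_address(source_ip)
    for pattern in incoming_acl:
        if pattern == "all" or src in ipaddress.ip_network(pattern):
            return True, f"source {source_ip} matched ACL pattern '{pattern}'; no challenge"
    stored = stored_credentials.get(auth["username"], "")
    if stored == "":
        return False, "no digest credential configured for user"
    expected = digest_response(auth["username"], auth["realm"], stored, method, auth["uri"],
                               auth["nonce"], auth["qop"], auth["nc"], auth["cnonce"])
    if expected == auth["response"]:
        return True, "digest response matched"
    return False, "digest response mismatch"


def walkthrough():
    """The outcomes from the post, with constructed data. Returns {case: (accepted, reason)}."""
    uri = "sip:cups.example.com"
    results = {}
    # Steps 1-2: credential set on CUCM and synced to CUPS; steps 3-4: handed to the client.
    cucm = {"jdoe": "dummy-digest"}
    auth = client_authorization("jdoe", cucm["jdoe"], "REGISTER", uri, SAMPLE_CHALLENGE)
    results["configured"] = proxy_verify(auth, "REGISTER", cucm, "10.1.2.3")
    # Blank digest credential on CUCM: the failure the post describes.
    blank = {"jdoe": ""}
    auth_blank = client_authorization("jdoe", "", "REGISTER", uri, SAMPLE_CHALLENGE)
    results["blank"] = proxy_verify(auth_blank, "REGISTER", blank, "10.1.2.3")
    # Option 2: an ACL pattern covering the client's subnet skips the challenge entirely.
    results["acl"] = proxy_verify(auth_blank, "REGISTER", blank, "10.1.2.3",
                                  incoming_acl=["10.1.0.0/16"])
    # Option 3: Authentication Module off; even an unverifiable credential gets through.
    results["module_off"] = proxy_verify(auth_blank, "REGISTER", blank, "10.1.2.3",
                                         authentication_module_on=False)
    return results


if __name__ == "__main__":
    for case, (accepted, reason) in walkthrough().items():
        print(f"{case:12s} accepted={accepted}  ({reason})")
```

The "acl" and "module_off" cases are why Options 2 and 3 are weaker than Option 1: in both, the proxy returns accepted without ever comparing a response to a stored credential, so any host in the pattern (or, with the module off, any host at all) is trusted on its address alone.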

Desk Phone - Invalid Credential

This usually happens when CUCM is configured to use "LDAP Authentication".

To control the desk phone from CUPC, the CTI protocol is used. Before a CTI client (CUPC) can control the phone, it needs to authenticate with the CTI server (CTIManager). This authentication is implicit: CUPC uses the same logon username/password to authenticate with CTIManager, and CTIManager in turn authenticates that against LDAP.

Question: Why would the authentication fail?
Answer: In short, this is a bug in CUCM.

Question: Any workaround for that before we can upgrade CUCM?
Answer: On CUCM, change LDAP authentication port to 3268 and restart CTIManager.

Question: Why does it fix the problem?
Answer: When an LDAP referral happens, CTIManager fails the authentication. Using port 3268 (Global Catalog) eliminates LDAP referrals.

Question: Why does it only affect CUPC?
Answer: CUPC is the only application (so far) that uses end user credential to authenticate with CTIManager.

Voicemail - Invalid username/password or account locked

Depending on what Unity edition you're running (Unity or Unity Connection), the cause could be different.

Before moving on, please take a look at "How to test IMAP connection".

On Exchange 2007, this is because IMAP login over plain TCP (port 143) is disabled by default.

On Unity Connection, make sure you reset the "Web Application Password", not the voicemail password.

16 comments:

  1. Excellent posting. I had a previously working Presence install, and we just integrated with LDAP, and my desk phone control stopped working. Changing the ldap authentication port to 3268 on cucm worked like a champ. Thanks for the info posted here.

  2. Just used the aforementioned fix to resolve a longstanding Desk Phone issue with the CUP Client - thanks Michael!

  3. I made some changes to our End User accounts and afterwards the CTI control of our Desk Phones stopped working. We do not use LDAP Sync or Authentication. I've tried resetting passwords, pins, but I haven't had any luck. Could you describe how CUPC would authenticate against the CTI Manager whenever you're not using LDAP?

  4. Desk Phone control could fail for different reasons.

    CUPC logs would be good starting point. CTIManager logs would be helpful as well.

  5. I need to develop my log interpreting skills. It ended up being an issue with our Default Credential Policy. We updated it so that it DID NOT force the user to change at next login and afterwards reset the passwords. Thank you...TAC and your book have been life savers.

  6. Is this procedure the same if you have deployed a Business Edition with Unity Connection integrated on the same box? I have followed your steps but for the voicemail integration I receive Failed to Connect - Invalid credentials or account locked.... and I'm using the Web password for the users. Any idea about what's happening?

  7. Check credential policy. Make sure "user must change password on next logon" was NOT checked.

  8. Is there any way to integrate CUPS with Exchange 2007 UM for Voicemail, e.g. without using a Cisco Unity server have CUPS reach out and retrieve messages for CUPC from Exchange 2007 UM? We currently use Exchange as our voicemail system and would love to allow our CUPC users to be able to retrieve their voicemails directly from the CUPC client.

  9. So far, CUPC only supports Unity and Unity Connection (for obvious reason).

    For the same reason, MOC supports Exchange UM. :)

  10. Has anyone successfully installed a working CUPC/CUPS build using VMware? I have installed both CUCM and CUPS on VM and everything is working according to the CUPS system dashboard. I have tried everything on this post but still cannot log in and get the error "Login Failed. Make sure your username and password are correct."

  11. Try to log into http://ip-of-cucm/ccmuser and http://ip-of-cups/ccmuser. You'll see where the problem was. Also try to restart Cisco Tomcat on CUPS.

  12. Hi Michael,
    I have CUPS 8.5.1, and the CUPC client is working fine, but when I try CUPC 8.5 it registers but voice mail shows an error in Show Status in CUPC,
    with the error "Host/Network reports server unavailable." The parameters for Unity and Mailbox store are all correct.
    My XCP connection manager service and Authentication service are up and running.
    Could you please advise.

  13. Make sure the "mailbox store" was configured to point to the actual mailstore - for Unity, it's the Exchange server.

  14. Is there a bug ID for the Desk Phone - Invalid Credential problem? I'm using an ADAM instance using SSL so I don't have a GC port to change to. Everything works fine if I disable LDAP auth on CUCM; same goes for Unity Connection, if I leave LDAP auth on it rejects user credentials.
    Any feedback for this would be appreciated.

    Thanks

    1. I have the same problem here. Using ADAM, so no GC port present.
      If you found the solution please let me know.

  15. Thanks for such an informative post. The whole blog is A+ grade.
