
On CUPC > Help > Show Server Health, sometimes you would see failed items with the message “invalid credential”, such as “Presence”, “Desk Phone”, or “Voicemail”.

This is very confusing. Since you have already logged into CUPC, why is it giving you “invalid credential”? Which credential is it failing on?

Before we can move further, please take a look at “CUPS and CUPC, father and son? or not“.

The relationship between CUPS and CUPC is not as tight as you might think. CUPC has many features, but CUPS is only relevant to two of them (configuration repository and presence).

When you type your username and password in the CUPC login window, that is mainly for the “Configuration Repository”. If you type the wrong password, CUPC won’t be able to download its configuration from CUPS, and without configuration CUPC cannot perform any other function.

However, successfully downloading the configuration does not guarantee that the other functions will work. To use other functions, a 2nd authentication might be required (either explicitly or implicitly).

Presence – Invalid Credential

For the presence feature, a 2nd authentication is required at the SIP layer. This authentication is implicit. For more details on “Digest Authentication”, please see http://www.ietf.org/rfc/rfc3261.txt.

Why is it implicit? Why does it fail?

Making it implicit was Cisco development’s decision. If they had made it explicit, you’d have to provide a digest credential (2nd password) after login. This would be annoying, since SSO (Single Sign On) is what we prefer.

So Cisco development made CUPS/CUPC work this way:
1) You (system admin) configure the digest credential on the CUCM Admin > User Management > End User page.
2) CUPS synchronizes digest credentials from CUCM to CUPS.
3) CUPS transmits the digest credential to CUPC during logon.
4) CUPC uses that digest credential to authenticate with the SIP proxy.

Steps 3 and 4 look funny because it’s like a door keeper giving you the key and asking you to open the door with it. But keep in mind:
a) The “door keeper” actually verified your identity (username/password) before giving you the key.
b) The key is encrypted during transmission.
c) The key the door keeper gave you might be for a different door (the SIP proxy could be on a different server than the logon server).
d) This is a compromise (or balance) between the convenience of SSO and SIP protocol requirements.

If there’s no digest credential configured on CUCM (i.e. it’s blank), you’ll get “Invalid Credential” for presence. To fix it, take one of the following options:

Option 1: Go to CUCM Admin > User Management > End User, configure a dummy value for “digest credential”. It could be any value. Why? See workflow explained above.

Option 2: Go to CUPS Admin > Cisco Unified Presence > Proxy Server > Incoming ACL (on CUPS 7.x, it’s “System > Security > Incoming ACL”). Configure an address pattern that covers your CUPC machines. For example, an “all” pattern matches all machines.

This option is considered less secure, because any machine in that address pattern (subnet) would be able to connect to the SIP proxy without a digest authentication challenge.

Option 3: Go to System > Service Parameters > Cisco UP SIP Proxy. Set “Authentication Module” to “off”. This is the least secure option, because it turns off SIP authentication entirely.
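The workflow in steps 1 to 4 and the reason Option 1 accepts any value, as an added example (not Cisco code and not from the original post): the proxy and the client both receive the same synchronized digest credential, so only agreement matters. The class and function names, the realm, the users and the REGISTER request are constructed for illustration; treating a blank credential as an automatic failure is an assumption modeled on the symptom described above, and the digest is computed in the RFC 2617 form without qop.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, secret, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class SipProxy:
    """Toy SIP proxy holding digest credentials synchronized from CUCM (step 2)."""
    def __init__(self, realm, synced_credentials):
        self.realm = realm
        self.creds = synced_credentials      # user -> digest credential ("" = blank)
        self.nonce = secrets.token_hex(16)   # fresh challenge nonce

    def challenge(self):
        return {"realm": self.realm, "nonce": self.nonce}

    def verify(self, user, method, uri, response):
        secret = self.creds.get(user, "")
        if not secret:
            # Assumption: a blank credential can never satisfy the challenge.
            return "invalid credential"
        expected = digest_response(user, self.realm, secret, method, uri, self.nonce)
        ok = hmac.compare_digest(expected, response)  # constant-time comparison
        return "200 OK" if ok else "invalid credential"

def client_register(proxy, user, handed_credential):
    """Client answers the challenge with the credential handed over at logon (steps 3-4)."""
    ch = proxy.challenge()
    uri = f"sip:{ch['realm']}"
    resp = digest_response(user, ch["realm"], handed_credential,
                           "REGISTER", uri, ch["nonce"])
    return proxy.verify(user, "REGISTER", uri, resp)

def demo():
    # Constructed directory: alice has a dummy value (Option 1), bob is blank.
    directory = {"alice": "any-dummy-value", "bob": ""}
    proxy = SipProxy("cups.example.com", directory)
    return {
        "alice": client_register(proxy, "alice", directory["alice"]),
        "bob": client_register(proxy, "bob", directory["bob"]),
        "alice_stale": client_register(proxy, "alice", "stale-value"),
    }

if __name__ == "__main__":
    print(demo())
```

The user never types the digest credential, which is why a dummy value works; the password itself is never sent, only the MD5 response bound to the proxy's nonce.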

Desk Phone – Invalid Credential

This usually happens when CUCM is configured to use “LDAP Authentication”.

To control the desk phone from CUPC, the CTI protocol is used. Before a CTI client (CUPC) can control the phone, it needs to authenticate with the CTI server (CTIManager). This authentication is implicit. CUPC uses the same logon username/password to authenticate with CTIManager. CTIManager, in turn, authenticates that against LDAP.

Question: Why would the authentication fail?
Answer: In short, this is a bug on CUCM.

Question: Is there any workaround before we can upgrade CUCM?
Answer: On CUCM, change the LDAP authentication port to 3268 and restart CTIManager.

Question: Why would that fix the problem?
Answer: When an LDAP referral happens, CTIManager fails on authentication. Using port 3268 (Global Catalog) eliminates LDAP referrals.

Question: Why does it only affect CUPC?
Answer: CUPC is the only application (so far) that uses the end user credential to authenticate with CTIManager.

Voicemail – Invalid username/password or account locked

Depending on what Unity edition you’re running (Unity or Unity Connection), the cause could be different.

Before moving on, please take a look at “How to test IMAP connection“.

On Exchange 2007, it’s because IMAP login was disabled on TCP (port 143) by default.

On Unity Connection, make sure you reset “Web Application Password” instead of VoiceMail password.

 (R) 2012