[cisco-voip] Changing Windows Local Administrator Account Affects MLA?

Ryan Ratliff rratliff at cisco.com
Thu Jun 22 09:51:24 EDT 2006 

Make sure MLA debugs are enabled, gather them and open a TAC SR.

-Ryan

On Jun 21, 2006, at 5:26 PM, Keith Klevenski wrote:

Thanks for the info Ryan.

Well, I went ahead and disabled MLA on the pub in SQL and I could log
into ccmadmin with the local password no problem.  While I was at that
point I went ahead and changed the local admin password again and
restarted IIS.  I could still log in to ccmadmin just fine.  But when I
reendabled MLA (through SQL) I still could not log in with any MLA
accounts, even ccmadministrator.  Same authentication error.  There
shouldn't be any difference enabling MLA in SQL than from the GUI (I
don't think) so I just reenabled it from SQL since I had EM open.  I
went ahead and reenabled MLA from the GUI, reset the ccmadministrator
password, restarted IIS on both servers in the cluster and still I
cannot log in with ccmadministrator or any MLA account.

So all I did (apparently) to cause MLA logins to fail authentication was
to change the local administrator password and restart the WWW service
on the publisher (but the failure was only on the publisher until I
changed the local admin account on the sub and now it is failing there
too).

How could changing the local admin password cause MLA to fail
authentication?  Now I'm stuck without MLA until I figure out what the
issue is.  I've restarted IIS over and over, enabled/reenabled MLA from
SQL/GUI with no luck.  At least I can get in with MLA disabled, but this
is not desirable for many obvious reasons and I will need to get this
fixed quickly.

Any words of wisdom are welcome.  ;)

Keith

-----Original Message-----
From: Ryan Ratliff [mailto:rratliff at cisco.com]
Sent: Wednesday, June 21, 2006 3:30 PM
To: Keith Klevenski
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Changing Windows Local Administrator Account
Affects MLA?

In CM 4.x the MLA parameters are clusterwide since they are stored in
the database.  In previous versions we actually pointed the CCMAdmin
IIS virtual directory to a new location.  Now it's the behind-the-
scenes authentication that is changed.

As long as you don't restart IIS on the sub no changes to MLA will be
picked up there.

-Ryan

On Jun 21, 2006, at 2:51 PM, Keith Klevenski wrote:

Gotcha, I only restarted WWW.  Since I rebooted the server obviously IIS
was restarted and I did restart it again, but I still cannot get to
ccmadmin with any MLA account from the publisher.  I guess that is my
main question.  Should you disable MLA before changing the local admin
account?  Are there any dependencies between the local admin account and
MLA account?  I haven't seen any specific considerations regarding this.
It worked fine with 3.3.5 (with no MLA) and I only restarted WWW on
those servers.

Any information about the dependencies between the local admin account
and MLA would be welcome if anyone has any info.  I guess at this point
I don't have much choice but to disable MLA from SQL, restart IIS and
see if I can get in with the local admin account.  Then reenable MLA and
hope for the best.  I'm just afraid of locking myself out of ccmadmin as
right now I still have accesses through the sub.  Is there any risk of
locking yourself out of ccmadmin?  Can you disable MLA from the sub?  I
can get to ccmadmin from there and to the MLA parameters.

Thanks!

Keith


-----Original Message-----
From: Ryan Ratliff [mailto:rratliff at cisco.com]
Sent: Wednesday, June 21, 2006 1:37 PM
To: Keith Klevenski
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Changing Windows Local Administrator Account
Affects MLA?

You can disable MLA just by going into the MLAParameters table in the
CCM030X database on the publisher.  The parameter name is similar to
MLAEnabled but should be obvious.  Then simply restart IIS (not just
WWW) and you should be good to go.

If you only restarted WWW and not IISAdmin I'd try bouncing both
before going into SQL to disable MLA.

-Ryan

On Jun 21, 2006, at 2:22 PM, Keith Klevenski wrote:

Hi all,



I have a 4.1.3 cluster that I need to change the local administrator
account to.  No problem on a couple of 3.3.5 clusters that are not
running MLA, but when I changed the local administrator account
password on the 4.1.3 publisher when I went to log in go ccmadmin
with my MLA account access is denied.  Same thing when logging in
with ccmadministrator.  Fortunately I can still get into the
subscriber (2 server cluster), but I'm not sure what the problem is.
I see these errors in the event log when attempting to log in to
ccmadmin with my MLA account:



The server was unable to logon the Windows NT account 'keith' due to
the following error: Logon failure: unknown user name or bad
password.  The data is the error code.

For additional information specific to this message please visit the
Microsoft Online Support site located at: http://www.microsoft.com/
contentredirect.asp.



I'm using the standard procedure for resetting the local
administrator account:



To Change Windows Administrator Password:

=========================================

Please make sure that the Local Administrator password is SAME on all
servers in the

cluster.



To change the password, perform the following steps:



1. Right click My Computer.

2. Select Manage.

3. Go to Local Users and Groups.

4. Go to Users.

5. Right click Administrator.

6. Select Set Password.

7. Type in the password and confirm.



I am also restarting the WWW service after making the change.  I've
rebooted the publisher as well, but I must be missing something.  I
can't find any special instructions on changing local admin account
with MLA running.  Seems like it shouldn't have any affect on MLA.
I've changed the password back to the original and I'm still having
the same problem.  I was thinking about disabling MLA from the
subscriber and seeing if I can log in with local admin account to
ccmadmin, but I don't want to hose myself.



Any ideas?  TIA!!



Keith Klevenski
IP Telephony Engineer

RigNet Inc.
1880 S. Dairy Ashford

Suite 300
Houston, TX 77077

Office:   +1 281.674.0702
Mobile:  +1 713.677.3925

http://www.rig.net



"Extending the power of your knowledge"



_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

More information about the cisco-voip mailing list