[cisco-voip] CM 6.13 AD Sync'd - Failed logins

Wes Sisk wsisk at cisco.com
Mon Jun 15 16:02:54 EDT 2009


IPCC is going to authenticate via CTI.  You will want to check the IMS 
(identity management session) trace lines inside of the CTI SDI traces 
(checkbox in RTMT).

CCMUser authentication goes through Tomcat.  Tomcat has its own hooks to 
IMS.  Tomcat logs for IMS:
admin:file list activelog tomcat/logs/security/log4j/*
security.bin                            security00001.log
security00002.log                       security00003.log
security00004.log                       security00005.log
security00006.log                       security00007.log
security00008.log                       security00009.log
security00010.log                      
dir count = 0, file count = 11

IMS is primarily the Informix database.  It tracks authentication and 
attempts.  For LDAP sync, IMS stores the MD5 hash of the password from AD 
in the Informix database.


All that said, we are seeing many authentication failures when Informix 
gets too busy.  Informix may eventually return, but not before timeouts.  
Unfortunately there is no way to identify what is causing Informix to be 
too busy.  This need is captured by
Need an Informix profiler built into CLI, Open CSCsz67357

which is also in the hot issues list.

When people are encountering this issue, the IMS cache usually offers 
some reprieve.  You can enable IMS cache with the enterprise parameter 
"Enable Caching".  With this, the user must authenticate successfully 
once and then the successful attributes will be cached.  In real-world 
terms, that means you must experience a timeout at least once even after 
enabling the cache.  But so long as that auth request was successful, 
then subsequent logins will be expedient.

HTH

/Wes


On Monday, June 15, 2009 3:06:15 PM, Carter, Bill <bcarter at sentinel.com> 
wrote:
>
> I have a CM 6.13 cluster synched to AD. We are also using AD for 
> Authentication. There is an IPCC Express Call Center connected to the 
> cluster.
>
> We are getting reports that occasionally Call Center users cannot 
> log in to CAD. When this happens, they immediately try to log in to the 
> CCMuser web page and this also fails. After a few minutes they are 
> able to log in.
>
> This seems to happen in a cluster, where 2-4 users have the same 
> problem at the same time.
>
> On CM, what trace files can I use to look at LDAP authentication? I 
> have debug traces on DirSync but I don't know if this will also show 
> authentication problems.
>
> CM is configured with 2 servers for LDAP authentication.