[cisco-voip] Voicemail failing over MRA when using SSO
Brian Meade
bmeade90 at vt.edu
Mon Jan 18 17:32:43 EST 2016
Yea, it's saying to use the original admin account rather than a separate
account just for the MRA setup.
So what's the format you have of the Unity Connection server defined under
the Unified Communications configuration? Does it match the CN or one of
those SANs?
On Mon, Jan 18, 2016 at 5:21 PM, Hank Keleher (AM) <
hank.keleher at dimensiondata.com> wrote:
> Is this talking about when configuring the Unity Connection servers on the
> Expressway-C under Unified Communications? I changed that and it made no
> difference. However, I did get the following in the logs on the
> Expressway-C (names and IPs changed to protect the innocent):
>
> edgeconfigprovisioning: Level="ERROR" Detail="Certificate verify failure"
> Server="X.X.X.X"
> Reason="Neither common name nor subject alternate name match"
> CN="hostname.corp.domain.com"
> SAN="set(['www.hostname.corp.domain.com','corp.domain.com','hostname.corp.hostname.com'])"
> UTCTime="2016-01-18 22:05:35,993"
>
>
> I’ve checked and double checked that the certificate is correct on the
> Unity Connection server and we don’t have any issues anywhere but here. I’m
> not completely confident that the certs are good but this is the first time
> we’ve seen an issue (if it’s even related) but I don’t know a great deal
> about certs, et al. These were issued using Entrust (for both internal and
> external certs) and all root and intermediate CA certs have been uploaded
> of course.
>
> Thanks!
> Hank
>
>
> From: <bmeade90 at gmail.com> on behalf of Brian Meade <bmeade90 at vt.edu>
> Date: Monday, January 18, 2016 at 17:01
> To: "Hank.Keleher" <hank.keleher at us.didata.com>
> Cc: "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] Voicemail failing over MRA when using SSO
>
>
>
> Sounds like this bug- https://tools.cisco.com/bugsearch/bug/CSCux52984
>
> On Mon, Jan 18, 2016 at 4:51 PM, Hank Keleher (AM) <
> hank.keleher at dimensiondata.com> wrote:
>
>> I’ve searched far and wide for an answer to this and so far only found
>> one Cisco supportforums post with no answer, hopefully someone here has
>> experienced this and can provide some direction.
>>
>> I currently have 10.5.2 CUCM, CUC and IM&P configured with 8.7 Expressway
>> with MRA and 11.1.2 Windows Jabber. All are configured with SSO against
>> ADFS and this works across the board, except the voicemail account when
>> logging in externally through the Expressway with an SSO enabled account.
>> Under Connection Status it shows the voicemail is not connected. Everything
>> else is fine, phone services as well as IM and presence.
>>
>> However, the client works fine on the internal network as well if I use a
>> CUCM/CUC local account on an external Jabber client I’m able to provide my
>> CUC credentials and voicemail works, this at least confirms to me that the
>> Expressway is configured to allow Unity Connection to work externally
>> (though why didn’t it use the same login for phone service and IM like it
>> does internally, I’m not sure?) We’re using FQDN with all devices and
>> services and everything is working with the exception of the Unity
>> Connection on external Jabber clients (I’m seeing the issue on Windows, Mac
>> and iPhone external clients.)
>>
>> On the Expressway-C under SSO statistics I see that all Unity Connection
>> Server Proxy Authorizations failed and there are 0 OAuth tokens (whereas
>> there are many for Unified CM.) Nothing is really standing out in the logs
>> as far as I can see either. I have the Unity Connection server configured
>> under Unified Communications on the Expressway-C with TLS verify on and
>> it’s connected and in the Auto-configured allow list with FQDN and IP
>> address. Just to make sure I even added the server to the HTTP server allow
>> list manually even though that shouldn’t be necessary on this version.
>>
>> Any thoughts or ideas?
>>
>> Thanks!
>> Hank
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
>
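The check asked about in this thread (does the name the Unity Connection server is defined under match the certificate's CN or one of its SANs?) can be run directly against the logged error. The following is an added example, not part of the original messages and not Cisco code: the function names are hypothetical, the sample line is constructed from the anonymized log quoted above, and the matching rule (case-insensitive, wildcard only as the whole left-most label) is an assumed RFC 6125-style approximation, not the Expressway's documented logic.

```python
import re

# Constructed sample, modelled on the anonymized log line quoted in the thread.
SAMPLE = ('edgeconfigprovisioning: Level="ERROR" Detail="Certificate verify failure" '
          'Server="X.X.X.X" Reason="Neither common name nor subject alternate name match" '
          'CN="hostname.corp.domain.com" '
          "SAN=\"set(['www.hostname.corp.domain.com','corp.domain.com',"
          "'hostname.corp.hostname.com'])\" UTCTime=\"2016-01-18 22:05:35,993\"")


def parse_verify_failure(line):
    """Return (server, cn, [sans]) from a 'Certificate verify failure' line, else None."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if fields.get("Detail") != "Certificate verify failure":
        return None
    # The SAN field is logged as a Python set literal; pull out the quoted names.
    sans = re.findall(r"'([^']+)'", fields.get("SAN", ""))
    return fields.get("Server"), fields.get("CN"), sans


def name_matches(configured, presented):
    """Assumed rule: case-insensitive, '*' only as the entire left-most label."""
    c = configured.lower().rstrip(".").split(".")
    p = presented.lower().rstrip(".").split(".")
    if len(c) != len(p):
        return False  # short hostnames and IP literals fall out here
    if p[0] == "*" and len(p) > 2:
        return c[1:] == p[1:]
    return c == p


def explain(configured, line):
    """Report which certificate names, if any, the configured server name matches."""
    parsed = parse_verify_failure(line)
    if parsed is None:
        return None
    server, cn, sans = parsed
    hits = [n for n in [cn] + sans if name_matches(configured, n)]
    return {"configured": configured, "server": server, "matches": hits}


if __name__ == "__main__":
    # Try each form the server might be defined under: IP, short name, FQDN.
    for candidate in ("X.X.X.X", "hostname", "hostname.corp.domain.com"):
        print(explain(candidate, SAMPLE))
```

An empty `matches` list for the form actually configured reproduces the "Neither common name nor subject alternate name match" condition with TLS verify on.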