Tuesday, June 03, 2014

Cisco Unity Connection Single Inbox 401 Authentication Errors - User Name Limitation

This is another variation of things that cause 401 Authentication Errors when setting up Unity Connection Single Inbox.  Another example is here: http://webmaxtor.blogspot.com/2013/11/cisco-unity-connection-single-inbox-401.html

After setting up a new Unity Connection 9 cluster to integrate with Exchange 2010, I ran into an issue with the authentication failures when running the test on individual Unified Messaging Accounts.  Running the test against the Unified Messaging Service passed, but this typically only verifies basic network access, domain name resolution and access to the Exchange EWS interface.  The Single Inbox feature will fail if the users' Unified Messaging Accounts can't authenticate to Exchange.

The "Unified Messaging Guide for Cisco Unity Connection Release 9.x" integration guide is quite good and covers about all the scenarios I've ever run into. Follow the guide, and all of the guide, and you should be in good shape.

Following that , I had an issue where testing the Unified Messaging Accounts failed with a "Failed accessing xxx@ayz.com Diagnostic=[] Verb =[] url=[] request=[] response[]" message.  It is a 401 error, pointing to basic authentication against Exchange issues.

Basic troubleshooting steps, found in just about every Unity Connection guide are:

Check the authentication method on both sides. Check settings in Internet Information Services (IIS) for both AutoDiscover and EWS.
- This was confirmed to be NTLM and HTTPS, under both EWS and Autodiscovery

Try different UM messaging account name formats (i.e. NAME, DOMAIN\NAME, NAME@DOMAIN).
- Tried every combination of names
Reset the UM messaging account password, and enter the password again on Unity Connection.
- Verified name and password via OWA
The UM account should not have a mailbox.
- Verified no Exchange mailbox with admin.
- Another nice method to confirm this again using OWA to check the username and password above.  You should be returned an error indicating there is no mailbox for the user.

This technique provided the clue I overlooked a dozen times.  There was indeed no mailbox for the user ConnectionUMServices.

Ultimately the issue was that when the UM user account name was created, to keep it obvious and consistent over time, we used a reference straight out the Cisco Unified Messaging Guide. The username for the account we created was ConnectionUMServicesAcct, an example name from the integration guide. The problem here is that when Unity Connection attempts to authenticate against Exchange to synchronize mailboxes, it uses the pre-Windows 2000 logon name format. That format has a 20 character limitation, so the appropritate name entry in Unity Connection is then ConnectionUMServices, not ConnectionUMServicesAcct.

Change the UM Messaging account name in Unity Connection to the pre-Windows 2000 (shorter) name and bingo, you are good.

No comments:

Post a Comment