
EQUINOX + AADS + LDAP Issue 1

Status
Not open for further replies.

MisterRobot_imported

Technical User
Oct 23, 2015
170
TN
Hello to all,

After setting up Avaya Aura Core R8.0.1 + Equinox Conferencing + AADS, we are trying to use automatic configuration using the URL of AADS.

When connecting the Equinox client for Windows, it successfully logs in to the phone service using Windows credentials, but for Equinox services and AMM it returns invalid username and password.

What suggestion do you propose to resolve this issue? Thank you.

 
There's a field for unified login that uses the same account for everything.

I'd reckon if you want your LDAP login to work, then your SMGR Identity must be your.name@email.com and you'd need to make sure your AMM LDAP config for 'username' matches the email attribute in AD

Are you able to log in to everything individually and manually?
 
Yes, I'm able to log in to everything manually and all services (Phone, Equinox Meeting, AMM) are working fine,

but the customer wants to roll out the Equinox clients automatically with their Windows credentials.

Where can I find the AMM LDAP config for matching the username?
 
Are you using a dedicated AMM OVA? I believe at 8.0.1 that AMM is baked into the Presence snap-in now.
I don't think it should change much as far as login.

If you do everything manually, is it your email/windows pw for AMM that works for you? Or is it like userPrincipalName? Like kyle555@tek-tips.com or TEK-TIPS\kyle555?
In the AMM LDAP setup you define what attributes match in AAM like "login name" to an LDAP attribute.

So, if you're using "unified login" with a single LDAP credential - like email address - you'd have to make sure that each service uses the same LDAP attribute.

Just a thought.
What's your AADS autoconfig file look like? ESMSSO enabled?
 
For the deployment of the AMM service, yes, we are switching to PMM since the AMM OVA doesn't exist anymore.

Manually, I don't need to connect with email or Windows credentials, only with the extension number, for example 2050@domain.com (without any configuration of the LDAP integration), but when moving to unified login (using Windows credentials) the Equinox client can get the phone service but there is a warning about Equinox services and Multimedia Messaging (invalid password or username).

So what I need to know is the best practice for the integration: are there some attributes in the LDAP config for each service (Multimedia Messaging and Equinox Meeting) that should be the same as the SMGR user name?
 
## File Generation Notes
## Avaya Dynamic Configuration Service does not recognize User-Agent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

SET SIP_CONTROLLER_LIST "192.28.9.20:5061;transport=TLS,192.28.9.20:5060;transport=TCP,192.28.9.20:5060;transport=UDP,192.28.9.18:5061;transport=TLS,192.28.9.18:5060;transport=TCP,192.28.9.18:5060;transport=UDP"
SET SIPPROXYSRVR 192.28.9.20
SET SIPPORT 5061
SET SIPSECURE 1
SET SIPENABLED 1
SET SIPDOMAIN domain.com
SET SIPUSERNAME 3030
SET SIPHA1 67de9fdc71ad1bdbce4f49cbe7adb922
SET UNIFIED_PORTAL_SSO 1
SET ESMSSO 1
SET ESG_RESOURCE_URL
SET UNIFIEDPORTALENABLED 1
SET ACSSECURE 1
SET ESMSRVR 192.28.9.30
SET ACSSRVR avayaaads.domain.com
SET ESMPORT 443
SET ACSPORT 443
SET CONFERENCE_PORTAL_URI
SET ESMENABLED 1
SET ESMSECURE 1
SET ACSENABLED 1
SET CONFERENCE_FQDN_SIP_DIAL_LIST avayawebgateway.domain.com
SET ACSSSO 1
SET LOCKED_PREFERENCES "SIP_CONTROLLER_LIST,SIPPROXYSRVR,SIPPORT,SIPSECURE,SIPENABLED,SIPDOMAIN,SIPUSERNAME,SIPHA1,UNIFIED_PORTAL_SSO,ESMSSO,ESG_RESOURCE_URL,UNIFIEDPORTALENABLED,ACSSECURE,ESMSRVR,ACSSRVR,ESMPORT,ACSPORT,CONFERENCE_PORTAL_URI,ESMENABLED,ESMSECURE,ACSENABLED,CONFERENCE_FQDN_SIP_DIAL_LIST,ACSSSO"
SET OBSCURE_PREFERENCES
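
As an added example (not code from this thread, from Avaya or from AADS), the Python script below parses a SET-style AADS autoconfig file like the one above, tolerating directives with no value such as ESG_RESOURCE_URL and OBSCURE_PREFERENCES, and flags clear-text transports in SIP_CONTROLLER_LIST, TLS flags that are off or not in LOCKED_PREFERENCES, and the presence of the SIPHA1 digest, which is password-equivalent for SIP digest authentication. The sample file and its HA1 value are constructed, and treating an entry without a transport parameter as UDP is an assumption.

```python
import re
# Constructed sample modelled on the AADS output quoted in the thread; the HA1 is a placeholder.
SAMPLE = """\
## File Generation Notes
SET SIP_CONTROLLER_LIST "192.28.9.20:5061;transport=TLS,192.28.9.20:5060;transport=TCP"
SET SIPSECURE 1
SET SIPHA1 00000000000000000000000000000000
SET ESG_RESOURCE_URL
SET ESMSECURE 1
SET ACSSECURE 0
SET LOCKED_PREFERENCES "SIP_CONTROLLER_LIST,SIPSECURE,SIPHA1,ESMSECURE"
"""

def parse_settings(text):
    """Return {KEY: value}: '##' lines are comments, quotes are stripped, an empty SET maps to ''."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("##"):
            continue
        m = re.match(r"SET\s+(\w+)(?:\s+(.*))?$", line)
        if m:
            settings[m.group(1)] = (m.group(2) or "").strip().strip('"')
    return settings

def parse_controller_list(value):
    """Split SIP_CONTROLLER_LIST into (host, port, TRANSPORT); no transport param is assumed to be UDP."""
    entries = []
    for item in filter(None, value.split(",")):
        hostport, _, params = item.partition(";")
        host, _, port = hostport.partition(":")
        opts = dict(p.split("=", 1) for p in params.split(";") if "=" in p)
        entries.append((host, int(port) if port else 5060, opts.get("transport", "UDP").upper()))
    return entries

def audit(settings):
    """List clear-text controllers, disabled or unlocked TLS flags, and the password-equivalent HA1."""
    findings = []
    locked = set(settings.get("LOCKED_PREFERENCES", "").split(","))
    for host, port, transport in parse_controller_list(settings.get("SIP_CONTROLLER_LIST", "")):
        if transport != "TLS":
            findings.append(f"controller {host}:{port} offered over {transport} (clear-text SIP)")
    for key in ("SIPSECURE", "ESMSECURE", "ACSSECURE"):
        if settings.get(key) != "1":
            findings.append(f"{key} is not 1: that service may connect without TLS")
        if key not in locked:
            findings.append(f"{key} is not in LOCKED_PREFERENCES: the user can override it")
    if "SIPHA1" in settings:
        findings.append("SIPHA1 present: this file is password-equivalent, serve it only over HTTPS to authenticated clients")
    return findings
```

Run `audit(parse_settings(SAMPLE))` to get the findings for the constructed sample; point `parse_settings` at the text AADS actually serves to check a real profile.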
 
I haven't done the AADS in PS yet. It would appear that there's a default of "SIP handle + comm profile password" for PS+AMM. PS always was that way.

I think the 'best practice' flies in the face of what us PBX guys do. You get a system to build, maybe with DIDs or an extension range and if you're SIP, they all need SMGR Logins, so you make 555-555-1234@customer.com.

It's a bit tougher to get to first.last@customer.com when you don't know which extensions are going to which people.

If you rejig your account to have XMPP handle for Presence and AMM = email address, I wonder if logging in to AADS with Unified Login with your email+Windows Credentials gets AADS to say "Hey PS and AMM, I authenticated MisterRobot@lab.com!" and then PS and AMM see they have a guy named MisterRobot@lab.com and let you in easily.

I'm guessing 'best practice' probably revolves around SMGR login, SM handle, PS handle all = email address. Maybe you can get away with adding a second XMPP handle atop 2050@domain.com with MisterRobot@domain.com.
 
Now, are your settings in AADS 'global'? You can set them per LDAP group and per user agent - like, safari on ios gets the iPhone settings which can be specific and different.

ctrl+f ESMSRVR

ESMSRVR = the AMM server it should try to connect to. Maybe it's more a config and less an authentication problem?
 
If you switch over to manual config, is the AMM server populated? ESMSRVR should be a value provided by AADS.

You can go in the support part of the app and flush the settings to grab em again from AADS.
 
There are two distinct methodologies for Equinox client logins:

1. Unified Login - allows customer to enter a single login/password value to attach to each service enabled for Unified Login
2. SSO - Kerberos ticketing. End user does not need to provide credentials for services. Requires SPN creation and import of the Kerberos ticket into AADS.

Both of these have significant dependencies on exactly how each service is configured and of course the authentication domain used.

Many users do not have the same authentication value as e-mail value, and the e-mail value may not be configured in the authentication domain.
So did the System Manager/Presence/AMM get configured to use the userPrincipalName value from AD or mail?

I'm also assuming you are not using O365 EWS with MFA which will not work on the current release of Equinox.

While it is in the AADS documentation, you really need to have a strong background in Microsoft AD to catch all the nuances.

 
The issue was resolved by changing the authentication type on PMM (from Avaya to Enterprise).

Now we have only one issue: the enterprise directory search on the Avaya Equinox client using Unified Login cannot retrieve any contacts. PMM and Equinox Conferencing are working fine with Unified Login; only the search for contacts is unavailable, I don't know why!!
 
If you're logged in to AADS, you search AADS. If you ALSO have enterprise directory configured, you'll search that too.

But, AADS will scour SMGR and the LDAP source and consolidate that. It's why your SMGR login names and email addresses and attribute mapping are so important - otherwise AADS won't tie together SMGR+LDAP contacts.

To search the enterprise directory from the Equinox client - say, your Equinox client hits up an LDAP on 389 - you need to configure a user to search the directory, and your syntax for that would be a distinguished name.

Like, CN=kyle555,dc=tek-tips,dc=com and with my LDAP password. Or, some anonymous DN if you allow anonymous binds.

But, why? AADS lets you configure multiple LDAPs, and formerly supported only one for authentication. So, you could have LDAP msAD.customer.com with base DN for authentication as CN=UsersOfEquinox,dc=Users,dc=Tek-tips,dc=com and add a 2nd directory for searching of msAD.customer.com with base DN dc=users,dc=tek-tips,dc=com, and AADS would be the entity that's doing the searching in LDAP.

Be careful - the matching rules are different client side vs AADS side.

So, Equinox matches things it searched from LDAP vs AADS differently than the stuff AADS searches from SMGR and LDAP. If you're not E.164 across the board, you'll get weird and double results.
 
Issue resolved: we created the group AADSUsers in LDAP and applied it to the users, and then set up the User role in the AADS LDAP config. Now the users are able to search for LDAP contacts successfully.

Best regards
 