Hi, We have UC platform(CM,SM,SMGR

[miky2019]

Hi,
We have UC platform(CM,SM,SMGR,AADS,AAWG,EQ conferencing,AAMS,...etc), using windows equinox client 3.6 for testing phase, if we used manual configuration, everything is going well while in case using auto config, finally we could login automatically to Equinox after modifying the PPM to enterprise instead of Avaya but the issue now that the Equinox client request to enter the extension number and communication profile password, so please any suggestion to enable me to use the AD credentials only once to login to all services(Phone service,Equinox,multimedia and presence) noted that we are configuring the identity in the SMGR xxx.yyy@domain.com , presence/IM user xxx.yyy@domain.com , avaya SIP profile 5555@sip.com.

when login we use the AD credentials then enter Avaya SIP extension 5555 with password of communication profile defined in SMGR.

Any suggestion to use only AD credentials noted that we made a lot of changes in AADS config file(settings file) but without result .

 

[kyle555]

I think in the group setting of AADS, there's a couple of boxes to push the SIP extn/password to the Equinox client.

So, you login to AADS with a LDAP login - AD in your case. At that point, if you're leveraging that setting to push the hashed password to the client, it will be provided and you won't need to enter it.

You can test it with

https://aads.you.com/acs/resources/configurations/

(i believe...) and your browser will prompt for basic authentication and you enter your AD login and you should get a dynamically created text file in your browser that's specific to your user.

Pg152:

https://downloads.avaya.com/css/P8/documents/101059923

Make sure SIPSSO is 0. 1 is only for IPOffice. Default is you're supposed to be automagically logged in.

There's a couple of settings around domain and extension length, but if you get your config via a webbrowser, you should see SET SIPHA1 and stuff.

 

[miky2019]

Hi kyle555 ,

We are using sample settings file 46xxsettings mentioned in AADS doc which include a lot of configs i know that we won't need it but we used it for testing , for couple configuration we already configured under group setting in AADS (COMM_ADDR_HANDLE_TYPE: Avaya SIP , COMM_ADDR_HANLE_LENGTH: 4), but when we tried the AADS test link we got:

## File Generation Notes
## Avaya Dynamic Configuration Service does not recognize User-Agent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36

## SIP details (SIPUSERNAME, SIPDOMAIN, SIPHA1) that satisfies the requirements (COMM_ADDR_HANDLE_TYPE = Avaya SIP and COMM_ADDR_HANDLE_LENGTH = 4) are not found on SMGR.

SET SSOENABLED 1
SET NAME_DISPLAY_ORDER ""
SET DND_SAC_LINK 0
SET NAME_SORT_ORDER ""
SET WINDOWS_IMPROVIDER 1
SET UCCPENABLED 0
SET CONTACT_MATCHING_SEARCH_LOCATION 1
SET DIRIMATTRIBUTE mail
SET FNUSIMRINGDISABLE 02066070508
SET DIRENABLED 0
SET ENABLE_BLIND_TRANSFER 1
SET APPCAST_CHECK_INTERVAL 1
SET DIRTOPDN "dc=domain,dc=com"
SET ACSSSO 1
SET SIPDOMAIN sip.com
SET ENABLE_VIDEO 1
SET RTP_PORT_LOW 5004
SET DIALPLANNATIONALPHONENUMLENGTHLIST ""
SET DIRSRVR 192.168.10.10
SET ESMSRVR 192.168.10.38
SET PHNPBXMAINPREFIX 6607
SET PHNLDLENGTH 10
SET SIPSSO 1
SET PHNOL 9
SET IOS10CALLKIT_ENABLED 1
SET VOIPCALLINGENABLED 1
SET EQUINOX_MEETING_ACCOUNT_DISCOVERY_URL

https://meetings.avaya.com/acs/resources/

SET ESM_PUSH_NOTIFICATION_ENABLED 0
SET ENABLE_CONTACTS 1
SET DIRTYPE ACTIVEDIRECTORY
SET ESMSSO 1
SET MEDIA_ADDR_MODE 4
SET OPUS_PAYLOAD_TYPE 116
SET ESMREFRESH 0
SET MEDIAENCRYPTION "10,1,9"
SET ENABLE_G711U 1
SET DSCPAUD 46
SET SIP_CONTROLLER_LIST 192.168.10.15:5061;transport=tls
SET FNUCFWDDISABLE
SET SHOW_EQUINOX_MEETING_PANEL_IN_TOM 1
SET CESSSO 1
SET DIRSSO 1
SET DIRMAXENTRIES 50
SET VIDEO_MAX_BANDWIDTH_ANY_NETWORK 512
SET ENABLE_PRESENCE 1
SET PHONE_NUMBER_PRIORITY ""
SET DIALPLANAREACODE 20
SET AUTO_AWAY_TIME 10
SET ENABLE_AUTO_ANSWER_SUPPORT 1
SET ANALYTICSENABLED 1
SET STATION_SECURITY_ENABLED 0
SET DIALPLANLOCALCALLPREFIX 0
SET APPCAST_URL ""
SET ENABLE_EQUINOX_MEETING_ACCOUNT_DISCOVERY 1
SET DSCPSIG 24
SET FNUACTIVEAPPEARANCESELECT 02066070512
SET ESMPORT 443
SET FORCE_LOGOUT_AFTER 0
SET ESMENABLED 1
SET EC500ENABLED 0
SET AUTOCONFIG_USESSO 1
SET ENABLE_G711A 1
SET ESMHIDEONDISCONNECT 0
SET ENHDIALSTAT 0
SET PHNIC 00
SET FNUIDLEAPPEARANCESELECT 02066070506
SET TELEPHONY_PUSH_NOTIFICATION_SERVICE_URL ""
SET SETTINGS_FILE_URL ""
SET CONFERENCE_ACCESS_NUMBER ""
SET DISABLE_PASSWORD_STORAGE 0
SET APPLY_DIALINGRULES_TO_PLUS_NUMBERS 0
SET ISO_SYSTEM_LANGUAGE ""
SET HOMESCREENLAYOUT 0
SET UNIFIEDPORTALENABLED 1
SET ENABLE_OPUS 1
SET SIMULTANEOUS_REGISTRATIONS ""
SET DIRSECURE 1
SET DIRTIMEOUT 100
SET PHNDPLENGTH 8
SET RTP_PORT_RANGE 40
SET APPCAST_ENABLED 0
SET DIRUSEIMDOMAIN 1
SET CONFERENCE_FACTORY_URI ""
SET SETTINGS_CHECK_INTERVAL 1
SET REVOCATIONCHECKENABLED 1
SET RECEIVE_ONLY_SHARING_ENABLED 0
SET ACSSECURE 1
SET DSCPVID 34
SET ENABLE_CALL_LOG 1
SET ENABLE_G729 1
SET ENABLE_MEDIA_HTTP_TUNNEL 1
SET ENABLE_TOP_OF_MIND 1
SET PHNCC 91
SET EWSSSO 1
SET VIDEO_MAX_BANDWIDTH_CELLULAR_DATA 512
SET SUPPORTWINDOWSAUTHENTICATION 0
SET PHNLD 0
SET DTMF_PAYLOAD_TYPE 120
SET FNUSIMRINGENABLE 02066070507
SET FORWARD_ERROR_CORRECTION 3
SET BFCP_UDP_MAXIMUM_PORT 5224
SET FNUSACCANCEL 02066070504
SET ACSSRVR 192.168.10.38
SET DIALPLANEXTENSIONLENGTHLIST ""
SET DIRSRVRPRT 389
SET ENCRYPT_SRTCP 0
SET ECHO_CANCELLATION aec
SET BFCP_UDP_MINIMUM_PORT 5204
SET ESMSECURE 1
SET FNE_SETUP_DELAY 3
SET ENFORCE_SIPS_URI 1
SET FNUSACENABLE 02066070505
SET ENABLE_REDIAL 1
SET LOG_VERBOSITY 1
SET UNIFIED_PORTAL_SSO 1
SET TELEPHONY_PUSH_NOTIFICATION_ENABLED 0
SET BFCP_TRANSPORT 0
SET FNUCFWDENABLE 02066070509
SET AUTOAPPLY_ARS_TO_SHORTNUMBERS 1
SET ENABLE_LOCAL_CONTACT 1
SET DIR_CONTACT_RESOLUTION_ENABLED 1
SET EC500VOICEMAILNUMBER ""
SET APPLICATION_AUTO_START 0
SET ENABLE_FAVORITES 1
SET DIRSCOPE LDAP_SCOPE_SUBTREE
SET ACSPORT 443
SET CONFERENCE_PORTAL_URI

https://eqwg1.domain.com/portal/tenants/default/?ID=5003

SET ENABLE_MDA_JOIN 0
SET ACSENABLED 1
SET APPLICATION_CLOSE_WINDOW 2
SET ADDRESS_VALIDATION 0
SET SIPPROXYSRVR 192.168.10.15
SET SIPPORT 5061
SET SIPSECURE 1
SET LOCKED_PREFERENCES "SSOENABLED,NAME_DISPLAY_ORDER,DND_SAC_LINK,NAME_SORT_ORDER,WINDOWS_IMPROVIDER,UCCPENABLED,CONTACT_MATCHING_SEARCH_LOCATION,DIRIMATTRIBUTE,FNUSIMRINGDISABLE,DIRENABLED,ENABLE_BLIND_TRANSFER,APPCAST_CHECK_INTERVAL,DIRTOPDN,ACSSSO,SIPDOMAIN,ENABLE_VIDEO,RTP_PORT_LOW,DIALPLANNATIONALPHONENUMLENGTHLIST,DIRSRVR,ESMSRVR,PHNPBXMAINPREFIX,PHNLDLENGTH,SIPSSO,PHNOL,IOS10CALLKIT_ENABLED,VOIPCALLINGENABLED,EQUINOX_MEETING_ACCOUNT_DISCOVERY_URL,ESM_PUSH_NOTIFICATION_ENABLED,ENABLE_CONTACTS,DIRTYPE,ESMSSO,MEDIA_ADDR_MODE,OPUS_PAYLOAD_TYPE,ESMREFRESH,MEDIAENCRYPTION,ENABLE_G711U,DSCPAUD,SIP_CONTROLLER_LIST,FNUCFWDDISABLE,SHOW_EQUINOX_MEETING_PANEL_IN_TOM,CESSSO,DIRSSO,DIRMAXENTRIES,VIDEO_MAX_BANDWIDTH_ANY_NETWORK,ENABLE_PRESENCE,PHONE_NUMBER_PRIORITY,DIALPLANAREACODE,AUTO_AWAY_TIME,ENABLE_AUTO_ANSWER_SUPPORT,ANALYTICSENABLED,STATION_SECURITY_ENABLED,DIALPLANLOCALCALLPREFIX,APPCAST_URL,ENABLE_EQUINOX_MEETING_ACCOUNT_DISCOVERY,DSCPSIG,FNUACTIVEAPPEARANCESELECT,ESMPORT,FORCE_LOGOUT_AFTER,ESMENABLED,EC500ENABLED,AUTOCONFIG_USESSO,ENABLE_G711A,ESMHIDEONDISCONNECT,ENHDIALSTAT,PHNIC,FNUIDLEAPPEARANCESELECT,TELEPHONY_PUSH_NOTIFICATION_SERVICE_URL,SETTINGS_FILE_URL,CONFERENCE_ACCESS_NUMBER,DISABLE_PASSWORD_STORAGE,APPLY_DIALINGRULES_TO_PLUS_NUMBERS,ISO_SYSTEM_LANGUAGE,HOMESCREENLAYOUT,UNIFIEDPORTALENABLED,ENABLE_OPUS,SIMULTANEOUS_REGISTRATIONS,DIRSECURE,DIRTIMEOUT,PHNDPLENGTH,RTP_PORT_RANGE,APPCAST_ENABLED,DIRUSEIMDOMAIN,CONFERENCE_FACTORY_URI,SETTINGS_CHECK_INTERVAL,REVOCATIONCHECKENABLED,RECEIVE_ONLY_SHARING_ENABLED,ACSSECURE,DSCPVID,ENABLE_CALL_LOG,ENABLE_G729,ENABLE_MEDIA_HTTP_TUNNEL,ENABLE_TOP_OF_MIND,PHNCC,EWSSSO,VIDEO_MAX_BANDWIDTH_CELLULAR_DATA,SUPPORTWINDOWSAUTHENTICATION,PHNLD,DTMF_PAYLOAD_TYPE,FNUSIMRINGENABLE,FORWARD_ERROR_CORRECTION,BFCP_UDP_MAXIMUM_PORT,FNUSACCANCEL,ACSSRVR,DIALPLANEXTENSIONLENGTHLIST,DIRSRVRPRT,ENCRYPT_SRTCP,ECHO_CANCELLATION,BFCP_UDP_MINIMUM_PORT,ESMSECURE,FNE_SETUP_DELAY,ENFORCE_SIPS_URI,FNUSACENABLE,ENABLE_REDIAL,LOG_VERBOSITY,UNIFIED_PORTAL_SSO,TELEPHONY_PUSH_NOTIFICATION_ENABLED,BFCP_TRANSPORT,FNUCFWDENABLE,AUTOAPPLY_ARS_TO_SHORTNUMBERS,ENABLE_LOCAL_CONTACT,DIR_CONTACT_RESOLUTION_ENABLED,EC500VOICEMAILNUMBER,APPLICATION_AUTO_START,ENABLE_FAVORITES,DIRSCOPE,ACSPORT,CONFERENCE_PORTAL_URI,ENABLE_MDA_JOIN,ACSENABLED,APPLICATION_CLOSE_WINDOW,ADDRESS_VALIDATION,SIPPROXYSRVR,SIPPORT,SIPSECURE"
SET OBSCURE_PREFERENCES ""

 

[kyle555]

You're not supposed to use a 'sample' settings file. You're supposed to configure settings relevant to your org in there

Then, when a user asks for that file, they get prompted for a LDAP login, once AADS knows their LDAP info, it will generate and provide settings.

Global settings apply to everyone unless more specific group settings define otherwise unless more specific user settings define otherwise.

So, a user in a LDAP group "WESTCOASTUSERS" would get SET SIP_CONTROLLER_LIST westcluster.you.com if you made a group called WESTCOASTUSERS in AADS and your AD had that user in that group too.

So, if you login with just extension and no + before it, then you're AVAYA SIP and not AVAYA E164. That means you'd want AADS to have the settings COMM_ADDR_HANDLE_TYPE set to Avaya SIP and if you have 5 digit extensions, you'd want SET COMM_ADDR_HANDLE_LENGTH = 5
If AADS knows those 2 parameters, then when kyle555@tek-tips.com logs in with his LDAP and AADS knows he's tied to a user profile in SMGR - probably because in your AADS attribute mapping you made SMGRLogin map to mail in AD
Then AADS basically looks at my Communication Profile tab in SMGR and if I have an Avaya SIP handle and if it's 5 digits in length, AADS will send me SET SIP USERNAME 12345 and SET SIPHA1 of a hash of my password.

You need to make this go away:
## SIP details (SIPUSERNAME, SIPDOMAIN, SIPHA1) that satisfies the requirements (COMM_ADDR_HANDLE_TYPE = Avaya SIP and COMM_ADDR_HANDLE_LENGTH = 4) are not found on SMGR.

So, the data flow is:
-You send LDAP credentials to AADS.
-AADS passes to LDAP and confirms you are really you
-AADS looks in the attribute mapping to find some attribute in AD that's associated to something in Aura - something like SMGRLogin=mail
-Once AADS has a match for what that AD user represents in Aura, it'll feed you settings specific to YOU for Aura (however you've defined them)
-If you got the extn length and handle type right in AADS, then AADS will just send your Equinox what it needs to login

FYI - you need to nuke and wipe your settings in Equinox if you want it to pickup a new password for the SIP login. So, once you get a SET SIPHA1 line in your config and no more of the ## SIP details... like above, nuke Equinox and start over.

 

[miky2019]

we mapped AADS attribute to Aura SMGRLogin=mail but still getting the same result !! any thought or suggestion ?

do you have sample/tested config file to use it ? or you believe that the issue is AADS attribute mapping with AD?

 

[kyle555]

The issue might be attribute mapping.
It might be your config in AADS.

Here's an easy way to check: you manage "exceptions" - like globally, everyone gets SET SIP_CONTROLLER_LIST sm.you.com, but I have a separate SM for my VIPs for no good reason and in those exceptions I specify that those specific users go somewhere else.

What release of AADS are you on? Later/latest ones have the replacement for the utility server in it where you can have a 46xxsettings.txt file for phones

While Equinox clients use many of the same settings, you absolutely need to have AADS dynamically build YOUR config file based on your AD login.

So, if you were configuring your Equinox client from scratch and at the first part you can enter an email or enter a URL, which are you picking, and what's the URL you're going to - either by hand or via the DNS SRV lookup that the 'config by email' uses?

 

[miky2019]

am using AADS 8.0 and using for equinox client only till now however we are using AADS URL/not Email address to login then enter AD credentials

 

[kyle555]

Does the URL end in .txt or is it

https://aads.com/acs/configurations/resources

?

 

[miky2019]

the extension issue fixed and got it automatically once logging in using domain account credentials after modifying the LDAP attribute mapping for
SMGRLoginname----> mail

but after doing it the unified login failed and got an error Equinox username or password is invalid while the phone service worked normally.

## File Generation Notes
## Avaya Dynamic Configuration Service does not recognize User-Agent - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; HCTE; McAfee; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; wbxapp 1.0.0)

SET SIP_CONTROLLER_LIST 192.168.10.15:5061;transport=TLS
SET SIPPROXYSRVR 192.168.10.15
SET SIPPORT 5061
SET SIPSECURE 1
SET SIPENABLED 1
SET SIPDOMAIN sip.com
SET SIPUSERNAME 1005
SET SIPHA1 cb0d5b35af043cbda5c7331c5288f831
SET CONFERENCE_VIRTUAL_ROOM 2005
SET UNIFIED_PORTAL_SSO 1
SET ESMSSO 1
SET ESG_RESOURCE_URL

https://192.168.10.30:443/csa/resources/configurations

SET SSOENABLED 1
SET UNIFIEDPORTALENABLED 1
SET ACSSECURE 1
SET ESMSRVR 192.168.10.38
SET ACSSRVR aads.domain.com
SET ESMPORT 443
SET ACSPORT 443
SET CONFERENCE_PORTAL_URI

https://wg.domain.com:443/portal

SET ESMENABLED 1
SET ESMSECURE 1
SET SIPSSO 0
SET ACSENABLED 1
SET CONFERENCE_FQDN_SIP_DIAL_LIST wg.domain.com
SET ACSSSO 1
SET LOCKED_PREFERENCES "SIP_CONTROLLER_LIST,SIPPROXYSRVR,SIPPORT,SIPSECURE,SIPENABLED,SIPDOMAIN,SIPUSERNAME,SIPHA1,CONFERENCE_VIRTUAL_ROOM,UNIFIED_PORTAL_SSO,ESMSSO,ESG_RESOURCE_URL,SSOENABLED,UNIFIEDPORTALENABLED,ACSSECURE,ESMSRVR,ACSSRVR,ESMPORT,ACSPORT,CONFERENCE_PORTAL_URI,ESMENABLED,ESMSECURE,SIPSSO,ACSENABLED,CONFERENCE_FQDN_SIP_DIAL_LIST,ACSSSO"
SET OBSCURE_PREFERENCES ""

 

[kyle555]

Here's an easy way to test:

You have all these SSO fields for different services

Tweak your config to NOT define Conference Portal, equinox conferencing, SSO, etc

You can strip off 1 item at a time that your client uses, reset the config, and see when and where you get a single LDAP login to get you in.

Determine which service - like AMM (inside Presence 8.0 or standalone), Conferencing, etc, is not jiving and report back.

 

[miky2019]

We disabled all SSO except ACSSO and the equinox account logged in successfully, tried to login to multimedia manually using the AD credentials but failed
noted that we are using authentication mechanism Enterprise(not Avaya) option with PMM , then enabled ESMSSO and did the same test but got Equinox account
failed to login so it's appearing that it's Multimedia login issue however it was working normally previously with manually option when configure PPM to
use Avaya asauthentication mechanism (not Enterprise) .

here under the config of REST in Presence service:

Enable Client REST Services True
Authentication Mechanism Enterprise
Enterprise Realm (unchecked/not enabled)
Directory URL ldap://IP address:389
Directory User DN (empty)
Directory User Password (empty)
User Search Base dc=domain,dc=com
User Mapping Directory Attribute mail
User Identity Directory Attribute mail

 

[kyle555]

OK, now you're jogging my memory.

Yeah, so AMM when it was standalone needed LDAP auth. Now that it's in Presence, you can do either integrated a-la Presence or LDAP.

So... when I did it, I used the on-board OpenLDAP of AADS and I was trying to make a single PIN for everything - AADS LDAP, Comm Profile, Equinox Moderator bridge code, voicemail password, etc -
Because why have a numeric PIN for every Aura service if they can't be the same, right?


With Unified SSO and ESMSSO enabled, I would always send my LDAP password to AMM. In my case, I was just being tricky and made my LDAP login/PW on AADS = my comm profile password, so my Equinox client thought it needed to send LDAP creds to AMM - and did
And AMM looked at it as Avaya login and it happeed to have the same password and worked.

So, if manual config is working for "everything" - does that include AMM? If so, are you entering DOMAIN\user as the account for AMM in your Equinox client or are you entering your email address?

 

[miky2019]

manually everything is working normally even AMM(noted that am using Presence plugin not standalone AMM), we are configuring SMGR identity and Presence/IM communication
profile is identical matching the user Email(xxxx.yyyy@domain.com), so any suggestion or thoughts?

 

[kyle555]

https://downloads.avaya.com/css/P8/documents/101058218

pg 328. You need an account on LDAP for AMM to use globally so it can talk to LDAP. It's not just forwarding the end user's credentials.

I can't explain why it works manually but not with SSO, but there are certainly config steps you're missing.

 

[miky2019]

the user needed to be created should have admin privillage? i tried using some user but git the same rsult

i saw some case like our case

https://www.tek-tips.com/viewthread.cfm?qid=1794188

, he just mentioned that he changed the config
of authentication mechanism from Avaya to Enterprise ...do you have any more details or how contact him to get some advise

 

[kyle555]

No, I think the user created is just one that AMM uses to read the directory and it wants to see the users in LDAP as part of a group associated to people who use AMM.

Same basic stuff as if you were using standalone AMM.

 

[miky2019]

Hi..
Is there even a reason you need to login with Enterprise for AMM? Why can't you use the other option Avaya SIP or
whatever and let your SIP login to SM log you in to not just Presence but AMM too?

how can do my login to SIP in SM to log me in as well in AMM?

if am using manual login option for AMM, the equinox will request the AMM credentials, so the customer will be obligated to enter his credentials
twice.

 

[kyle555]

chapter 11

https://downloads.avaya.com/css/P8/documents/101058218

 

[miky2019]

yes, this is already our reference but our concern , in case using Avaya Digest, the customer will enter two credentials(one for equinox unified
login(excluding AMM )and second one for AMM), this is the challenge .for this reason we need to use the unified login.

 

[kyle555]

And it tells you how to configure Avaya authentication on page 328.

On 329 it tells you how to setup the service attributes to hook in to a LDAP. Have you completed the configuration steps on pg 329?