Mailing List Archive

Error Processing SAML Response
So, users are randomly getting the above error when logging into CUCM
UCMUser or CUC Inbox... we are also getting it using AD credentials into
admin pages for CUCM/CUC/etc.

For a user, it will work fine repeatedly, then you will get the error,
close your browser, and reopen, still get the error for a few minutes. Then
later it will work. When a user is affected, other users work fine.

TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP
(ADFS 2.0) is fine.

Pings are around 1ms between servers.

Any ideas?


Jonathan
Re: Error Processing SAML Response [ In reply to ]
If the Admin creds are providing the same error and not in ldap (the local cucm provided at setup), I would re-queue the case to another engineer if the best they can provide is NTP out of sync, but the time is really correct…

You may have to escalate the case to get a more seasoned engineer. Have you rebooted or restarted the Cisco tomcat service for cucm? We’re slowly moving into the restart/reboot world.

Curious what you find out when fixed.

> On Sep 16, 2021, at 2:56 PM, Jonathan Charles <jonvoip@gmail.com> wrote:
>
> So, users are randomly getting the above error when logging into CUCM UCMUser or CUC Inbox... we are also getting it using AD credentials into admin pages for CUCM/CUC/etc.
>
> For a user, it will work fine repeatedly, then you will get the error, close your browser, and reopen, still get the error for a few minutes. Then later it will work. When a user is affected, other users work fine.
>
> TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP (ADFS 2.0) is fine.
>
> Pings are around 1ms between servers.
>
> Any ideas?
>
>
> Jonathan
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

Re: Error Processing SAML Response [ In reply to ]
Have you tried to run a SAML Tracer?

Sincerely,
Benjamin M. Turner
________________________________
From: cisco-voip <cisco-voip-bounces@puck.nether.net> on behalf of Jonathan Charles <jonvoip@gmail.com>
Sent: Thursday, September 16, 2021 4:56:48 PM
To: cisco-voip@puck.nether.net <cisco-voip@puck.nether.net>
Subject: [cisco-voip] Error Processing SAML Response

So, users are randomly getting the above error when logging into CUCM UCMUser or CUC Inbox... we are also getting it using AD credentials into admin pages for CUCM/CUC/etc.

For a user, it will work fine repeatedly, then you will get the error, close your browser, and reopen, still get the error for a few minutes. Then later it will work. When a user is affected, other users work fine.

TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP (ADFS 2.0) is fine.

Pings are around 1ms between servers.

Any ideas?


Jonathan
Re: Error Processing SAML Response [ In reply to ]
No... TBH, I have never heard of it...

TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC and
ADFS...


Jonathan

On Thu, Sep 16, 2021 at 4:08 PM Benjamin Turner <benmturner@hotmail.com>
wrote:

> Have you tried to run a SAML Tracer?
>
> Sincerely,
> Benjamin M. Turner
Re: Error Processing SAML Response [ In reply to ]
Have you been able to confirm the time difference?

I’m not trying to take their side of things, but if it’s minutes off, I wouldn’t doubt that’s possible. SSO is highly secure, right? A time difference might be enough to throw it off?

Here’s reference:

https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907



From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Jonathan Charles
Sent: Thursday, September 16, 2021 6:23 PM
To: Benjamin Turner <benmturner@hotmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Error Processing SAML Response

No... TBH, I have never heard of it...

TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC and ADFS...


Jonathan

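Added example, not part of any message in this thread: one way to confirm or rule out the time difference asked about above, working from a captured SAMLResponse (the base64 value a SAML tracer shows in the POST to the service provider). The sample response, its timestamps, the function names and the `skew` tolerance are constructed assumptions; the tolerance CUCM actually applies is not stated in the thread.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not a real capture from CUCM or ADFS.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2021-09-16T20:56:48.000Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-09-16T20:56:48.000Z">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-09-16T21:01:48.000Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-09-16T20:56:48.000Z"
                     NotOnOrAfter="2021-09-16T21:56:48.000Z"/>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2021-09-16T20:56:48.000Z."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(\.\d+)?Z", value)
    if m is None:
        raise ValueError(f"unexpected timestamp: {value!r}")
    whole = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    fraction = timedelta(seconds=float(m.group(2) or 0))
    return whole.replace(tzinfo=timezone.utc) + fraction


def time_window_report(b64_response, receiver_now, skew=timedelta(0)):
    """Compare the receiver's clock with the assertion's time bounds.

    Diagnostic only: it reads timestamps and does not verify the signature,
    so use it on responses captured from your own login attempts.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    issued = parse_instant(root.get("IssueInstant"))
    bounded = (root.findall(".//saml:Conditions", NS)
               + root.findall(".//saml:SubjectConfirmationData", NS))
    earliest = [parse_instant(e.get("NotBefore"))
                for e in bounded if e.get("NotBefore")]
    latest = [parse_instant(e.get("NotOnOrAfter"))
              for e in bounded if e.get("NotOnOrAfter")]
    valid_from = max(earliest) if earliest else None
    valid_until = min(latest) if latest else None
    if valid_from is not None and receiver_now < valid_from - skew:
        verdict = "not_yet_valid"   # receiver clock is behind the IdP
    elif valid_until is not None and receiver_now >= valid_until + skew:
        verdict = "expired"         # receiver clock is ahead, or delivery was slow
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "seconds_from_issue": (receiver_now - issued).total_seconds(),
        "valid_from": valid_from,
        "valid_until": valid_until,
    }


if __name__ == "__main__":
    # Receiver clock three seconds behind the IdP, no tolerance configured.
    behind = datetime(2021, 9, 16, 20, 56, 45, tzinfo=timezone.utc)
    print(time_window_report(SAMPLE_B64, behind))
```

Feeding it the timestamp at which the service provider logged the failure shows whether that login fell outside the assertion's window and by how many seconds.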
Re: Error Processing SAML Response [ In reply to ]
The logs are pretty clear when it’s a time difference as the error. I’ve not seen it randomly occur but definitely the error will be it’s time and may even show the difference.

It’s the 4j log file for sso I believe


Matthew Loraditch
Sr. Network Engineer
(He/Him/His)
p: 443.541.1518
w: www.heliontechnologies.com | e: MLoraditch@heliontechnologies.com
From: cisco-voip <cisco-voip-bounces@puck.nether.net> on behalf of Lelio Fulgenzi <lelio@uoguelph.ca>
Sent: Thursday, September 16, 2021 4:32:12 PM
To: Jonathan Charles <jonvoip@gmail.com>; Benjamin Turner <benmturner@hotmail.com>
Cc: cisco-voip@puck.nether.net <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] Error Processing SAML Response


Have you been able to confirm the time difference?

I’m not trying to take their side of things, but if it’s minutes off, I wouldn’t doubt that’s possible. SSO is highly secure, right? A time difference might be enough to throw it off?

Here’s reference:

https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907
Re: Error Processing SAML Response [ In reply to ]
Remember he said it also was happening on the CUCM Admin account which has nothing to do with SSO/SAML. So means it’s most likely internal to cucm...

> On Sep 16, 2021, at 4:36 PM, Matthew Loraditch <MLoraditch@heliontechnologies.com> wrote:
>
> The logs are pretty clear when it’s a time difference as the error. I’ve not seen it randomly occur but definitely the error will be it’s time and may even show the difference.
>
> It’s the 4j log file for sso I believe
>
> Matthew Loraditch
> Sr. Network Engineer
> (He/Him/His)
> p: 443.541.1518
> w: www.heliontechnologies.com | e: MLoraditch@heliontechnologies.com
Re: [External] Re: Error Processing SAML Response [ In reply to ]
Nah, looks like he said logging into CCM Admin pages, with AD accounts, so all areas of the web UI (I believe). The NTP errors that I’ve seen are presented as SAML assertion errors.

I’m curious if this is a new SSO config, or if it was working properly and something’s changed.

From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Kent Roberts
Sent: Thursday, September 16, 2021 8:37 PM
To: Matthew Loraditch <MLoraditch@heliontechnologies.com>
Cc: cisco-voip@puck.nether.net
Subject: [External] Re: [cisco-voip] Error Processing SAML Response

Remember he said it also was happening on the CUCM Admin account which has nothing to do with SSO/SAML. So means it’s most likely internal to cucm...


Re: [External] Re: Error Processing SAML Response [ In reply to ]
Is there valid TLS trust between UCM and IdP?

> On Sep 16, 2021, at 19:46, Johnson, Tim <johns10t@cmich.edu> wrote:
>
> Nah, looks like he said logging into CCM Admin pages, with AD accounts, so all areas of the web UI (I believe). The NTP errors that I’ve seen are presented as SAML assertion errors.
>
> I’m curious if this is a new SSO config, or if it was working properly and something’s changed.
>