Contents

Overview. 1

Requirements/Special Notes. 1

Options. 2

File. 2

Edit 2

View. 2

Logging. 2

Obtaining Updates. 2

Revision History. 2

Overview

The Unity Credentials Mapping application shows all the associations between domain accounts and local Unity subscriber accounts for the purposes of accessing the web based System Administration consol (SA) or the Active Assistant console (AA – called the PCA in 4.0 and later).

 

Starting in Unity 3.0(1) we started keeping a table that mapped the SID of domain accounts in AD/NT with the ObjectID of a subscriber in the local Unity server.  When a user attempts to access a the SA or AA web pages, IIS passes us their SID as part of the authentication process.  Unity then takes that SID and looks it up in this table to see if there’s a match.  If a match is not found the user is rejected, otherwise the local subscriber they are associated with is checked to see if their Class of Service (COS) allows them access to the page they are attempting to load.  If the COS is configured to allow this access they are accepted and the page loads, otherwise they are rejected.

By default every subscriber added as a Unity subscriber is added to this table with what’s called “primary” entry.  In this case their Unity Alias column and the AD Alias column will match.  These entries should never be removed unless you have a special reason to do so.  So long as their COS does not allow access they will not gain entry into the SA or AA pages so there’s no need to remove those entries from this table.

If you’ve used the GrantUnityAccess command line tool to add new associations, they will appear as “non primary” entries and the Unity Alias and the AD Alias will not match (unless you’ve decided to map their directory account to their own Unity account again which would be a little weird).  You can see this in the “tguy” entry in the screen shot above – he has his own Unity-created primary entry and another non primary association to the Installer account. 

By default the Credentials Mapping tool will show all accounts that have Unity Aliases that do not match their AD Alias since these must have been added using the GrantUnityAccess tool, however you can adjust this in the View menu option.  Technically these should all be non primary associations, however there’s been a bug in the Unity setup for some time where the installation account is given an association in the table and it’s marked primary even though the installer does not have a Unity subscriber account.  If you then make a subscriber account for them, when they go to access the SA it will actually have to ask them who they are since more than one entry in the table has their AD SID in it.  This would also happen with the “tguy” account in the screen shot above – if Unity finds more than one match in the table it has no choice other than to ask the user which one they are – this is obviously not ideal.

You can delete association in the table using the Edit | Remove Selected Mapping menu option or by right clicking on the selected entry in the table.  The change takes effect immediately, there’s no replication or restart necessary for this.

Requirements/Special Notes

This utility only works on Unity 3.0(1) and later.  Earlier versions of Unity did not use the credentials mapping scheme employed in 3.0(1).

This utility only works for systems installed with Exchange 5.5 or Exchange 2000.  There is no support for Domino at this point.

Options

File

• Export Grid Info to CSV.  This will take the information currently visible in the table and dump it to a simple CSV file that includes three columns : Domain, AD_Alias and Unity_Alias.   If you have the view options configured such that only some rows are visible in the table, only those rows will be exported to the CSV file.
• Import Grid Info to CSV.  This option is not yet available.  It will allow you to import a CSV file that contains mappings between AD accounts and local subscriber accounts in bulk and add them to the credentials table. For now you must use the GrantUnityAccess tool to make these associations.
• Exit.  If I have to tell you what this means, you need to close this application immediately and walk away…

Edit

• Remove Selected Mapping. This option will remove the currently selected row from the credentials mapping table.  You can only select one row at a time for removal at this point.  You can also right click on a selected row in the table and the same remove and add options will pop up.

• Add New Mapping. This option is not yet available.  It will allow you to navigate the Active Directory containers to find an account you wish to map to a local subscriber record.  Currently you will need to use the GrantUnityAccess tool to add new associations.

View

• Show Only Custom Mappings. This option (on by default) will force the table to only show credential mappings where the Unity alias and the AD Alias columns do not match.  These mappings must have been added by the GrantUnityAccess tool and are considered “custom”.  Typically these mappings are made so non subscribers can gain access to the SA console on the local Unity server.
• Show Primary Mappings.  This option (on by default) allows both non primary and primary associations to be shown.  Primary associations are those made by Unity when new subscribers are added and should typically not be removed.  However there’s been a bug in the Unity setup for some time that makes one primary association for the installation account that can result in two entries for that account if they are then also made a subscriber in the system.  As such primary mappings are shown by default so this will be visible. So long as the “Show Only Custom Mappings” option above is in effect you should safely see only mappings that are legal to remove from the table.

Logging

Every time you run the Credentials viewer an entry is made to the “CredentialsLog.txt” file stored in the installation directory of the application.  Each time you delete an association out of the table it is logged to this file.  The file does not cycle and is not deleted, however since deleting credentials should be a very rare activity this should not be a big problem.

Obtaining Updates

To check for updates to this tool, visit http://www.CiscoUnityTools.com

Revision History

Version 1.0.5

• Updated Unity version checking to allow to application to run on Unity version greater than 4.x

Version 1.0.4

• Forced application to run at low priority

Version 1.0.3

• Updated localization files for the Unity 4.0(2) release

Version 1.0.2

• Made minimum version 3.1(1) due to some differences in the SIDHistory table across 3.0 versions
• Updated to now allow it to run on a Domino system
• Fixed problem when trying to run off box where the application would launch anyway.
• Added logging for deletion events.

Version 1.0.1

• First release of tool

 

© 2003 Cisco Systems, Inc. -- Company Confidential