Solved

Shoretel AD Integration

Posted on 2015-01-29
Last Modified: 2015-02-11
Hello,
We had this working fine but something has clearly changed. We think Director was upgraded to 18.62.7800.0, which has broken AD integration.
I've re-read all the documents out there and tried the IIS fix, etc.
Before we just used LDAP://servername which worked fine and we can see and click show/sync buttons. They now are greyed out.
Ideas/suggestions?
Thanks
Question by:CHI-LTD
18 Comments
 
LVL 39

Expert Comment

by:footech
ID: 40578802
I'm using Build 19.41.5003.0.  I've got my LDAP string set to something like
LDAP://server.domain.com/OU=Users,OU=Org,DC=domain,DC=com
Haven't experienced any issues during, before or after any upgrades.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40579330
Are you using a Windows account in the Users OU with permission?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40579344
And are you native 2008 R2?
0
 
LVL 39

Expert Comment

by:footech
ID: 40580078
Using a Windows account for what?

Yes, we are 2008 R2 DFL and FFL.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40583508
To make the connection from Director to AD.
0
 
LVL 39

Expert Comment

by:footech
ID: 40583615
Unless I'm completely forgetting something, there is no account/setting for this purpose.

If you think there is, please point out exactly where this is set.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40583691
So we have a Windows account (in our case) called 'shoreteldirector', which is also a manually created account in Director with the same name.  We have logged into Director and Windows with this account in order to enter the LDAP path string.
We also have delegated the director computer account the 2x domain controllers...
0
 
LVL 39

Expert Comment

by:footech
ID: 40584395
It doesn't matter what account(s) you specify as having administrator permissions in ShoreTel Director.  They can be either AD users or not.  We have both types in our setup.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40593668
Okay.  Well, I cannot get this to work whatsoever.
What's odd is that even though the 2x fields aren't clickable, the Windows auth (for Communicator) works fine.
0
 
LVL 39

Expert Comment

by:footech
ID: 40594122
I would check to make sure the ShoreTel server's membership to the domain is healthy (secure channel isn't broken).  I don't know if this would affect anything else.

Check your firewalls.  TCP 389 needs to be allowed.
I would start a network capture at the ShoreTel machine with traffic to/from the DCs, then try a "Show from AD" and see if the traffic is getting through.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40598107
Right, so Wireshark is showing a bind success...
Must be something else stopping the 2x buttons from showing...
0
 
LVL 39

Expert Comment

by:footech
ID: 40598972
I just double-checked something.  It does look like when I log in as an admin user which is just a user defined in ShoreTel Director (not AD), that the AD buttons are grayed out.  I could swear I remember this working but honestly it's been so long since I used that account I could be wrong.  Logging in with my AD user allows me to use the buttons.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40600251
That's the thing, we now (for whatever reason) do not see the Active Directory option (on the right of the login page).
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40600475
Would you be able to send me your IIS authentication method screen, as per http://customers.btxchange.com/Manuals/ShoreTel/ShoreTel%20Active%20Directory%20Integration.pdf

Thanks
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40600477
Edit: think I've fixed it.
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 40601364
My authentication settings are the same as in the document.  All disabled except Windows Integrated.
0
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 40602666
Mine wasn't!  I have anonymous enabled also.
The IE auth setting was also wrong.

Thanks for the help.
0
 
LVL 39

Expert Comment

by:footech
ID: 40603712
Glad you got it worked out.
0
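
The checks suggested in this thread (domain secure channel, TCP 389 to a domain controller, and IIS authentication with everything disabled except Windows Integrated), gathered into one PowerShell script as an added example. It is not code from either poster or from ShoreTel; the domain controller name and the IIS location are placeholder assumptions to replace with your own values.

```powershell
# Added example. $DomainController and $IisLocation are placeholders (assumptions),
# not values from the thread. Run elevated on the Director server.
param(
    [string]$DomainController = 'dc01.example.com',
    [string]$IisLocation      = 'Default Web Site'   # site or site/app that hosts Director
)
Import-Module WebAdministration

# Plain TCP connect with a timeout; works on older hosts without Test-NetConnection.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Read the effective enabled flag of each IIS authentication mode at the location.
function Get-IisAuthState {
    param([string]$Location)
    $modes = 'anonymousAuthentication', 'basicAuthentication',
             'digestAuthentication', 'windowsAuthentication'
    foreach ($mode in $modes) {
        $enabled = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location `
            -Filter "system.webServer/security/authentication/$mode" `
            -Name enabled).Value
        New-Object PSObject -Property @{ Mode = $mode; Enabled = [bool]$enabled }
    }
}

$auth = @(Get-IisAuthState -Location $IisLocation)
# Expected state from the thread: only Windows Integrated is enabled.
$unexpected = @($auth | Where-Object { ($_.Mode -eq 'windowsAuthentication') -ne $_.Enabled })

"Secure channel to domain healthy: $(Test-ComputerSecureChannel)"
"TCP 389 reachable on ${DomainController}: $(Test-TcpPort -HostName $DomainController -Port 389)"
$auth | Format-Table Mode, Enabled -AutoSize
if ($unexpected.Count -gt 0) {
    "Differs from 'all disabled except Windows Integrated': " + (($unexpected | ForEach-Object { $_.Mode }) -join ', ')
}
```

With anonymous authentication left enabled, as in the asker's original configuration, the last line lists `anonymousAuthentication`.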
