This document describes the issue when Cisco Agent Desktop (CAD) Release 9.0 fails to authenticate with an Admin Workstation (AW) that runs Microsoft Windows SQL 2008 R2 SP1 if Windows NT authentication is used in the "ICM ADMIN Workstation Database" page.
Cisco recommends that you have knowledge of these topics:
- Cisco Unified Contact Center Enterprise (UCCE)
- Enterprise CAD
The information in this document is based on these software and hardware versions:
- CAD\ Peripheral Gateway (PG) server: Windows 2008 R2 (64 bit)\ CAD Release 9.0 \ SQL 2008 R2
- AW server: Windows 2008 R2 (64 bit) \ SQL 2008 R2 installed
- Create user "CADUser" on the PG and AW server.
- Add this user to the local administrators group.
- Install SQL and CAD on the PG server with the "CADUser" account.
- In the post installation, provide CADUser credentia to authenticate with the AW.
However, after this the CAD Desktop Administrator (CDA) sync did not work and the reason was due to this error seen in the AW server.
Log Name: Application
Date: 7/15/2012 1:38:33 PM
Event ID: 18456
Task Category: Logon
Keywords: Classic,Audit Failure
Login failed for user 'ADMINWORK\CADUser'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: X.X.X.X]
On the AW server through Microsoft SQL Server Management Studio, add the "CADUser" in the Login Properties pane and check the public and sysadmin check boxes.
Background Information on the Real Issue
This is due to the new security feature which was introduced in Windows 2008 User Access Control (UAC).
UAC is a new security feature introduced in Windows Server 2008 (also applies to Windows Server 2008 R2, Windows 7, and Windows Vista). When an administrator logs on to a computer that runs Windows 2008, the user's full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. In the log on process, authorization and access control components that identify an administrator are removed, which results in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.