This document describes how to resolve an issue identified by the following error message that might appear in the Cisco Unified Contact Center Enterprise (UCCE) Distributor Admin Workstation (AW) logs:
SQL Server message: The server principal <server> is not able to access the database <database> under the current security context.
Cisco Service Account Manager (SAM) was introduced in order to resolve security issues with Cisco Unified Contact Center Enterprise (UCCE) accounts in Microsoft Active Directory. This tool has the capability to check and repair group memberships and permissions within Microsoft Active Directory. However, it lacks the capability to check the SQL internal permissions.
When Cisco Intelligent Contact Manager (ICM) accounts, groups, memberships and permissions are corrupted within Active Directory, SAM might repair them to an extent. However, SQL security problems might still persist.
The following error message appears in the Distributor Admin Workstation (AW) log if an SQL security problem exists:
11:41:35:226 dis-uaw Trace: SQL Server message: The server principal
"UC9\UC9-DISTRIB-890859F6" is not able to access the database
"uc9_sideA" under the current security context.
Symptoms of this issue can vary within your environment. One symptom might be that the Configuration Manager is unable to propagate the configuration back to the Distributor.
However, the SAM reports no issues.
Here are the possible solutions to various symptoms.
- If the security issue appears in one of the AW databases, open SQL Management Studio, and verify that the ICM service group has the correct permissions.
- If the security context is corrupt in the SQL database and the AW returns an error with regard to database access, you must delete the ICM service group from both the main security folder and the respective database.
- Enter these commands in order to delete an ICM service group:
- Recreate it with permissions at this location
- Ensure that an ICM service login is a member of the GeoTelAdmin database role on both AW and HDS databases; refer to the image in this section. You only need to make this change on one database; changes to additional databases will be applied automatically.
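A read-only query for the check that SAM cannot perform, given here as an added example that is not part of the original Cisco document. It uses only standard SQL Server catalog views; the database and login names are the ones from the AW log sample above and must be replaced with your own.

```sql
-- Added example: read-only audit, run in SQL Server Management Studio.
-- Database and login names are taken from the AW log sample on this page;
-- substitute your own, and repeat for each AW and HDS database.
USE [uc9_sideA];

DECLARE @login sysname = N'UC9\UC9-DISTRIB-890859F6';
DECLARE @role  sysname = N'GeoTelAdmin';

SELECT
    sp.name        AS server_login,
    sp.type_desc   AS login_type,      -- WINDOWS_LOGIN or WINDOWS_GROUP
    sp.is_disabled AS login_disabled,
    dp.name        AS database_user,   -- NULL: no user is mapped to the login's SID
    CASE WHEN EXISTS (
            SELECT 1
            FROM sys.database_permissions AS p
            WHERE p.grantee_principal_id = dp.principal_id
              AND p.class = 0                  -- database-level permission
              AND p.permission_name = N'CONNECT'
              AND p.state IN ('G', 'W'))       -- GRANT or GRANT WITH GRANT OPTION
         THEN 1 ELSE 0 END AS has_connect,
    CASE WHEN EXISTS (
            SELECT 1
            FROM sys.database_role_members AS rm
            JOIN sys.database_principals AS r
              ON r.principal_id = rm.role_principal_id
            WHERE rm.member_principal_id = dp.principal_id
              AND r.type = 'R'                 -- database role
              AND r.name = @role)
         THEN 1 ELSE 0 END AS in_role
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp
       ON dp.sid = sp.sid                      -- match on SID, not on name
WHERE sp.name = @login;
-- No row returned: the login does not exist at the server level under this name
-- (access may instead be granted through a Windows group login).
```

A healthy result is one row with a non-NULL `database_user`, `has_connect = 1` and `in_role = 1`. A NULL `database_user` or `has_connect = 0` is consistent with the "not able to access the database ... under the current security context" message.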
Since the AW process constantly retries to connect to the database, a restart is not required after changes are made. Once connected, the AW logs display output similar to this example:
11:42:15:309 dis-uaw Trace: Attempting to connect to central
controller database"uc9_sideA" on server "C9-ICM-A"
11:42:15:318 dis-uaw Trace: Connected to SQL Server 10.50.255 on server C9-ICM-A.
11:42:15:336 dis-uaw Trace: Starting incremental copy operation.
11:42:15:337 dis-uaw Trace: Recovery keys: 0.0 (in memory), 7008508770009.0
(local AWControl), 7008508770009.0 (router AWControl).
11:42:15:645 dis-uaw Trace: Nothing to do.
11:42:15:677 dis-uaw Trace: Waiting for new work...
11:42:15:699 dis-uaw Trace: Starting incremental copy operation.
11:42:15:699 dis-uaw Trace: Recovery keys: 7008508770009.0 (in memory),
7008508770009.0 (local AWControl), 7008508770009.0 (router AWControl).
11:42:15:700 dis-uaw Trace: Nothing to do.
11:42:15:700 dis-uaw Trace: Waiting for new work...
11:42:17:310 dis-uaw EMS message forwarding has started.