CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot

Version 1
    This document was generated from CDN thread

    Created by: Ruwei Liu on 30-09-2009 08:25:07 AM
    Hi,
     
        I was trying to use /CGI/Screenshot to get the screenshot of a physical phone (7961 & 7975).
     
        I always get <CiscoIPPhoneError Number="4"/>. This looks like to be an authorize issue.
     
         I'd be very grateful if anybody from the forum could tell me what else I am possibly missing? I have done the following checks:
             1.  The device's owner UID is correct;
             2.  The owner user belongs to "standard phone administrator" group;
             3.  The owner user's device association has the target phones in the list.
     
    Thanks,
    Ruwei
     
     

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: David Staudt on 30-09-2009 01:33:37 PM
    When the phone checks authorization, it will send a request similar to the following to UCM:
     
    http://10.88.131.133/ccmcip/authenticate.jsp?UserID=dstaudt&Password=password&devicename=SEP00070EB9C4B4
     
    You can use a regular browser to check this request (substituting your actual values,) you should get 'AUTHORIZED' if all is ok.  If not, check:
     
    - Username/password are correct
    - Check that the user is associated to the device in UCM web admin
    - Check if a custom authentication URL has been configured.  This can be set in Enterprise Parameters or on the individual phone's configuration screen.

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: Ruwei Liu on 01-10-2009 09:00:19 AM
    Thanks David.
     
    I checked out the URL, it does return "AUTHORIZED", but I still get " <CiscoIPPhoneError Number="4" /> " when running the /CGI/Screenshot.
     
    Any idea what might have gone wrong?
     
    Best Regards,
    Ruwei
     

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: Muhammad Sabir on 01-10-2009 01:12:28 PM
    I have seen occasional problems with authentication. Sometimes just rebooting the phone fixes the problem.
     

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: David Staudt on 01-10-2009 01:21:04 PM
    I would next suspect that the authentication URL the phone is actually using is not the one you expect. 
     
    You can see in more detail what exactly the phone is doing via a network packet capture: connect a PC to the phone's extra switch port and use Wireshark to capture the network traffic during a test.  Inspecting the HTTP packets should tell you exactly what request the phone is making and what the response is.
     
    Feel free to attach the file here if you can't spot the problem.

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: Ruwei Liu on 13-10-2009 08:31:23 AM
    Thanks folks.
     
          Checked the authentication URL, it was configured to use a host name that my local DNS server doesnot recognize. So, there's no more <CiscoIPPhoneError Number="4" />.
     
          But I still didn't get the screenshot. I got
    <CiscoIPPhoneError Number="0" /> now.
     
    Please kindly help.
     
    Thanks,
    Ruwei
     

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: David Staudt on 13-10-2009 07:16:35 PM
    Please ensure that the latest firmware load available on Cisco.com is running on the phone.  If you can reproduce this on a 7975, please grab a network packet capture - from the phone's extra PC switch port, via Wireshark - and attach here.

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: Ergin GUZEL on 18-07-2012 05:02:02 AM
    Hi All

    By Refering to this link:
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080af1d1b.shtml


    Cisco expects developers to use the exact link format as given below:

    http://<phoneIP>/CGI/Screenshot


    If you use a url like http://<phoneIP>/CGI/ScreenShot     you can have an error with a 0 error code. We all think that url is case insensitive but unfortunately the expected url must be on right case for every character. Seems stupid, but this is the truth =)


    Again, ensure that you are using the correct url given below.

    http://<phoneIP>/CGI/Screenshot

    Regards
    Ergin

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: Jeffrey Ness on 25-07-2012 07:08:52 PM
    In CUCM 8.x with Secure URLs and the corresponding phone loads you need to to make sure the phones can validate the web server SSL certificate. Whether it is a self signed certificate or not doesn't matter. If you are using CTL tokens for security you will need to update your CTL file once you have installed the certificate. You can load the PUBLIC certificate to CUCM in OS Administration > Security > Certificate Management and add the certificate to the Phone-CTL-trust. It must be the public certificate from the web server not the Certificate Authority certificate which issued the Server Authentication certificate. The Trust Verification Service (TVS) handles phone HTTPS validation for phones that are not using a CTL.

    Subject: RE: CiscoIPPhoneError 4 when using /CGI/Screenshot to get phone screenshot
    Replied by: David Roberts on 25-07-2012 05:53:02 PM
    Hi,
    I used to have this authentication bypass working fine but it now appears broken.  I can't say if it's a firmware change or what. 

    Test Phone (BTW, same result with different phones):  7970G
    Firmare: SCCP70.9-2-1S
    CUCM: 8.5.1.13900-5

    AUTHURLs tried
      http://172.17.8.10/authenticate.htm
      https://172.17.8.10/authenticate.htm
      https://172.17.8.10/authenticate.jsp
      https://10.30.10.14/authenticate.jsp

    When I open a browser to any of those variations I get 'AUTHORIZED'.  The file authenticate.htm or .jsp simply contains the word 'AUTHORIZED' with no other tags. 

    The phone can most certainly reach this IP from its network.   I put a tcpdump on the webserver and verified the incoming request.

    Confirmed the phone is using the proper auth url by looking at it's phone web page.

    At one point, I checked the Console Logs on the phone said there was a handshake problem TLS with the server.  The sniffer trace also shows an issue with TLSv1 Handshake failure (for the case when I use https).

    I'm suspicious something changed where HTTPS is now required for this authentication URL and that the server must not be self-signed (where opening a browser gives you that 'okay to continue' message.

    In all cases, I get a    <CiscoIPPhoneError Number="4" /> error. 

    Can someone please help?