We are in the middle of our update from 2020 R1 Patch 6 to 2021 R1 Patch 3. We just rolled out ICUserApps to some pilot users and discovered that SIP Soft Phone does not work. When provisioning the SIP Soft Phone users get an error that says "The Host Cannot Be Reached." We have confirmed their network connection and that the correct host name is entered etc. According to Genesys Support SIP Soft Phone does not work in 2020 R4 + unless users have "Full Control" rights to C:\Users\User Name>\Interactive Intelligence\Certificates. My organization is going to have a big issue with giving regular users "Full Control" to anything so this is a show stopper for us. Genesys admitted that this issue is not documented on their website so we wouldn't have know about it before proceeding with updating. Just wondering if anyone else has run into this issue and if any of these workarounds worked for you. We are almost 100% SIP Soft Phone.
Below is what I was told by Genesys support:
"Hi Michael,
As we discussed on call there was no documentation for this known issue. Once the fix go live we will update the document into known issues. Please find the SCR IC-160249
On comparing between the path differences between 2019 version and 2020 R4 P4 Version, the one with known issue, they found the below.
Neither version (2019 or 2020) of the SSP has access to the C:\Program Files (x86)\Interactive Intelligence\Certificates\ folder.
During the startup of the SSP, both versions create folders under C:\Users\User Name>\Interactive Intelligence\Certificates\ after failing to create them under C:\Program Files (x86)\Interactive Intelligence.
The difference between the two is that the 2019 version will use the newly created folders and files under C:\Users\etc., but 2020 R4 P4 does not. The 2020 R4 P4 SSP goes back to the folders under C:\Program Files (x86)\ and fails. As seen in the logs, this cycle continues for several cycles until it times out.
The workarounds provided by the DEV team are as follows:
"Add the launching user to the local admins group on the system, add the launching user with "full" rights to the folder or to modify the "Users" group permissions on the folder.
Another workaround would be to use a transform (MST) to modify the "SecureObjects" table...perhaps change the "Users" group permission there or to add "Authenticated Users" with the required permissions. The transform would need to be specified when the MSI is installed (using the TRANSFORMS=<pathToMSTFile> property)."
I've attached the transform to this mail. It will add the "Authenticated Users" group to the "Certificates" share with the same permissions as that given to the installing user.
DEV also found another workaround that is explained at the end of Notes. It is for systems that already run the install without a transform.
DEV tested the transform and applied the MSI, MSP and transform (MST) at the same time and "Authenticated Users" showed up on the folder as expected:
Notes
The transform must be applied when the MSI is installed. After that, it is cached by the installer and will be applied whenever the install is run again (patches, repairs, etc.)
The transform cannot be applied if the MSI has already been run and the product is installed. In that case, either the product needs to be uninstalled and then reinstalled using the transform OR the permissions could be added to the "Certificates" folders using the "icacles" utility.
To use the transform, the "TRANSFORMS" property is used (as seen in the snippet) with the path to the MST file assigned to it. The property name should be in all caps.
2nd workaround
This second workaround could be used instead of the transform on new product installs and could also be used on systems that had the product installed without a transform (thereby saving the uninstall
reinstall with transform steps). This workaround uses the "icacls" Windows utility to set the permissions on the "Certificates" folder after the install is run. I've attached a .txt file with the command lines to use. To see information about the utility, type "icacls /?" at the command line.
In case the transform/mst is used, full path needs to be provided for the msi, msp and mst while running the command). The transform (mst file) attached to this CC is the only transform that needs to be used to circumvent this issue if the product is not already installed(there are no other transforms for this purpose). Alternatively, the icacls utility can be used if the product is already installed without the mst (utility can also be used for new product installs, please refer Mike's detailed comments).
As we discussed in call if you are not acceptable with this work around provided, we can suggest you to downgrade the SSP version that being used before."
Thanks,
Mike Bishop
#sipsoftphone #upgrade #Implementation #2021r1 #SCR
#SIP/VolP------------------------------
Michael Bishop
UnitedHealth Group/Optum
------------------------------