cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4841
Views
0
Helpful
12
Replies

Authenticating Movi(Jabber) Accounts with LDAP/AD

Timothy Woods
Level 1
Level 1

Condition: I have a TMS-Control-Expressway setup (VCSs are at x7.0.2, TMS is at 13.1.2). Provisioning is good across the board (manually created Movi accounts are logging in properly and calling functions are good). Within the Provisioning directory, I have the root directory. Within the root directory I have 6 manually created Movi accounts as well as 6 sub directories. I have setup each subdirectory with a Base DN and Relative DN (each sub directory has a different Relative DN).

Result: Each sub directory is importing the AD users it was meant to -- and all fields within each Movi user is populating properly (email, title etc etc). The only field that is not populating (and should be grayed out/disabled) is the password field. This field has a default password populated for every user. Further, the password field is enabled -- meaning it can be changed right there in the TMS Provisioning directory. Obviously the AD lookup to autheticate the password is not happening. Fyi, if the Movi user uses their AD username (domain\name) and the manually entered password, Movi does login.

Secondary attempt: I also went into VCS Control's vcs configuration>authentication>devices>AD lookup and filled in the fields (to add the VCS Control to the domain). I also made sure authetication on the VCS is set to 'local database' but set to 'auto' on the NTLM protocol challanges.

This does not change anything. Movi users logging in cannot use their AD password.

2 Accepted Solutions

Accepted Solutions

Timothy,

Yes, it should work. I don't see any issue with keeping the subzone to "treat as authenticated".  Again the subzone is where all "registration" request will pass through including your presence and phone book.

the initial provisioning subscribe for MOVI/Jabber is always pass through the Default zone which in your case will be challenged for credential.

try it out and if you face any problem then post here.

Thanks

Alok

View solution in original post

Timothy,

I am glad that after the discussion your doubts are cleared...!! and if you face issue any issue do post here.

If your issue resolved then i would appreciate if you marked the thread as answered!:)

Thanks

Alok

View solution in original post

12 Replies 12

Alok Jaiswal
Cisco Employee
Cisco Employee

Hi Timothy,

During the LDAP/AD authentication the VCS control joined to domain challenge the MOVI(JABBER) client for credentials and in back hand verifies the credentials with the domain controller.

Once the VCS join to domain controller you need to set the authentication type to LDAP database and make sure to set the default zone on VCS control is set to "check credentials".

During the AD synch with TMS it doesn't import the AD password under the user directory. Please check the below link page 20.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/tms/config_guide/Cisco_TMS_Provisioning_Deployment_Guide_13-0.pdf

Note: Only user names and those fields shown in Mapping of user fields are synchronized—the user's AD password is NOT imported into the User Directory. Provisioning will automatically assign a user's Movi password. For more details on mapping of user fields between Active Directory and the Provisioning Directory database, see Mapping of user fields.

Also check the below link for the recomended settings for LDAP/AD depolyment method.

https://supportforums.cisco.com/message/3586829#3586829

Thx for the feedback. I would highly appreciate it if you could rate my messages by using the stars below each message!

Thanks

Alok.

Alok,

Thank you very much for the information. So TMS imports the user information and populates the user account in the Provisioning Directory -- but the actual password lookup is performed by the VCS at the time of the Movi login. And if the password field in the provisioning directory has something in it, it does not matter? The AD lookup performed by VCS Control will trump whatever is in the password field? Is that all correct?

My additional questions are:

1) By changing the default subzone to "check credentials" doesn't this disable 'Presence' for Movi? I need to make to VCSE

2) Do I need to set the default traversal subzone to 'check credentials' too? I will have Movi users coming in from the internet. VCSE cannot be added to the domain/sync'ed with LDAP/AD. (I believe I do not need to make any changes to VCSE)

3) Will these changes to the VCS authentication configuration alter how the H323 room systems register to VCS Control?

Timothy,

Presence server accept only authenticated request and if you set the defualt subzone to check credentials then again the VCS challenge the MOVI client for authenitcation and will verify that in back hand to domain.

In this scenario if you try to register a endpoint then you have to specify the authentication credentials for endpoint as well which will be verified again to your domain controller.

You can try to set the default sub zone to "treat as authenticated" that way the presence will work and your endpoint also gets registered to VCS control as the any request coming to this subzone will be treated as authenticated.

Regarding the second question it is always advisable to use proxy authentication on expressway. you need to set the traversal zone on VCS control to "check credentials". This way any request coming in from the internet would be passed by expressway to control and it will verifies the credential to domain controller.

also please ensure that you have proper search rules in place for control to expressway communication and enable proxy authnetication under SIP configuration on the expressway.

Thanks

Alok

Regarding the document link you posted, TMS is configured as the document prescribes.  I also have the Authenticating-Devices-Deployment Guide.  It notes for the VCS Control: Configure 'Active Directory Service' page, plus change the Default Zone, Default Subzone and Traversal Zone to 'Check Credentials'.  Since this will definitely disable the ability to use presence, are you saying AD lookups for Movi users will still work if I set the default subzone to 'treat as authenticated'? (which will allow presence as well as regsitering room systems without authetication)

Thanks Alok. I'm trying to get this straight before I attempt to make these changes. Fyi, everything works (including Traversal calls to/from the internet). I'm just trying to get this AD Movi accounts working.

You mentioned changing 'Device Authentication Configuration' to LDAP Database (from local database). Fyi, the

Authenticating-Devices-Deployment Guide mentions only setting the NTLM Protocol Challeneges to 'Auto' but no mention of changing from 'Local Database' to LDAP Database. Just an FYI that the documentation (pasted below) is missing this step.

<<

Enable NTLM authentication challenges

When Active Directory details have been configured and the VCS has been joined into the AD domain,

VCS can now be configured to challenge Movi (4.2 or later) with NTLM authentication challenges.

1. Go to VCS configuration > Authentication > Devices > Configuration.

2. Ensure that NTLM protocol challenges is set to Auto.

Never use On, as this will send NTLM challenges to devices that may not support NTLM (and

therefore they may crash or otherwise misbehave).

3. Click Save if required.<<

Timothy,

check this document.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-1.pdf

Now i am unsure of the method you are using. The document talks about two methods.

1) H.350 directory service lookup via LDAP  mehtod outline on page 15.

This require to set the database type as LDAP.

2) Active Directory database (direct)

If Active Directory (direct) authentication has been configured and NTLM protocol challenges is set to Auto, then NTLM authentication challenges are offered to those devices that support NTLM.

This can be enabled same time as local database. in this case the database type is set to Local however if the VCS finds that client supports NTLM it is going to challenge it using the NTLM and verfiy the credential.

So it all depends on which method you are using. Since your post mentioned LDAP i was assuming you are using method 1. Although lot of customers use method 2 defined above for MOVI authentication.

Regarding questions to zone settings.

please note initial provisioning request would be coming from Default zone so setting this to check credential makes VCS to challenge the client for authentication.

Setting subzone to "check credential" will effect all the things. you will see in the document a note mentioning the below

"Note that setting up your VCS’s authentication policy to check credentials will affect all devices (not just Movi) that send provisioning, registration, presence, phone book and call requests to the VCS." so if you set subzone to check credentials it is going to affect all the things.

setting "check credential" on traversal zone is OK.

I hope it clarifies now.

Thanks

Alok

Yes, I have setup Active Directory database (under vcs configuration> authentication>devices>AD lookup).  I am using this specifically because I wanted the mixed authentication usage (authenticating to AD for Movi, autheticating to the local database for the C series room endpoints).

Sorry for asking this again (I'm just not 100% cure).....I can leave the default subzone at 'treat as authenticated', correct? And this will still allow the Movi passwords to be authenticated an AD lookup?

Thanks Alok!

Timothy,

Yes, it should work. I don't see any issue with keeping the subzone to "treat as authenticated".  Again the subzone is where all "registration" request will pass through including your presence and phone book.

the initial provisioning subscribe for MOVI/Jabber is always pass through the Default zone which in your case will be challenged for credential.

try it out and if you face any problem then post here.

Thanks

Alok

Thanks Alok for having patience with me :-). I now feel a lot better if I can leave the default subzone as 'treat as authenticated'...so i can provide presence plus have room systems register to VCS without authenticating.

I'll post results just as soon as I try this......thanks again...

Timothy,

I am glad that after the discussion your doubts are cleared...!! and if you face issue any issue do post here.

If your issue resolved then i would appreciate if you marked the thread as answered!:)

Thanks

Alok

Alok,

Thanks for the help. Leaving the default sub zone at 'treat as authenticated' worked. Presence remained functional and room systems (C series) continued to register to the VCS control without authentication. Fyi, the

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-1.pdf

document specifies changing the default subzone to 'check credentials'. You might want to add language to this document that alters this specification.

Thanks again for your help....

Hi Timothy,

I won't say thats the error in document. The document incorporates best practise where in every message would be challenged by setting default subzone to "check credentials".

But it deployment specific where some wants to authenticate everything or some are OK with keeping the subzone to "treat as authenticated".

Thanks for the feedback and rating the post.

Thanks

Alok

Alok,

It certainly is not a sticking point, however, the deployment guide, to me, does not indicate making the default sub traversal zone 'check credentials' as optional/best practice (page 41). It reads as this is the way it is done. I just would suggest a side note within the deplyment guide that you can, optionally, leave the default sub traversal zone as 'treat as authenticated' for purposes of presence functionality and non authenticated room system registration (also maybe indicate what functionality you lose if you set it at 'treat as authenticated' versus 'check credentials').

Just a friendly suggestion.