Cisco jabber for windows, "use windows credentials"

Hi all,

I've configured my Jabber for Windows to use the Windows credentials parameter in the jabber-config.xml file. I wanted to know if I should instead put a plain-text ID and password for the LDAP search (Microsoft Active Directory), or leave the option of Windows credentials.

And a very important question.

Does this option have security consequences? For example, do the Windows credentials travel in plain text from the Jabber client to the LDAP server over the network? (Because that is a big security problem.)

How does it work?

Regards

Here is my working configuration:

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
<Directory>
   <ConnectionType>1</ConnectionType>
   <PrimaryServerName>x.x.x.x</PrimaryServerName>
   <ServerPort1>389</ServerPort1>
   <SearchBase1>ou=usuarios,dc=emp,dc=mycompany,dc=com</SearchBase1>
</Directory>
</config>

Should I use "SSL"?

I hope you could give me some advice.

Thanks

Accepted Solutions

Jonathan Schulenberg
Hall of Fame

If you use EDI and Windows Credentials, Jabber will utilize the native ADSI API to perform the query. This is the most preferred option both from a scale (the most appropriate DC for this user is queried based on the AD Sites design) and security perspective (the user has an active Kerberos session token).

BDI, on the other hand, with a set of static credentials results in an AD username/password sitting locally on the user's workstation (admittedly hashed). If someone locks that account, lookups for all users will fail; good luck digging yourself out of this hole if it happens to you. To protect the password in transit you would have to require SSL (no Kerberos here), which will increase the load on the domain controller. Also, a static set of DCs will be queried regardless of the user's location, which makes this more rigid.

Please remember to rate helpful responses and identify helpful or correct answers.


Thank you very much, Jonathan, very helpful.

I also got one issue with this...

If the computer that has Jabber for Windows is not part of a Windows domain, Jabber will not show the users and phone information in the search field for that machine.

Regards.

If you want it to work on non-domain joined workstations you would need to set static credentials. You can either change the global XML file to do this to everyone; or, create a separate one (e.g. jabber-config-standalone.xml) and point those users to it. Prior to CUCM 8.6(2a)SU2 you have to specify the alternate XML file at install time. With the current CUCM builds there is a new setting on the CSF device under Product Specific Configuration Layout in CUCM Administration. You will see a Cisco Support Field. In it you can specify configurationfile="yourfilename.xml". This will point Jabber to the non-default config file on the TFTP server.

Please remember to rate helpful responses and identify helpful or correct answers.
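
The trade-off in the two answers above (Windows credentials for domain machines, a separate static-credential file for standalone ones) can be checked before a config file is published to the TFTP server. The following Python check is an added example, not part of the thread or of Cisco's tooling; it flags a Directory section that carries a static bind account and whether that bind is left without SSL. The element names UseWindowsCredentials, ConnectionUsername, ConnectionPassword and UseSSL are assumed from Cisco's EDI directory parameters and do not appear in the thread, and the account name and password are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed samples. DOMAIN_CFG mirrors the <Directory> block in the question;
# STANDALONE_CFG is a hypothetical jabber-config-standalone.xml with a static bind.
DOMAIN_CFG = """<config version="1.0"><Directory>
  <ConnectionType>1</ConnectionType>
  <PrimaryServerName>x.x.x.x</PrimaryServerName>
  <ServerPort1>389</ServerPort1>
  <SearchBase1>ou=usuarios,dc=emp,dc=mycompany,dc=com</SearchBase1>
</Directory></config>"""

STANDALONE_CFG = """<config version="1.0"><Directory>
  <ConnectionType>1</ConnectionType>
  <PrimaryServerName>x.x.x.x</PrimaryServerName>
  <ServerPort1>389</ServerPort1>
  <UseWindowsCredentials>0</UseWindowsCredentials>
  <ConnectionUsername>svc-jabber-lookup</ConnectionUsername>
  <ConnectionPassword>CONSTRUCTED-PLACEHOLDER</ConnectionPassword>
  <SearchBase1>ou=usuarios,dc=emp,dc=mycompany,dc=com</SearchBase1>
</Directory></config>"""


def audit_directory(xml_text):
    """Return finding codes for the <Directory> section of one config file."""
    directory = ET.fromstring(xml_text).find("Directory")
    if directory is None:
        return ["no-directory-section"]

    def value(tag):
        return (directory.findtext(tag) or "").strip()

    findings = []
    if value("ConnectionUsername") or value("ConnectionPassword"):
        # One shared AD account handed to every client that loads this file:
        # if it is locked out, lookups fail for all of them.
        findings.append("static-credentials-in-config")
        if value("UseSSL") != "1":
            # Assumption: UseSSL=1 is the setting that protects the bind in transit.
            findings.append("static-bind-without-ssl")
        if value("UseWindowsCredentials") == "1":
            findings.append("conflicting-credential-settings")
    return findings


def audit_files(files):
    """Map file name -> findings, keeping only the files that have findings."""
    results = {name: audit_directory(text) for name, text in files.items()}
    return {name: found for name, found in results.items() if found}
```

The question's own configuration produces no findings because it binds with the logged-in user's Windows credentials; only the standalone file is reported.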

Hi, Jonathan.

Because I use CUCM 8.6.1, I will follow the instructions in your link.

TFTP_FILE_NAME

Filename

Specifies a unique name for the global configuration file on your TFTP server. You should specify a value for this argument if your global configuration file does not use the default name of jabber-config.xml.

You can specify either an unqualified or fully qualified filename as the value. The name you specify as the value for this argument overrides any other global configuration files on your TFTP server.

This argument is optional.

Very helpful, thank you.