09-10-2012 06:32 AM - edited 03-17-2019 11:45 PM
Hello,
I've managed to configure my VCS Control to join my AD domain, so now my Jabber Video accounts authenticate with AD credentials. I've uploaded appropriate certificates to the VCS so that the connection to AD is TLS-encrypted.
I'm using Provisioning Extensions on X7.2, and TMS 13.2.1.
Prior to adding the VCS to the AD domain, and moving over to TMSPE, Movi accounts would authenticate against the (TMS Agent) database on the VCS Control, regardless of whether the authentication request came from the VCS Control, or was passed on from the VCS Expressway. Now, Jabber clients trying to authenticate on the VCS Expressway fail if the Default Zone and/or Default SubZone are set to "check credentials". If I change the zone settings to be "treat as authenticated"... it works, but they aren't actually being authenticated, since any password is accepted. Obviously this isn't a good idea.
So my question is basically, what am I missing? Am I supposed to join the VCS Expressway to AD as well? Given the external location of the Expressway this is a less-than-desirable solution; is there no way to pass authentication requests for AD back to the VCS Control?
I've read "Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-2" and the relevant sections of the VCS Admin Guide and I'm not sure if I'm missing it but I cannot find the information to lead me in the right direction here.
09-10-2012 06:52 AM
Hi Anthony,
It's not necessary to join the Expressway to AD! The Expressway should pass all authentication to the Control, and clients should be able to register without the need to join it to the domain.
Ideally, any authentication request coming from the Expressway should be passed on to the Control, and the Control should challenge the user for credentials.
For authentication of the Jabber clients via the Expressway, you should set the traversal zone on the VCS Control to "Check credentials" and, on the Expressway, keep the Default Zone set to "Do not check credentials".
Also check whether you have enabled the ADS service on the Expressway; if so, disable it.
Thanks
Alok
09-10-2012 07:04 AM
Additionally, check whether you have search rules to pass the initial SUBSCRIBE messages from the Expressway to the Control, and secondly check the template you uploaded in TMS: does it have the public SIP URI field populated properly or not?
cheers
Alok
09-10-2012 07:10 AM
Thanks, Alok! That did the trick; I had tried everything else... it didn't occur to me to put "Check credentials" on the incoming traversal zone on the Control!
The public SIP URI field is fine, as are the search rules on the Expressway; AD authentication is working properly for my Expressway-connected Jabber clients. Thanks.
09-10-2012 07:09 AM
Hi Anthony,
I did some testing. Our Expressway has Do Not Check on the default Zone and Default Subzone. And our Control has Check Credentials on the Traversal zone to the Expressway and is set up for AD authentication. I cannot log my Movi into the Expressway without using the correct credentials.
Could you try setting up like this?
Thanks,
Guy
09-10-2012 08:08 AM
Please refer to https://supportforums.cisco.com/docs/DOC-25398 as well.
This document contains the recommended configuration for each device and also the expected signal flow for Device Authentication with AD.
10-02-2012 10:27 AM
I'm using Provisioning Extensions on X7.2, and TMS 13.2.1. and more or less have the same setup i.e:
VCSE -- >> VCSC -- >> TMS -- >> AD
VCSE subzones (treat as authenticated), VCSC traversal zone (check credential)
TMS using normal AD import
I've created normal users in an OU in AD and imported them via TMS, and my Jabber Video registration works perfectly well to my VCSE. The funny thing is, when I key in my username with a blank password, it still gets registered. But if I put in a wrong username or a wrong password, authentication fails.
Any idea on how to stop the 'blank' password from allowing my jabber to register?
Thanks.