Active Directory integration with Telepresence - Jabber video

nuinoahmed
Level 1

Hello,

I would like to have a clarification about AD integration with existing TP infrastructure.

We have A VCS-C 8.x, VCS-E 7.2.2, TMS 14.3 with TMSPE.

We need to have our Video Jabber users using their accounts and authentication from existing user accounts on AD. All other codecs' authentication will remain local on the VCS-C.

Where should I configure the AD integration?  On TMS only? VCS-C only? or both?

Is there any document that explains this setup clearly?

Thanks.


9 Replies

Patrick Sparkman
VIP Alumni

You would do this in two parts; the first part is optional and helps make the management of accounts easier in TMS.

  1. Configure TMSPE to import users from AD.  This will allow them to use their username from AD and keep you from having to manually create accounts in TMS.  See "Importing users from external directories" in the Cisco-TMSPE-with-VCS-Deployment-Guide-1-3, pg 29.
  2. Configure VCS to use Active Directory Services (ADS).  This will allow them to use their password from AD via NTLM.  See Cisco-VCS-Authenticating-Devices-Deployment-Guide-X8-2.

Thanks Patrick for your reply.

I also found the following link, which seems to be a summary of both docs you mentioned.

http://ciscovideolab.com/mediawiki/index.php?title=Lab6&printable=yes

Looks about right, good find.

One thing to note: do you authenticate Jabber Video clients before allowing them to register to your VCS?  For example, whatever subzone you have configured Jabber Video to register to, be it the default subzone or a subzone you created with membership rules.

Hi Patrick,

Yes, Jabber Video clients must authenticate before registering.

I forgot to mention that internal Jabber Video clients register to the VCS-C and external Video Jabber clients register to the VCS-E.  Am I supposed to turn on SIP registration proxy mode on the VCS Expressway?  How will external Video Jabber clients be authenticated?

Thanks,

Ahmed

If you want the Jabber Video clients to send their authentication requests to the VCS Control, where you have ADS setup, you need to configure the default and traversal zones to not check credentials on the Expressway, and to check credentials on the Control.

Regarding your comment about authenticating to the Expressway, just to be clear: before the client can actually create a registration on the Expressway, do you want them to authenticate, meaning the subzone where they will register to is checking credentials?  If so, ADS poses a problem here.  As the Jabber Video client will always use NTLM to send its credentials when ADS is in use, the Expressway will be presented with the user's domain username/password.  As the Expressway is not connected to AD to check those credentials, it won't allow the registration.  Authentication requests for registration always happen on the local server, because that is where the registration is to be.

Zac, in the discussion below, covers this very well, including how to get around this when using ADS and registering Jabber Video to the Expressway.

jabber-video-authentication-vcs-ce

Hi Patrick,

Thanks again for your input. I had a quick look at Zac's proposed solution, but I am not sure it will fit our setup, as the same users are sometimes registering to the VCS-C and sometimes to the VCS-E.  We need the same way of authenticating wherever the Video Jabber is registered.  I will read the proposed solution again in detail.

But, I probably found the right document and solution.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-2/Cisco-VCS-Authenticating-Devices-Deployment-Guide-X8-2.pdf

Page 51.

It seems that since VCS X8.1, a new feature was added called Delegated credential checking. This permits authentication to be delegated to the VCS-C when the VCS-E cannot be connected to the AD server.

Please have a look and let me know your comments.  Thanks.

Ahmed

That should work, however I don't have any experience with using the delegated credentials feature.  Looking back at the discussion I linked to, I had forgotten that the other reply I marked as an answer is Zac mentioning this feature, and it will provide the same solution.  Good catch, that was some time ago, I forgot all about it.

Yes, I also see now that Zac mentioned this :-)

As the VCS-C is 8.2 already, I will also upgrade the VCS-E to 8.2 (that was supposed to be done soon anyway).  I will implement this and will share any interesting findings later.  Thanks again Patrick for this helpful discussion.

You're welcome, glad that I was able to help.  I have Zac's original solution in place; delegated credentials isn't an option for me at the moment.

Don't forget to mark relevant replies as "correct", so others can easily find answers to the same questions.