11-05-2014 02:58 AM - edited 03-18-2019 03:37 AM
Hello,
I would like to have a clarification about AD integration with existing TP infrastructure.
We have a VCS-C 8.x, VCS-E 7.2.2, TMS 14.3 with TMSPE.
We need to have our Video Jabber users using their accounts and authentication from existing user accounts on AD. All other codecs' authentication will remain local on VCS-C.
Where should I configure the AD integration? On TMS only? VCS-C only? or both?
Any document that explains this setup clearly?
Thanks.
11-05-2014 05:49 AM
You would do this in two parts, the first part is optional to help make the management of accounts easier in TMS.
11-05-2014 07:54 AM
Thanks Patrick for your reply.
I also found the following link that seems to be a summary of both docs you mentioned.
http://ciscovideolab.com/mediawiki/index.php?title=Lab6&printable=yes
11-05-2014 08:02 AM
Looks about right, good find.
One thing to note, do you authenticate Jabber Video clients before allowing them to register to your VCS? For example, whatever subzone you have configured Jabber Video to register to, be it the default subzone or a subzone you created with membership rules.
11-05-2014 08:24 AM
Hi Patrick,
Yes, Jabber Video clients must authenticate before registering.
I forgot to mention that internal Jabber Video clients register to the VCS-C and external Video Jabber clients register to the VCS-E. Am I supposed to turn on SIP registration proxy mode on the VCS Expressway? How will external Video Jabber clients be authenticated?
Thanks,
Ahmed
11-05-2014 08:38 AM
If you want the Jabber Video clients to send their authentication requests to the VCS Control, where you have ADS setup, you need to configure the default and traversal zones to not check credentials on the Expressway, and to check credentials on the Control.
Regarding your comment about authenticating to the Expressway, just to be clear: before the client can actually create a registration on the Expressway, do you want them to authenticate, meaning the subzone where they will register is checking credentials? If so, ADS poses a problem here. As the Jabber Video client will always use NTLM to send its credentials when ADS is in use, the Expressway will be presented with the user's domain username/password. As the Expressway is not connected to AD to check those credentials, it won't allow the registration. Authentication requests for registration always happen on the local server, because that is where the registration is to be.
Zac, in the discussion below, covers this very well, and how to get around this when using ADS and registering Jabber Video to the Expressway.
11-05-2014 02:45 PM
Hi Patrick,
Thanks again for your input. I had a quick look at Zac's proposed solution but I am not sure it will fit our setup, as the same users are sometimes registering to VCS-C and sometimes to VCS-E. We need the same way of authenticating wherever the Video Jabber is registered. I will read the proposed solution again in detail.
But, I probably found the right document and solution.
Page 51.
It seems that since VCS X8.1, a new feature was added, called Delegate credential checking. This permits authentication to be delegated to the VCS-C when the VCS-E cannot be connected to the AD server.
Please have a look and let me know your comments. Thanks.
Ahmed
11-05-2014 02:58 PM
That should work, however I don't have any experience with using the delegated credentials feature. Looking back at the discussion I linked to, I had forgotten that the other reply I marked as an answer is Zac mentioning this feature, and it will provide the same solution. Good catch, that was some time ago, I forgot all about it.
11-05-2014 03:11 PM
Yes, I see it also now that Zac mentioned this also :-)
As the VCS-C is on 8.2 already, I will also upgrade the VCS-E to 8.2 (that was supposed to be done soon anyway). I will implement this and will share any interesting findings later. Thanks again Patrick for this helpful discussion.
11-05-2014 03:14 PM
You're welcome, glad that I was able to help. I have Zac's original solution in place; delegated credentials isn't an option for me at the moment.
Don't forget to mark relevant replies as "correct", so others can easily find answers to the same questions.