authenticating Jabber Video on VCS vs TMS import

Douglas Baggett
Level 1

Hello all! Thanks ahead of time for the help.

Am I correct in my reading that you can authenticate Jabber video users two different ways? One direct to the VCS by configuring AD on the VCS itself, and the other is by importing users on the TMS itself within the TMSPE provisioning tree?

I'm running VCS 7.2.1 and TMS 14.3.

I have a bunch of Jabber video users that are manually provisioned. I want to migrate the whole setup to AD but am unsure in this regard (which way is best).

I have an additional twist. Due to some unfortunate planning, the current manually created database of users has accounts that have the same user IDs as their accounts currently in AD. I'm not sure if I have to delete those accounts first (quite a few) before hooking up AD on the VCS or TMS.

Accepted Solutions

Patrick Sparkman
VIP Alumni

Hello Douglas -

Yes you can authenticate two different ways, however, only one method at a time.

When you have created manual accounts in TMS for provisioned users, you can authenticate using those users' accounts/passwords that you've created. The accounts are configured within TMS, and are stored within the VCS's local database.

Importing users from AD into TMS only imports the users' information (name, username, company info), it doesn't import passwords. You'd have to configure the VCS to use Active Directory Services to join your domain. When a user tries to log in, they will then authenticate to AD via the VCS.

If you try to do an import from AD within your provisioning directory, you'll need to delete the manual accounts, as the import will give an error when it tries to import/create a user that already has a manual account created.  I can't say for certain, but you might be able to leave the manual accounts, and run with it that way, just have to remember those specific accounts won't be moved/deleted if your AD structure changes.

I'd recommend you take a look at the Authenticating Device Deployment Guide for your version of VCS, it can help a lot.

http://www.cisco.com/en/US/products/ps11337/products_installation_and_configuration_guides_list.html

Ok, so you are saying you need to enable it on the VCS AND import users on the TMS?

Sounds like I'll need to delete the accounts. I guess it will pay to make sure the SQL database is backed up PRIOR to doing this.

More than likely I'll delete my manual accounts and then set up the AD afterwards.

Sorry for the confusion. I must have missed somewhere where it talked about what needed to be done on both devices (TMS AND VCS).

I've never configured AD authentication with manually created accounts in TMS myself, but I'm sure it would work as long as the usernames of manually created accounts match those in AD. Testing is probably the way to go here, doesn't hurt in either case to test when making such a big authentication change for the users. If that works, it really comes down to your preference, do you want to have to worry about a mix of manual and imported accounts?

There is another thread that mentioned something of having manual accounts then wanting to import accounts from AD that contained some of the same usernames.  Can't remember the name of it though.

Whenever I think of using AD authentication, I'm always thinking of sending TMS in that route too for the user accounts, to me it's simpler that way, knowing the accounts are imported/created automatically.

And one more question...

If I leave the old users it sounds like those users already in the database will still be active since the matching AD user with the same name will not be imported (since they are already there).

That could be useful as the current user base would continue to work but the rest of the users would be imported from AD (that are not previously locally provisioned).

Assuming I can run it that way, how often does the AD userbase get imported? Ideally what I'm thinking I could do is delete individual locally provisioned users as time allows and then replace them with their AD counterparts?

Here is the discussion I was referring to about importing users into TMSPE with manually created accounts in place that match some being imported.

https://supportforums.cisco.com/message/4149073

Here is a discussion that mentions the import time.

https://supportforums.cisco.com/message/3783278

Ok. Now you've embarrassed me. You found a thread that I was in and completely forgot about.