07-03-2013 01:39 AM - edited 03-18-2019 01:24 AM
Hi,
I have an issue regarding jabber/movi registering on the local VCS Control. They cannot login using their Jabber account on the VCS Control that were provisioned on TMSPE. The error login message is "Wrong username/password or domain"...
Jabber users that were provisioned manually on the TMS can log in successfully.
Connection between TMS and AD is ok and import of AD users were successful.
What should be the correct configuration on the VCS Control authentication policy?
>Default Subzone ?
>Default Zone ?
>Traversal Zone ?
Do I need also to connect the VCS Control to the AD?
Thank you,
Acevirgil
07-03-2013 02:15 AM
"Check credentials" on all three - and yes, the VCS-C must be added to AD.
/jens
Please rate replies and mark question(s) "Answered" if applicable.
07-03-2013 02:39 AM
Hi Jens,
Do we need an AD admin account for us to join the VCS-C on the AD?
Thanks,
Acevirgil
07-03-2013 02:56 AM
Hi,
yes, you need an Admin account or an account with "administrator" or "account operator" privilege.
see page 18 of this document:
regards, Ahmad
07-03-2013 02:57 AM
Hi Jens,
We configured the VCS-C zones with authentication policy with:
>Default Subzone = treat as authenticated
>Default Zone = treat as authenticated
>Traversal Zone = treat as authenticated
We did not connect the VCS-C on the AD and Jabber users using their AD credentials can login successfully.
Thank you for the help.
Best regards,
Acevirgil
07-03-2013 03:08 AM
Hi Acevirgil,
we set "treat as authenticated" for infrastructure devices such as MCU, etc.
for endpoints such as Jabber please use "check credentials".
same document as before (page 11 and page 39).
regards, Ahmad
07-03-2013 03:25 AM
Acevirgil,
We configured the VCS-C zones with authentication policy with:
>Default Subzone = treat as authenticated
>Default Zone = treat as authenticated
>Traversal Zone = treat as authenticated
We did not connect the VCS-C on the AD and Jabber users using their AD credentials can login successfully.
In fact, maybe your AD integration is not even working. When you set "treat as authenticated", Jabber clients are able to log in even if the user enters a wrong password, or even a blank password, because in this case the VCS doesn't even challenge the client for authentication. So it doesn't mean your AD integration is working, because the users are logging in without authentication.
You should never use "treat as authenticated".
Go ahead and configure all zones in VCSc as "check credentials", as suggested by Jens.
Regards
Paulo Souza
Please rate replies and mark question as "answered" if applicable.
07-03-2013 08:34 AM
Hi Paulo,
Good recommendation. I will reconfigure all the zones in the VCS-c authentication policy to "check credentials".
But if we tried to set "check credentials" on those zones, Jabber AD users can't login and "wrong username/password" is the error login message. Or maybe there is something wrong with the configuration on the Subzones and its membership rule?
If we configure all zones on VCS-c authentication policy to "check credentials" we need to add also the VCS-c on the AD domain?
Thanks for the help.
Acevirgil
07-03-2013 10:02 AM
Hi Acevirgil,
So this is how the AD authentication works from VCS. TMS imports users from AD but it doesn't import the password.
These users get replicated to the VCS local database without a password.
On VCS you have two options.
- Active directory
- LDAP
When you go for Active Directory authentication, the VCS should join the domain. For this, an account with sufficient privileges is probably needed so that the VCS can be joined to the domain.
When the Movi/Jabber user tries to log in, the VCS challenges it (only when the default zone is kept as "check credentials") and then the credentials supplied by the client will be checked through AD. Once this process is completed, the user receives its provisioning settings and then the client initiates a "REGISTER" message.
REGISTER goes to the default subzone or a specific subzone (if created), and if that subzone is kept as "check credentials" the registration request will again be challenged by the VCS and authenticated as said above. If you keep the Default subzone as "treat as authenticated" then the VCS won't challenge it but will allow the client to register without challenging the REGISTER message.
If you are getting the wrong domain or password error then something is wrong. Again, check the templates, search rules etc.
When you go to the AD page on the VCS, does it show active and joined to the domain? If the VCS is not joined to the domain properly, that might be the reason you are getting the error when keeping "check credentials" on the default zone.
Please reverify the AD settings on the VCS and try again.
cheers
Alok
07-03-2013 10:16 AM
Hi Alok,
Thank you for the in-depth explanation of the process of how Jabber users are authenticated on the VCS using an AD account.
By the way, the VCS-c was not configured yet to join the AD domain; that's why Jabber users are able to log in with the "treat as authenticated" policy on the zones.
For security reasons and as recommended, we will do the best practice. I'll keep you posted on how it goes...
Thank you for the help.
Best regards,
Acevirgil
07-24-2013 12:32 AM
Hi Alok,
I observed that even for the manually provisioned Jabber users on the TMS, when I change the "treat as authenticated" policy to "check credentials" on the zones, the user can't log in. It's getting weird.
We thought that the only issue was the users imported from AD. I manually created a "Jabber test user" on the TMS and configured the VCS Control authentication policy with different modes, and I got different error messages:
Default SubZone: "treat as authenticated"
Default Zone: "treat as authenticated"
> "Jabber test user" can log in using any password
Default SubZone: "check credentials"
Default Zone: "check credentials"
> "Jabber test user" cannot log in with the real password
> Error login message: "Wrong username/domain or password"
Default SubZone: "check credentials"
Default Zone: "treat as authenticated"
> "Jabber test user" cannot log in with the real password
> Error login message: "Log in failed due to registration failure"
Default SubZone: "treat as authenticated"
Default Zone: "check credentials"
> "Jabber test user" cannot log in with the real password
> Error login message: "Wrong username/domain or password"
I already raised and opened a case for this kind of issue with TAC, and I would also like to ask for assistance on this site for faster troubleshooting.
Best regards,
Acevirgil
07-24-2013 07:25 AM
Hi Acevirgil,
The behaviour is correct. As also mentioned in the device authentication deployment guide, you can't have mixed-mode authentication: either AD users or local users can log in at a time.
When the Default Zone is set to "check credentials" and you have VCS integration with Active Directory, the VCS challenges the user with NTLM and then verifies the credentials provided by the Jabber client against Active Directory.
So if you have a user manually created in TMS, it won't work. I think this question has been raised earlier and you will see a lot of threads on it.
Basically there is a feature request pending with the developers and I'm not sure when it will be implemented.
Rgds,
Alok
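As an added illustration of the behaviour Alok and Acevirgil describe (this is example code written for this page, not something posted in the thread or shipped by Cisco), the following Python model walks a Jabber login through the two stages the posts name: the Default Zone policy for the provisioning login and the Default Subzone policy for the SIP REGISTER. It reproduces the four outcomes from the 07-24 test matrix and Alok's "no mixed mode" point, and adds a small audit that flags zones left on "treat as authenticated" or "check credentials" used with AD-imported users while the VCS is not joined to the domain. The user names, passwords and the local-database fallback for TMS-created accounts are assumptions made for the example.

```python
# Added example (not from the thread or from Cisco): a model of the two-stage
# Jabber/Movi login flow described above. VCS behaviour follows the posts; the
# local-database fallback for manually created TMS accounts is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHECK = "check credentials"
TREAT = "treat as authenticated"

WRONG_CREDS = "Wrong username/domain or password"
REG_FAILED = "Log in failed due to registration failure"


@dataclass
class Vcs:
    default_zone_policy: str
    default_subzone_policy: str
    ad_joined: bool
    # Active Directory accounts (constructed sample data): username -> password
    ad_users: Dict[str, str] = field(default_factory=dict)
    # VCS local database replicated from TMS. AD-imported accounts arrive with
    # no password (None); manually created TMS accounts carry one.
    local_users: Dict[str, Optional[str]] = field(default_factory=dict)

    def verify(self, user: str, password: str) -> bool:
        """Credential check performed whenever a zone or subzone is set to CHECK."""
        if self.ad_joined:
            # Joined to the domain: the NTLM challenge is answered against AD only,
            # so a TMS-local account cannot authenticate (no mixed mode).
            return self.ad_users.get(user) == password
        # Not joined: only the local database is available (assumption), and an
        # AD-imported user has no password there, so it can never pass.
        stored = self.local_users.get(user)
        return stored is not None and stored == password

    def login(self, user: str, password: str) -> str:
        """Return the client-visible outcome of a Jabber login attempt."""
        # Stage 1: provisioning login, governed by the Default Zone policy.
        if self.default_zone_policy == CHECK and not self.verify(user, password):
            return WRONG_CREDS
        # Stage 2: the SIP REGISTER lands in the Default Subzone.
        if self.default_subzone_policy == CHECK and not self.verify(user, password):
            return REG_FAILED
        # TREAT on a stage means no challenge at all: any password is accepted.
        return "OK"


def audit(vcs: Vcs) -> List[str]:
    """Flag the two misconfigurations the thread discusses."""
    findings = []
    for name, policy in (("Default Zone", vcs.default_zone_policy),
                         ("Default Subzone", vcs.default_subzone_policy)):
        if policy == TREAT:
            findings.append(f"{name} is '{TREAT}': clients log in with any password")
    uses_check = CHECK in (vcs.default_zone_policy, vcs.default_subzone_policy)
    has_ad_imported = any(pw is None for pw in vcs.local_users.values())
    if uses_check and has_ad_imported and not vcs.ad_joined:
        findings.append("'check credentials' with AD-imported users but VCS not joined "
                        "to AD: those users will always fail")
    return findings


# Constructed data: 'alice' imported from AD, 'jabbertest' created manually in TMS.
AD = {"alice": "CorrectHorse"}
LOCAL = {"alice": None, "jabbertest": "LocalPw1"}


def outcome(zone: str, subzone: str, joined: bool, user: str, password: str) -> str:
    """Convenience wrapper: build a VCS with the sample data and attempt a login."""
    return Vcs(zone, subzone, joined, AD, LOCAL).login(user, password)


if __name__ == "__main__":
    # Reproduce the thread's matrix for an AD-imported user on a VCS not joined to AD.
    for zone, subzone in ((TREAT, TREAT), (CHECK, CHECK), (CHECK, TREAT), (TREAT, CHECK)):
        print(f"zone={zone!r:28} subzone={subzone!r:28} not joined -> "
              f"{outcome(zone, subzone, False, 'alice', 'CorrectHorse')}")
    # Once joined, the manually created TMS user fails: no mixed-mode authentication.
    print("joined, jabbertest ->", outcome(CHECK, CHECK, True, "jabbertest", "LocalPw1"))
    print(audit(Vcs(TREAT, TREAT, False, AD, LOCAL)))
```

Running it prints the same error strings Acevirgil listed for each policy combination, and `audit` returns an empty list only for the configuration the replies recommend: both zones on "check credentials" with the VCS joined to AD.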
07-24-2013 07:27 AM
Can you let me know the TAC case SR number? Just IM me.
thanks
Alok
07-03-2013 03:31 AM
With "treat as authenticated" you might find that they can log in with any password and/or any username, you need to set it to "check credentials". I strongly suggest you study the documentation linked to by Ahmad.
/jens