
Movi authentication for VCS-TMSPE-AD?

lianzhao
Cisco Employee

Hi, Expert

The setup is VCS X7.2, TMSPE 13.2 with MS active directory as the user database.

The user account has been imported into TMSPE by System > Provisioning > Users > XXX group > User import > Configure AD.

And the VCS has been integrated with TMSPE successfully.

The problem here is how the authentication works: is the full username/password imported to TMSPE during the import and then passed to VCS, or is only the user info imported to TMS?

I tried to log in, but it reported that the username/password was wrong, with the logging below. If I change the user's password in TMSPE manually, then it works.

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,406" Module="network.http" Level="DEBUG":  Message="Request" Method="POST" URL="http://127.0.0.1:9998/credential/name/lianzhao" Ref="0x3985970"

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="network.http" Level="DEBUG":  Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="47550" Response="200 OK" ResponseTime="0.003867" Ref="0x3985970"

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="network.ldap" Level="INFO":   Detail="Authentication credential found in directory for identity: lianzhao"

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(453)" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials" Thread="0x7f7b9fffd700": calculated response does not match supplied response, calculatedResponse=6c510983415df744b9fc057cd5315133, response=bfc97064a7d7e434f1a1d189e59d996e

Accepted Solutions

Tomonori Taniguchi
Cisco Employee

For device authentication using NTLM by integrating MS AD, TMS imports the user account from the AD server (only the user account, not the password).

This account information is exported to VCS from TMS as a provisioning user account (again, it does not include the password).

When VCS receives a provisioning request from the Jabber Video client, VCS will challenge the password against the AD server.

For the signaling flow, please refer to https://supportforums.cisco.com/docs/DOC-25398 or the device authentication deployment guide.
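Why the WARN line in the question appears, shown as an added example that is not part of the thread and not Cisco code: a digest check recomputes the response from a password held locally, so an account imported from AD without its password cannot match what the client sends. Standard RFC 2617 digest is assumed here; the realm, URI, nonce and both passwords are constructed values.

```python
import hashlib
import hmac


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest response (the scheme SIP digest authentication uses)."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # needs the password or a stored HA1
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def validate(local_password, supplied, **challenge):
    """Server side: recompute from the locally held password and compare."""
    if local_password is None:
        return False  # nothing to derive HA1 from, so the check cannot pass
    calculated = digest_response(password=local_password, **challenge)
    return hmac.compare_digest(calculated, supplied)


# Constructed challenge parameters (assumptions, not values from the thread).
CHALLENGE = dict(user="lianzhao", realm="vcs.example.com", method="REGISTER",
                 uri="sip:vcs.example.com", nonce="constructed-nonce-0001")


def demo():
    ad_password = "Constructed-AD-Passw0rd"    # what the user types in the client
    local_password = "constructed-local-value"  # local entry that never got the AD password
    supplied = digest_response(password=ad_password, **CHALLENGE)
    before = validate(local_password, supplied, **CHALLENGE)  # mismatch, as in the WARN line
    after = validate(ad_password, supplied, **CHALLENGE)      # local password set to match
    return before, after


if __name__ == "__main__":
    print(demo())
```

The second result corresponds to the workaround in the question (setting the password by hand in TMSPE); the answer above avoids keeping a second copy of the password by letting VCS check it against AD with NTLM.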

Hi, Tomonori

Thanks for the suggestion. I'm configuring VCS Configuration > Authentication > Devices > Active Directory Services, but it always shows that it failed to join the domain:

If the status of the AD service shows “inactive”, then VCS won’t be able to challenge the user account password against the AD server.

Therefore the provisioning request from the Jabber Video client will fail due to incomplete user authentication.

Have you configured all mandatory fields for the AD service configuration on VCS properly?
If all parameters are correctly configured (ideally following the deployment guide) but VCS still fails to join the AD domain, I’d suggest opening a TAC case to review the configuration and negotiation status with additional log information.

When you talk about the mandatory fields for AD service configuration, are you referring to VCS Configuration > Authentication > Devices > Active Directory Services?

Yes, correct.

AD domain, short domain name, Clockskew, username and password are mandatory parameters for AD service configuration.

Also, if DNS SRV is not providing the DC, you need to specify the IP address of the DC.

Hi, Tomonori

I found the reason why I couldn't join the domain by checking the logs: the time on the VCSc and the domain controller is not the same. I'm trying to reset the time, but I found that although the NTP configuration on my VCSc shows synchronized, it is always 15 min ahead... I'm choosing the correct time zone, btw.

2012-11-21T13:33:47+08:00 vcsc UTCTime="2012-11-21 05:33:47,117" Module="developer.domain_management" Level="INFO" CodeLocation="membershiputils(184)" Event="Command output: failed to kinit password: NT_STATUS_TIME_DIFFERENCE_AT_DC "

GMT+8 time now is 1:30, but you can check below picture:

Sorry, after updating again and again, the time now reflects the correct one, but it does not look stable; at least until a few minutes ago, it was always ahead by 15 mins... sharply...

It changed again, ahead by 15 mins...

Do you see the same result for time sync even if you configure a different NTP server on VCS?
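A small triage script for the two failure signatures that appear in this thread, added here as an example and not posted by any participant. The sample lines are abridged from the log lines quoted above; the 300-second tolerance is an assumption (the usual Kerberos default), and the value actually in force is whatever the Clockskew field of the AD service configuration is set to.

```python
import re
from datetime import datetime

FIELD = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs in a VCS log line

# (substring to look for, finding, what to check next)
SIGNATURES = [
    ("calculated response does not match supplied response", "digest-mismatch",
     "locally held credential differs from the password the client used"),
    ("NT_STATUS_TIME_DIFFERENCE_AT_DC", "clock-skew",
     "VCS and domain controller clocks differ; fix NTP before the domain join"),
]


def triage(line):
    """Return a finding for a known failure signature, or None."""
    fields = dict(FIELD.findall(line))
    for needle, finding, hint in SIGNATURES:
        if needle in line:
            return {"utc": fields.get("UTCTime"), "module": fields.get("Module"),
                    "level": fields.get("Level"), "finding": finding, "hint": hint}
    return None


def skew_seconds(vcs_clock, dc_clock, fmt="%Y-%m-%d %H:%M:%S"):
    """Positive when the VCS clock is ahead of the domain controller."""
    delta = datetime.strptime(vcs_clock, fmt) - datetime.strptime(dc_clock, fmt)
    return delta.total_seconds()


def skew_ok(vcs_clock, dc_clock, tolerance_s=300):
    # tolerance_s is an assumed default; use the configured Clockskew value.
    return abs(skew_seconds(vcs_clock, dc_clock)) <= tolerance_s


# Abridged from the thread (hash values and thread ids dropped).
SAMPLE = [
    '2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="network.ldap" Level="INFO":   Detail="Authentication credential found in directory for identity: lianzhao"',
    '2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="developer.nomodule" Level="WARN" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials": calculated response does not match supplied response',
    '2012-11-21T13:33:47+08:00 vcsc UTCTime="2012-11-21 05:33:47,117" Module="developer.domain_management" Level="INFO" Event="Command output: failed to kinit password: NT_STATUS_TIME_DIFFERENCE_AT_DC "',
]


def run():
    return [finding for finding in map(triage, SAMPLE) if finding]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```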