07-19-2012 08:53 AM - edited 03-17-2019 11:29 PM
I've successfully configured our VCS to authenticate Jabber Video (Movi) users to AD, however when I try to log in as a manually created user from TMS, I can't. Is there a way to have AD authentication enabled, but at the same time be allowed to use the credentials that are present in TMS? For users in AD as well as those not, such as the ones manually created in TMS.
Thanks, Patrick
07-19-2012 09:24 AM
Patrick,
The "NTLM Protocol challenges" setting (which enables/disables AD authentication for Jabber Video (and Movi 4.2 and higher)) is a box-wide setting, and you therefore can't choose to use AD authentication for a selection of users while doing regular (Digest) authentication for others.
If you have a strong need for a mixed-authentication environment, your best bet would be to use 2 VCS's and TMS PE, where in TMS PE, you have 1 group of AD imported users which are homed on one VCS, and another group of manually created users which are homed on the other VCS, and then enable NTLM/AD auth on the first VCS and disable NTLM/AD auth on the second VCS.
The reasoning behind the all-in/all-out approach for NTLM authentication for Jabber Video is that in a "normal" enterprise environment, if you are using AD authentication for provisioning, you are likely to be doing so for all of your users, and not just a subset of them.
Hope this helps,
Andreas
07-19-2012 09:28 AM
Thanks Andreas, it makes perfect sense. Tell me, could those two VCS's be clustered together but still have one dedicated to AD and the other to TMS Agent (Provisioning), or do they need to be the same since in a cluster? I take it since you mentioned TMSPE that it isn't possible with the Legacy Agent.
07-19-2012 09:33 AM
Patrick,
They cannot be clustered, since the NTLM Protocol challenges setting would be replicated from the master to the slave; they need to run as individual VCS's.
I recommended using TMS PE since with TMS PE, you can associate a group (folder) of users in TMS (On the 'Users' page in TMS PE) with a certain VCS or VCS cluster, which makes everything easier to manage.
With legacy TMS Agent, the entire user base would be replicated over to both VCS's, which would still work but be more of a "mess".
Anyone deploying provisioning now should be going the TMS PE route in any case, in my opinion, which is why I'm advocating for TMS PE.
- Andreas