VCS to AD integration

mayank.sharma (Level 1)

Hi Friends,

From what I understand regarding this:

Active Directory database (direct) authentication can be enabled at the same time as local database and H.350 directory service authentication.

In such circumstances you could, for example, use the Active Directory (direct) server method for Movi / Jabber Video, and the local database or H.350 directory service authentication for the other devices that do not support NTLM.

"NTLM protocol challenges" defaults to "Auto", meaning the VCS decides, based on the device type, whether to send NTLM challenges.

Assuming there is only a VCS Control, i.e. no VCS Expressway in play:

If I have AD integration and the Default Zone and Default Subzone set to "Check credentials", then I believe that Movi logins will be challenged via AD but normal endpoints will be authenticated via the local database (assuming they are in the Default Subzone).

If I have AD integration and the Default Zone and Default Subzone set to "Do not check credentials", will the Movi logins still be challenged via AD, or will they instead be authenticated via the local database?

Basically, what I am trying to determine is: will the "NTLM protocol challenges" default setting of "Auto" be totally bypassed if the Default Zone and Default Subzone are set to "Do not check credentials"?

Regards,

Mayank


6 Replies

Alok Jaiswal (Cisco Employee)

Hi Mayank,

Yes, you are right. When you set the zone to "Check credentials", the VCS checks for the NTLM authentication challenge/response and lets the endpoints that do not support NTLM authenticate via the local database.

However, when the zones are set to "Do not check credentials", the VCS will in fact not let Movi users log in, because the challenge will only be done when the zone is set to "Check credentials"; in fact, on Movi/Jabber you will see "wrong domain or password".

So the reply to your question is: it will check neither with AD nor with the local database.

Rgds

Alok
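To make the "NTLM authentication challenge/response" Alok refers to concrete, here is an added example (not code from the original thread or from Cisco) that walks through an NTLMv2 exchange in Python. It follows the MS-NLMP computation: the client derives the NT hash (MD4 over the UTF-16LE password) and the NTLMv2 key, then answers the server's 8-byte challenge with an HMAC-MD5 proof over the challenge plus a client blob; the verifier (the domain controller the VCS forwards to) holds only the NT hash, recomputes the same proof, and compares. The user, domain, password, challenge bytes and target-info blob are constructed test values, and the MD4 is implemented inline because hashlib's md4 is often disabled under OpenSSL 3. This also illustrates why a device that cannot speak NTLM has nothing to send back and must fall back to another method such as the local database.

```python
import hmac
import hashlib
import struct
import secrets


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because OpenSSL 3 often disables it."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad to 56 mod 64, then append the bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for fn, add, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # update A, D, C, B in turn
                v[j] = _lrot((v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + X[k] + add) & M,
                             shifts[i % 4])
        h = [(a + b) & M for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what AD stores, not the password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (domain case kept)."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure from MS-NLMP: version, time, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_respond(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || blob."""
    key = ntlmv2_key(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_response(stored_nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, response: bytes) -> bool:
    """Verifier side (the DC the VCS forwards to): recompute the proof from the stored NT hash."""
    if len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(stored_nthash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo_exchange(password_typed: str) -> bool:
    """Constructed exchange: Jabber Video user 'alice' in 'EXAMPLE' answers a fresh challenge."""
    user, domain, real_password = "alice", "EXAMPLE", "Correct Horse"
    stored = nt_hash(real_password)                    # what the DC holds
    server_challenge = secrets.token_bytes(8)          # 8-byte nonce from the challenger
    # AV pair: MsvAvNbDomainName (id 2) = "EXAMPLE", then end-of-list is the trailing zeros in the blob
    name = domain.encode("utf-16-le")
    target_info = struct.pack("<HH", 2, len(name)) + name
    blob = client_blob(timestamp=0, client_challenge=secrets.token_bytes(8), target_info=target_info)
    response = client_respond(password_typed, user, domain, server_challenge, blob)
    return verify_response(stored, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("correct password accepted:", demo_exchange("Correct Horse"))
    print("wrong password accepted:", demo_exchange("wrong"))
```

The verifier never sees the password, only the NT hash and the proof; that is what lets the VCS hand the check off to AD. The NT hash and NTLMv2 key values in the test are the published MS-NLMP vectors.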

Hi Alok,

Thanks for the reply.

Regarding your response for when the zones are set to "Do not check credentials", do you mean to say that the VCS will not let Movi/Jabber users log in even when "NTLM protocol challenges" is at its default of "Auto" and there is integration to AD?

Assuming we do not want to have AD integration and set my zones to "Do not check credentials" (as I want my Movi users to be authenticated via TMS provisioning), will the Movi users not be authenticated against the TMS provisioning database (i.e. locally created users on the TMS)?

Regards,

Mayank

Hi,

"Do not check credentials" is valid for TMS Agent; however, for TMSPE the setting on the Default Zone should be "Check credentials".

And even though you have NTLM set to "Auto", it won't allow the AD users to log in.

Rgds

Alok

Hi Alok,

Thanks for the response.

So the way I am understanding it is that when previously using TMS Agent Legacy, we could set the Default Zone to "Do not check credentials" and TMS-created Movi users would be authenticated via the TMS Agent provisioning database.

But with TMSPE, if the Default Zone has to be set to "Check credentials", this will allow Movi logins to be challenged via AD, but normal endpoints will be authenticated via the local database. And if you set it to "Do not check credentials", Movi users will not be able to log in at all. So then am I right to say that with TMSPE there is no way to have users authenticated with the login/password when they are locally created on the TMS (blue shirt Movi)?

Regards,

Mayank

Hi Mayank,

"So then am I right to say that with TMSPE there is no way to have users authenticated with the login/password when they are locally created on the TMS (blue shirt Movi)?"

In fact, it is not true. As of VCS version 7, you can use the provisioning database replicated from TMS as local data of the VCS. Therefore, when you have "Check credentials" enabled, the VCS will try to find credentials in its local database, which also includes TMS-imported users. Then, with provisioning enabled on TMS, you will be able to use the TMS provisioning database to authenticate Jabber clients and other generic clients.

As of VCS version 7.2, you don't have to configure whether to use the local database (which includes TMS-imported users) or LDAP-imported users. You can have both things working at the same time. So, combining the provisioning database and LDAP authentication, you can have Jabber clients authenticating using LDAP credentials and generic clients authenticating using the provisioning database imported from TMS. If you don't have LDAP, you can use TMS-imported users to authenticate all the clients.

I have it working in an environment: I have different clients authenticating to the VCS using only the TMS user directory. There is no manual database creation on the VCS.

Regards

Paulo Souza


Thanks guys for your input.