cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2356
Views
0
Helpful
12
Replies

When TMS logout, do you also need to close all window tabs?

smilewonee
Level 1
Level 1

Hi, This is Paul. I brought some topic with TMS.

Whenever I try to log out, closing all window tabs are needed.

Does it happen to you guys as well? I need to fix this repetitive work..

Can anyone share some tips for avoiding it?

Best Regards,

Paul

12 Replies 12

Kjetil Ree
Cisco Employee
Cisco Employee

Hi Paul,

This is expected behavior. I am not aware of any workarounds; I tried clearing all TMS cookies from my web browser, but that did not help.

Regards,

Kjetil

Right Click on the Browser Icon in your task bar and select "Close all windows".

CloseAllWindows.png

Note: this will close every browser window you have open, not just the TMS ones.  Example used is IE, but same works for Firefox (and I assume for others as well as it's a standard Windows thing). 

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Hi Wayne,

Thanks to your reply but that's not the one I wanted to take about.

Can anyone share some tips for avoiding it?

As I said, I was asking some tips to avoid all tabs closing behavior when logout TMS.

Best Regards,

Paul

No worries.  As Kjetil said, TMS doesn't work this way, I was trying to give you another option to close all those windows quickly and easily other than clicking the close buton on them all individually.

I'd say that the main TMS window doesn't keep track of any of the other windows you launch from it, so it has no idea what to close when you log out.  So, it can't currently do it for you.

If you really need this functionality, I'd suggest you log a feature request with your local Cisco representative for consideration in a future release of TMS.


Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Dear Wayne,

Have you ever tried to logout TMS and open it again? and Have you thought this is a strange behavior?

I think it is actually critical for the network security.

It also affects on not only tabs but also new windows.

I've tried:

1)login TMS on the window with several tabs.

2)close only TMS tab

3)open a new window(not new tab but newly created window)

4)login TMS on that window - Authentification process was not needed which means I didn't have to put ID/PW eventhough I open a new window.

From that test, TMS authentification process information(login info) is actually stored on internet or somewhere.

I think I'd better to proceed a feature enhancement request.

Best Regards,

Paul

Hi Paul

Not an issue for me. TMS uses my domain credentials, so, if I'm logged in to the PC, TMS doesn't prompt me to log in again.

If another user tries to log in from their PC, they're restricted to what they can see by TMS security for their username.

If I leave my PC unattended, I lock the device, or log out - so there no way someone else can use TMS as me on that PC - but I'd be more concerned about all the other applications and data they could get to from that device (corporate file shares, email, etc) than what they'll see in TMS.

Wayne

Sent from Cisco Technical Support iPad App

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Hi Kjetil, I appreciate to you for the reply.

However, If it is expected behavior, the user would have really strange and repetitive experience when trying to log out TMS.

Could you please explain me why this behavior occurs as designed?

Best Regards,

Paul

Hi Kjetil!

I agree with Paul, it might be the "expected behavior" by the software, but its definitely not the

wanted / "expected behavior" by the user / admin or me.

We had criticized that even during the Tandberg days.

That mechanizm seems to work fine for other sites and even other Cisco TelePresence

products (TCS, MCU, VCS, endpoints, ...) so its hard to understand.

There are scenarios where it is not possible to close your complete browser instance.

So this is far away from ideal.

Please remember to rate helpful responses and identify helpful or correct answers.

Please remember to rate helpful responses and identify

Martin,

Can you elaborate on why you or your admin are looking to explictly log out of the application?

Steve Kapinos
Cisco Employee
Cisco Employee

The reason why is... TMS uses server/client authentication.. this means when you authenticate, your BROWSER is authenticated to the website, not just a session via a cookie.  The only way to make the browser itself 'log out' is to close the application.

This is how all websites that use server based authentication work. 

The experience you are expecting is when the web application itself is managing the user sessions.  The website in these situations is actually setup for anonymous access, and the user authenticates inside the website's code.  The session is managed via cookies or similar.

The benefit of the server based authentication model is we can use Windows Integrated Authentication, the user generally doesn't have to login at all.  If you access the server via it's machine name, or FQDN that maps to it... The server and browser automatically negotiate and the user as logged into the computer is logged into the website.  Authentication is handled at the OS level.  If you are an Active Directory environment... you get SSO for free.

If you use an IP address, the relationship is not understood, and the webserver itself will prompt the browser to show a user/pass dialog window.

So... if you want to bypass integrated authentication, load the webpage via IP instead of machine name or FQDN.  But once you have authenticated the browser... you must close the browser to release that.  If it's the whole application or just the window, will depend on the implementation of the browser.  My experience is most require you to close all windows.

But can I ask.. why are you trying to switch users or force logouts?

Dear Steven,

Thanks for your explanation!

What I understood from your explaniation is that:

The TMS has been designed to authenciate the login/out process via Windows Intergrated Authentication and it is actually different from cookie session authentication. Once It proccess authentication via WIA, I would be handled at the OS. Thus, closing a current browser can't actually terminate the authenticated session, but closing an application can.

Also when it comes to log in via IP, It would follow the application's implemenatation. I don't still understand using IP address and bypass integrated authentication are related.(Also wondering what bypass intergrated authentication exactly is. It's not really important though.. ).

But wait, regarding SSO and Windows Integrated Authentication on TMS. There is a strange design. When accessing to Conference Control Center, Authentication process are repeatedly needed unless we save the password. I know it is JRE application and we need separate authentication for it. However, why JRE are not integrated to WIA on TMS?-It might be strange or regardless question though. Also, If more sign up needed in the same website(TMS, CCC), SSO is not actually embedded.

To answer your question:

"But can I ask.. why are you trying to switch users or force logouts?"

In a case we have implemented, giving access authority to the users on TMS(It is limited provisioning and they can't use all the categories of TMS like administrator). The users can book the conference by themselves on demand via TMS. It could be more flexible to initiate the conference. They also can avoid schedule conflict and lack of ports.

Anyway, when it comes to give an access authority to the users, the security would be on higher risk. Forcing logouts is actually needed because the users possibly can't be aware of WIE. There could be even more possibility regarding security that we can't actually predict. Thus, I have wanted to minimize those possibilities that can be on risk. Then I found this behavior on TMS, so have started this discussion

Also, when it comes to switching users, There would be the case the different users can probably use same computer to book the conference on TMS.

I think I have been thinking of user experience

Thanks for reading my long reply, I will wait for you guys feedback!

Best Regards,

Paul

The TMS has been designed to authenciate the login/out process via Windows Intergrated Authentication and it is

actually different from cookie session authentication

Half way there.  It's designed to use server based authentication, which is different from having your web code handle the session management.

A paralell to this in other websites people may be used to is in apache it's like using .htaccess and .htpasswd.  The webserver handles the authentication portion of the login. 

For TMS, this allows us to leverage the capabilities of IIS and Active Directory, and provide a seamless login experience with Windows Integrated Authenticaiton.

Once It proccess authentication via WIA, I would be handled at the OS. Thus, closing a current browser can't actually terminate the authenticated session, but closing an application can.

The OS portion is simply that you authenticated with the OS at some point earlier... the OS is responsible for verifying that and dealing with it's own session management.  The OS is only a factor when doing Windows Integrated Authentication... which is just one possible option when doing server based authentication.  (you can still do digest and basic auth too).  The whole 'why can't I close just one window' discussion is purely about implementation within the browser and nothing to do with what authentication (WIA, basic, or digest) is negotiated.  When IE has multiple windows open, it's not separate applications running.. the browser retains the negotiated session info even tho you closed that one window... but when you close the entire application down, it dumps that info.  If the browser were to completely isolate each browser window... you'd get what you want.. but that's just not how they've been implemented for choices of their own making.

From a security point of view, the OS's session management is also a way of controlling access and enforcing session limits like idle, etc. 

Also when it comes to log in via IP, It would follow the application's implemenatation. I don't still understand using IP address and bypass integrated authentication are related.(Also wondering what bypass intergrated authentication exactly is. It's not really important though.. 

I've never researched the technical reason by Microsoft, if it's choice or hurdle.. but I know windows integrated auth will not kick in if you open the site via IP.  And since many customers don't setup their DNS right, or have a history of using IPs for admin/technical things... they often do not realize the integrated login experience is available. 

But wait, regarding SSO and Windows Integrated Authentication on TMS. There is a strange design. When accessing to

Conference Control Center, Authentication process are repeatedly needed unless we save the password

This is actually a limitation of the JRE in some environments.  It will do integrated authentication and not require a user prompt if you access the site via the correct hostname and are using a suitable JRE.  This works on Windows just fine.  However, there are known limitations on OSX... at the time caused by the Apple provided JRE (Apple uses their own JRE, not Sun/oracle).

If you are logged into the Windows machine with a Windows user account the TMS server would normally trust (a domain user), and are accessing the site via the machine name or alias that resolves to the machine name, you should get an integrated login for both the TMS front-page, and CCC. 

Use an IP address, or be logged into the machine with an account the IIS server is not able to authenticate, and you'll be prompted for user/pass.

Anyway, when it comes to give an access authority to the users, the security would be on higher risk.

Forcing logouts

is actually needed because the users possibly can't be aware of WIE. There could be even more possibility regarding security that we can't actually predict. Thus, I have wanted to minimize those possibilities that can be on risk. Then I found this behavior on TMS, so have started this discussion

Honestly I'd be more concerned that you have computers open for any use with access to your enterprise environment without any authorization required.  If different users are able to use the same computer without changing security contexts, you have a much larger liability than their TMS meetings.  Force the user to log out of the terminal, and your TMS concerns go away.