Active Directory Authentication for Jabber video

Anthony Thomson
Level 3

Hello,

I've managed to configure my VCS Control to join my AD domain, so now my Jabber Video accounts authenticate with AD credentials.  I've uploaded appropriate certificates to the VCS so that the connection to AD is TLS-encrypted.

I'm using Provisioning Extensions on X7.2, and TMS 13.2.1.

Prior to adding the VCS to the AD domain and moving over to TMSPE, Movi accounts would authenticate against the (TMS Agent) database on the VCS Control, regardless of whether the authentication request came from the VCS Control or was passed on from the VCS Expressway.  Now, Jabber clients trying to authenticate on the VCS Expressway fail if the Default Zone and/or Default SubZone are set to "check credentials".  If I change the zone settings to "treat as authenticated"... it works, but they aren't actually being authenticated, since any password is accepted.  Obviously this isn't a good idea.

So my question is basically, what am I missing?  Am I supposed to join the VCS Expressway to AD as well?  Given the external location of the Expressway this is a less-than-desirable solution; is there no way to pass authentication requests for AD back to the VCS Control?

I've read "Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-2" and the relevant sections of the VCS Admin Guide, and I'm not sure if I'm missing it, but I cannot find the information to lead me in the right direction here.

Accepted Solution

Alok Jaiswal
Cisco Employee

Hi Anthony,

It's not necessary to join the Expressway to AD! The Expressway should pass all authentication to the Control and should be able to register without needing to join the domain.

Ideally, any authentication request coming from the Expressway should be passed on to the Control, and the Control should challenge the user for credentials.

For authentication of the Jabber clients via the Expressway, you should set the traversal zone on the VCS Control to "Check credentials" and, on the Expressway, keep the default zone set to "Do not check credentials".

Also check whether you have set up the ADS services on the Expressway; if yes, disable them.

Thanks

Alok

6 Replies

Alok Jaiswal
Cisco Employee

Additionally, check whether you have search rules to pass the initial SUBSCRIBE messages from the Expressway to the Control, and secondly check the template you uploaded in TMS: does it have the public SIP URI field populated properly or not?

cheers

Alok

Thanks, Alok!  That did the trick; I had tried everything else... it didn't occur to me to put "Check credentials" on the incoming traversal zone on the Control!

The public SIP URI field is fine, as are the search rules on the Expressway; AD authentication is working properly for my Expressway-connected Jabber clients.  Thanks.

gubadman
Level 3

Hi Anthony,

I did some testing. Our Expressway has "Do not check credentials" on the Default Zone and Default Subzone, and our Control has "Check credentials" on the traversal zone to the Expressway and is set up for AD authentication. I cannot log my Movi into the Expressway without using the correct credentials.

Could you try setting up like this?

Thanks,

Guy

Tomonori Taniguchi
Cisco Employee

Please refer to https://supportforums.cisco.com/docs/DOC-25398 as well.

This document contains the recommended configuration for each device and also the expected signalling flow for Device Authentication with AD.

I'm using Provisioning Extensions on X7.2 and TMS 13.2.1, and more or less have the same setup, i.e.:

VCSE -> VCSC -> TMS -> AD

VCSE subzones: "treat as authenticated"; VCSC traversal zone: "check credentials"

TMS using normal AD import

I've created normal users in an OU in AD and imported them via TMS, and my Jabber Video registration works perfectly well to my VCSE. The funny thing is, when I key in my username with a blank password, it still gets registered. But if I put in a wrong username or a wrong password, authentication fails.

Any idea on how to stop the 'blank' password from allowing my jabber to register?

Thanks.
