04-01-2013 10:35 AM - edited 03-18-2019 12:51 AM
I was testing some different authentication scenarios with Jabber TP against AD.
It seems that Jabber users assigned to Distribution Groups instead of Security Groups seem to authenticate fine. Is this supposed to be the case?
They import fine into TMS and when using Jabber for TP, they authenticate fine.
I assumed (yes, I know what assume means) that Distribution Groups would not work for authenticating Jabber users.
TMS 13.2.1, VCS 7.2.1
Thank you
04-01-2013 10:57 AM
It's two parts: the import, which imports the users by a given filter from AD.
So if your AD user used to see these users they get imported.
The other part is the authentication, so if this specific user can authenticate it will be allowed.
It might be interesting to know if there is a way to limit the users which are allowed to authenticate by the windows server side.
You can also find more info on how it works in the "Device authentication on Cisco VCS Guide".
Why do you ask, do you see a problem?
The final start would be to define a proper filter on the TMS/TMSPE to only import users which you really want to import. :-)
Please remember to rate helpful responses and identify
04-01-2013 11:15 AM
Martin,
Thanks for the quick response. Yes, I read the guide and it is helpful, although it does not specify whether distribution groups and security groups are handled differently. I guess that should have been my clue that it does not handle them differently.
Not a problem really. However, if you read Microsoft's bit on Distribution Groups you will see:
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.
With that as a definition, I assumed (yes I know), that the groups would be treated differently regarding provisioning.
This is not causing any current problem, but I wanted to make sure I really understood how it is being used, so that I could give proper advice on provisioning using AD.
The plus side is that it allows larger organizations to allow their provisioning person to provision existing AD users without requiring them to have access to security groups.
That may also be a downside, although I am unsure if it is causing any security groups "problems".
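The distinction discussed in this thread can be checked on the directory side before a group is used in an import filter. The following is an added example, not code from the thread participants or from Cisco or Microsoft: it decodes the Active Directory `groupType` attribute to tell security groups from distribution groups and builds a standard LDAP user filter scoped to one group. The group DNs and values are constructed samples, and whether TMS/TMSPE accepts this exact filter string is an assumption.

```python
# Added example: AD security-enabled flag check plus a group-scoped LDAP user filter.
SECURITY_ENABLED = 0x80000000  # groupType bit set on security groups, clear on distribution groups

# LDAP filter that returns only security-enabled groups (bitwise AND matching rule).
SECURITY_GROUPS_FILTER = (
    "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
)

def is_security_group(group_type: int) -> bool:
    """AD returns groupType as a signed 32-bit integer, so mask before testing."""
    return bool((group_type & 0xFFFFFFFF) & SECURITY_ENABLED)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing ( ) * or a backslash cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )

def user_import_filter(group_dn: str) -> str:
    """Filter matching only user accounts that are direct members of group_dn."""
    return "(&(objectCategory=person)(objectClass=user)(memberOf=%s))" % (
        escape_filter_value(group_dn)
    )

def importable_groups(groups: dict) -> list:
    """Keep only the security-enabled groups from a DN -> groupType mapping."""
    return sorted(dn for dn, gt in groups.items() if is_security_group(gt))

# Constructed sample data (hypothetical DNs, real groupType encodings).
SAMPLE_GROUPS = {
    "CN=Jabber-Users-Sec,OU=Groups,DC=example,DC=com": -2147483646,  # global security
    "CN=Jabber-Users-DL,OU=Groups,DC=example,DC=com": 2,             # global distribution
    "CN=Video (EMEA),OU=Groups,DC=example,DC=com": -2147483640,      # universal security
}

if __name__ == "__main__":
    for dn in importable_groups(SAMPLE_GROUPS):
        print(user_import_filter(dn))
```

The `memberOf` clause matches direct membership only, so users who belong to the group through nesting are not returned by this filter.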