Jabber User Can't Login Using AD Account

Hi,

I have an issue regarding Jabber/Movi registering on the local VCS Control. Users cannot log in with the Jabber accounts that were provisioned on TMSPE. The login error message is "Wrong username/password or domain"...

Jabber users that were provisioned manually on the TMS can log in successfully.

The connection between TMS and AD is OK and the import of AD users was successful.

What should be the correct configuration on the VCS Control authentication policy?

> Default Subzone?

> Default Zone?

> Traversal Zone?

Do I also need to join the VCS Control to the AD?

Thank you,

Acevirgil

6 Accepted Solutions

13 Replies

Jens Didriksen (Level 9)

"Check credentials" on all three - and yes, the VCS-C must be added to AD.

/jens

Please rate replies and mark question(s) "Answered" if applicable.


Hi Jens,

Do we need an AD admin account to join the VCS-C to the AD?

Thanks,

Acevirgil

Hi,

Yes, you need an admin account or an account with "administrator" or "account operator" privileges.

See page 18 of this document:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-2.pdf

Regards, Ahmad

Hi Jens,

We configured the authentication policy of the VCS-C zones as:

> Default Subzone = treat as authenticated

> Default Zone = treat as authenticated

> Traversal Zone = treat as authenticated

We did not join the VCS-C to the AD, and Jabber users can log in successfully using their AD credentials.

Thank you for the help.

Best regards,

Acevirgil

Hi Acevirgil,

We set "treat as authenticated" for infrastructure devices such as MCUs, etc.

For endpoints such as Jabber, please use "check credentials".

Same document as before (page 11 and page 39).

Regards, Ahmad

Acevirgil,

We configured the authentication policy of the VCS-C zones as:

> Default Subzone = treat as authenticated

> Default Zone = treat as authenticated

> Traversal Zone = treat as authenticated

We did not join the VCS-C to the AD, and Jabber users can log in successfully using their AD credentials.

In fact, maybe your AD integration is not even working. When you set "treat as authenticated", Jabber clients are able to log in even if the user enters a wrong password, or even a blank password, because in this case the VCS doesn't challenge the client for authentication at all. So it doesn't mean your AD integration is working, because the users are logging in without authentication.

You should never use "treat as authenticated".

Go ahead and configure all zones in the VCS-C as "check credentials", as suggested by Jens.

Regards

Paulo Souza

Please rate replies and mark question as "answered" if applicable.


Hi Paulo,

Good recommendation. I will reconfigure all the zones in the VCS-C authentication policy to "check credentials".

But when we tried to set "check credentials" on those zones, Jabber AD users couldn't log in and "wrong username/password" was the login error message. Or maybe there is something wrong with the configuration of the subzones and their membership rules?

If we configure all zones in the VCS-C authentication policy to "check credentials", do we also need to join the VCS-C to the AD domain?

Thanks for the help.

Acevirgil

Hi Acevirgil,

So this is how the AD authentication works from VCS. TMS imports users from AD, but it doesn't import the password.

These users get replicated to the VCS local database without a password.

On VCS you have two options:

- Active Directory

- LDAP

When you go for Active Directory authentication, the VCS should join the domain. For this an account is probably needed with sufficient privileges so that the VCS can be joined to the domain.

When the Movi/Jabber user tries to log in, the VCS challenges it (only when the Default Zone is kept as "check credentials") and then the credentials supplied by the client are checked through AD. Once this process completes, the user receives its provisioning settings and then the client initiates a "REGISTER" message.

The REGISTER goes to the Default Subzone or a specific subzone (if created), and if that subzone is kept as "check credentials" the registration request is again challenged by the VCS and authenticated as described above. If you keep the Default Subzone as "treat as authenticated", then the VCS won't challenge it but will allow the client to register without challenging the REGISTER message.

If you are getting the wrong domain or password error, then something is wrong. Again, check the templates, search rules, etc.

When you go to the AD page on the VCS, does it show active and joined to the domain? If the VCS is not joined to the domain properly, that might be the reason you are getting the error when keeping "check credentials" on the Default Zone.

Please re-verify the AD settings on the VCS and try again.

cheers

Alok

Hi Alok,

Thank you for the in-depth explanation of the process of how Jabber users are authenticated on the VCS using an AD account.

By the way, the VCS-C was not yet configured to join the AD domain; that's why Jabber users are able to log in with the "treat as authenticated" policy on the zones.

For security reasons and as recommended, we will follow the best practice. I'll keep you posted on how it goes...

Thank you for the help.

Best regards,

Acevirgil

Hi Alok,

I observed that even the manually provisioned Jabber users on the TMS can't log in when I change the "treat as authenticated" policy to "check credentials" on the zones. It's getting weird.

We thought that the only issue was the users imported from AD. I manually created a "Jabber test user" on the TMS and configured the VCS Control authentication policy in different modes, and I got different error messages:

Default Subzone: "treat as authenticated"

Default Zone: "treat as authenticated"

> "Jabber test user" can log in using any password

Default Subzone: "check credentials"

Default Zone: "check credentials"

> "Jabber test user" cannot log in with the real password

> Login error message: "Wrong username/domain or password"

Default Subzone: "check credentials"

Default Zone: "treat as authenticated"

> "Jabber test user" cannot log in with the real password

> Login error message: "Log in failed due to registration failure"

Default Subzone: "treat as authenticated"

Default Zone: "check credentials"

> "Jabber test user" cannot log in with the real password

> Login error message: "Wrong username/domain or password"

I have already raised and opened a case with TAC for this issue, and I would also like to ask for assistance on this site for faster troubleshooting.

Best regards,

Acevirgil

Hi Acevirgil,

The behaviour is correct. As also mentioned in the device authentication deployment guide, you can't have mixed-mode authentication: either AD users or local users can log in at a time.

When the Default Zone is set to "check credentials" and you have VCS integration with Active Directory, the VCS challenges the user with NTLM and then verifies the credentials provided by the Jabber client against Active Directory.

So if you have a user manually created in TMS, it won't work. I think this question has been raised earlier and you will see lots of threads on it.

Basically there is a feature request pending with the developers, and I'm not sure when it will be implemented.

Rgds,

Alok

Can you let me know the TAC case SR number? Just IM me.

thanks

Alok
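To make the two explanations above concrete (Alok's description of the two-step login, where the provisioning login is challenged at the Default Zone and the REGISTER at the Default Subzone, and his later point that a domain-joined VCS verifies only against AD, so TMS-local users fail), here is a small model of the zone policies in Python. This is an added example for this thread, not Cisco code and not how the VCS is implemented internally: the `Vcs` class, the sample accounts `alice` and `jabbertest`, and the mapping of the two error strings quoted by Acevirgil to a specific failing step are assumptions made here, and NTLM and the real AD exchange are not modelled. Under those assumptions the model reproduces both Paulo's warning (a "treat as authenticated" zone accepts a blank password) and, with `ad_joined=True`, the four-combination matrix Acevirgil observed for the TMS-local test user.

```python
"""Toy model of VCS zone authentication policies (added example, not Cisco code).

Assumptions: Jabber login is two challenges, the provisioning login at the
Default Zone and the SIP REGISTER at the Default Subzone; a failure at the
first step yields the "wrong username" error and at the second step the
"registration failure" error quoted in the thread.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Policy(Enum):
    CHECK_CREDENTIALS = "check credentials"
    TREAT_AS_AUTHENTICATED = "treat as authenticated"


# Error strings as quoted by Acevirgil in the thread.
ERR_CREDENTIALS = "Wrong username/domain or password"
ERR_REGISTRATION = "Log in failed due to registration failure"


@dataclass
class Vcs:
    default_zone: Policy
    default_subzone: Policy
    ad_joined: bool
    # username -> password. None means the account was replicated from TMS
    # without a password (the AD-imported case Alok describes).
    local_users: Dict[str, Optional[str]] = field(default_factory=dict)
    # Constructed stand-in for the directory a domain-joined VCS would query.
    ad_users: Dict[str, str] = field(default_factory=dict)

    def verify(self, user: str, password: str) -> bool:
        """Credential check for a zone set to 'check credentials'.

        A domain-joined VCS verifies against AD only (no mixed mode: a
        TMS-local user is not found there). Otherwise the local database is
        used, where AD-imported users have no password to compare against.
        """
        store = self.ad_users if self.ad_joined else self.local_users
        stored = store.get(user)
        return stored is not None and stored == password

    def challenge(self, policy: Policy, user: str, password: str) -> bool:
        """'treat as authenticated' never challenges, so anything passes."""
        if policy is Policy.TREAT_AS_AUTHENTICATED:
            return True
        return self.verify(user, password)

    def jabber_login(self, user: str, password: str) -> str:
        """Return "OK" or the error the client would display."""
        # Step 1: provisioning login, challenged per the Default Zone policy.
        if not self.challenge(self.default_zone, user, password):
            return ERR_CREDENTIALS
        # Step 2: REGISTER lands in the Default Subzone and is challenged again.
        if not self.challenge(self.default_subzone, user, password):
            return ERR_REGISTRATION
        return "OK"

    def unauthenticated_zones(self) -> List[str]:
        """Audit helper: zones where any username/password would be accepted."""
        zones = {"Default Zone": self.default_zone,
                 "Default Subzone": self.default_subzone}
        return [name for name, pol in zones.items()
                if pol is Policy.TREAT_AS_AUTHENTICATED]


# Constructed sample accounts: 'alice' imported from AD (no local password),
# 'jabbertest' created manually in TMS with a local password.
LOCAL: Dict[str, Optional[str]] = {"alice": None, "jabbertest": "local-pw"}
AD: Dict[str, str] = {"alice": "ad-pw"}


def scenario(zone: Policy, subzone: Policy, ad_joined: bool) -> Vcs:
    """Build a VCS with the given Default Zone / Default Subzone policies."""
    return Vcs(zone, subzone, ad_joined, dict(LOCAL), dict(AD))


if __name__ == "__main__":
    T, C = Policy.TREAT_AS_AUTHENTICATED, Policy.CHECK_CREDENTIALS
    print("treat/treat, not joined, blank password:",
          scenario(T, T, False).jabber_login("alice", ""))
    print("check/check, not joined, real AD password:",
          scenario(C, C, False).jabber_login("alice", "ad-pw"))
    print("check/check, joined, real AD password:",
          scenario(C, C, True).jabber_login("alice", "ad-pw"))
    print("check/check, joined, TMS-local user:",
          scenario(C, C, True).jabber_login("jabbertest", "local-pw"))
    print("zones accepting anything:",
          scenario(T, T, False).unauthenticated_zones())
```

The `unauthenticated_zones` helper is the check a reviewer would run against a zone configuration: any zone it lists lets a client register with whatever credentials it sends, which is exactly why the "login works" result Acevirgil first saw said nothing about whether the AD integration was working.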

With "treat as authenticated" you might find that they can log in with any password and/or any username, you need to set it to "check credentials". I strongly suggest you study the documentation linked to by Ahmad.

/jens

Please rate replies and mark question(s) as "answered" if applicable.