10-08-2013 07:01 AM - edited 03-18-2019 01:56 AM
We have two groups of Jabber Video users within our TMS, each having their own type of account.
We currently have a VCS Control and are implementing and Expressway later this year.
Is it possible to do either of the two options with the VCS-C/E?
Obviously option #1 would be prefered to keep everything under the same domain. The big question is, how to accomplish either option, whichever is capable of being done.
TMS, TMSPE, VCS all running current software release.
Thanks
Solved! Go to Solution.
10-08-2013 09:02 AM
So you do not want to use a unified SIP domain? For external AD users, the provisioning config is a bit different for the norm. You would need to make use of the SIPAuthUsername and SIPAuthPassword configuration settings in the Provisioning. I have written up an explaination of this. Keep in mind that this is only part of the puzzle for the complete solution. I referrance below that on AD credentials work on the Control, as this design is for using the most recent versions of Jabber of Video (NTLM supported).
Enabling Movi/Jabber authentication on the VCS-C and VCS-E using Active Directory Credentials
In a secure design, the VCS (Control and Expressway) would require credentials for registration. Here is a design that is not described in the admin guides, but has been used quite successfully.
The VCS Control would have Active Directory Service enabled and joined to the Active Directory Domain. For the VCS to authenticate Movi/Jabber credentials against Active Directory before the SUBSCRIBE for provisioning is sent to the provisioning service, the Default Zone would be set for Check Credentials. For the SUBSCRIBE requests coming from the Expressway, the Traversal Zone on the VCS Control would also be set for Check Credentials. This will handle the authentication for provisioning.
The next part is the registration of the Movi/Jabber client. The subzone that the client will register to also needs to be set for Check Credentials. This is all you need for internal registrations (registration at the VCS Control).
For the Expressway, things get a little more complicated. For the provisioning subscription, the SUBSCRIBE is forwarded to the VCS Control. With the Traversal Zone on the VCS Control set for Check Credentials, you are all set. Now on to the registration to the Expressway. The subzone that the client will register to will need to be set for Check Credentials. Since the VCS Expressway does not have direct access to Active Directory, we need to utilize local credentials on the Expressway. A set of credentials will need to be configured in VCS Configuration > Authentication > Devices > Local Database. You will create a single name and password that all Movi/Jabber clients will use. The end user does NOT need to know of these credentials. The username and password is supplied to the Movi/Jabber client through the provisioning data that it has received. To configure that data, on the TMS, you need to configure a SIP Authentication Username and SIP Authentication Password in the provisioning configuration. For these options to be available, you need to make sure that you have uploaded the xml configuration template for the version of Movi/Jabber that you are using. The xml file is included with the full zip package of the client that can be downloaded from www.cisco.com. So that will take care of the Expressway registration. Now this creates an interesting situation with the VCS Control. The internal Movi/Jabber client will receive the same provisioning configuration, and will attempt to use those same credentials when registering to the VCS Control. The VCS Control is already set to authenticate the registration request against Active Directory, and ONLY Active Directory.
You will need to create an Active Directory account that matches those credentials. The Active Directory account does not need any special access. It is used for authentication purposes only. A few things to keep in mind: the SIP Authentication Username and SIP Authentication Password are stored in the provisioning configuration in clear text. That means that the data is sent in clear text. To be sure that this data is not compromised on the wire, be sure that you are using TLS for your Movi/Jabber SIP communication.
*UPDATE*
To further expand upon the configuration details above, please note that the account created in Active Directory that used for the SIP Authentication Username needs to reside in the same Windows Domain as the user account used by the client for provisioning. The reason is this:
When the Jabber client user input's their credentials, it will be in the form of DOMAIN\USERNAME. When the Provisioning data is received, only the "USERNAME" field is replaced. When the client auithenticates the registration with the new username, the domain name is not replaced. This could be an issue where the Active Directory domain structure contains multiple child or sub domains, or is a trust relationship is used for authentication.
For Example:
VCS is joined to parent domain (DOMAIN). The Jabber users reside in child domains (CHILDDOMAIN1 and CHILDDOMAIN2). a user account that has a samaccount name that matches the SIP Authentication Username must reside in both the CHILDDOMAIN1 *AND* CHILDDOMAIN2.
01-27-2014 01:31 PM
Zac -
It's taken me awhile to come back around to this. I have a question, why when you specify a SIP authentication user in the provisioning template, do you need to create an AD account for that user, why doesn't it use the person's account in AD?
I just tested this, and I typed in my password correct, and it logged me into the control when the provisioning template had the SIP authentication user in place. When I typed my password incorrect, it failed to login. Can you explain this, why it registered correct when my AD password was good, and failed when it was bad, and where the SIP authentication user comes into play when compaired to my AD account trying to login?
Just simply trying to wrap my head around how it behaves
01-27-2014 10:41 PM
Patrick,
As you must be already aware Jabber registration involves two phase i.e. subscribe & registration.
what zac is talking is a workaround solution when you register the jabber via expressway. If you proxying the registraton request to VCS-C nothing is required, however if you register your jabber to expressway then the above workaround should be effective.
in the above mentioned scneario VCS-E can succesfully pass the subscribe message to VCS-C and AD authentication happens, however when the jabber tries to register to expressway the registration fails as expressway doesn't have a way to check the credentials with AD.
so in this case the local user specifies under the VCS-E database and the under the TMS template on "sip username & password" comes in picture. during the registration process jabber sends the user information after 407 challenge by VCS and when VCS-E finds this local user under the response it allows the jabber clients to register.
this process is completely unknown to the end user and the end user keeps on thinking that he is using the AD credentials for registration but actually in back hand the local user is used for actual "registration".
i hope it clarifies.
Regards
Alok
01-28-2014 03:59 AM
Alok -
Thanks for the explanation, I understand the two phases of Jabber Video when signing in, just didn't know which phase was handled by the users credentials and the VCS local credentials in this case.
Sent from Cisco Technical Support iPhone App
10-08-2013 09:00 AM
Hi Zac,
I didn't consider FIndME, as Patrick didn't mention it on the main topic.
But of course, these are only suggestions. I agree with you, we need to test is on lab.
Patrick, I will have to build a lab this week to make another tests, I will take this opportunity to test your scenario, just to see what I get.
Regards
Paulo Souza
Sent from Cisco Technical Support iPad App
01-28-2014 06:05 AM
To all,
Please keep in mind that this design I come up with would be needed in the scenario I described when using VCS X7.x and X6.x. VCS X8.x offers a new feature of credential delegation. With this feature, it will not be necessary to use the custom design that has been discussed above. The VCS-E can pass the authentication request response for the registration to the VCS-C, even though the registration is taking place at the VCS-E. Once again, I strongly suggest that any of these designs be tested in a lab environment. Also, taking debug diagnostic logs during testing is vital to understanding exactly what is being done in the backend. The VCS diagnostic logs are fairly simple to follow and full of useful information. After taking the time to go through a log or two, the backend end process should be fairly easy to understand and will provide a better avenue for an indepth understand of how the VCS (and all of its configuration options) works.
- Zac Colton
01-28-2014 07:40 AM
I saw that feature, but haven't looked too much into yet since we haven't upgraded to X8 yet. What would the drawbacks be if the traversal zone was set to "Treat as Authenticated" instead of "Check Credentials" for a VCS Control when registering to an Expressway? All other zones would remained as check.
01-28-2014 07:58 AM
Patrick,
when you set the zone or subzone to "treat as authenticated" that means any request through that zone/subzone will be authenticated and will not be challenged by VCS.
so if you set the traversal zone on VCS-C to "treat as authenticated" that means any when VCS-E proxy the jabber registration messages to VCS-C it will not be challenged and if jabber is registering to VCS-E and your subzone is kept to "treat as authenticated" on VCS-E user will be able to register with any password.
Regards
Alok
01-28-2014 08:15 AM
Thanks!
I got AD working via the Expressway, just testing with non-AD users (local database). Only if the developers would implement mixed mode authentication, or have the VCS check it's local database first before AD via NTLM.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: