Cisco Employee

Movi authentication for VCS-TMSPE-AD?

Hi, Expert

The setup is VCS X7.2, TMSPE 13.2 with MS active directory as the user database.

The user account has been imported into TMSPE by System > Provisioning > Users > XXX group > User import > Configure AD.

And the VCS has been integrated with TMSPE successfully.

The problem here is: how does the authentication work? Is the full username/password imported to TMSPE during the import and then passed to VCS, or is only user info imported to TMS?

I tried to log in, but it also reported the username/password as wrong, with the logging below; but if I change the user's password in TMSPE manually, then it works.

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,406" Module="network.http" Level="DEBUG":  Message="Request" Method="POST" URL="http://127.0.0.1:9998/credential/name/lianzhao" Ref="0x3985970"

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="network.http" Level="DEBUG":  Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="47550" Response="200 OK" ResponseTime="0.003867" Ref="0x3985970"

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="network.ldap" Level="INFO":   Detail="Authentication credential found in directory for identity: lianzhao"

2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(453)" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials" Thread="0x7f7b9fffd700": calculated response does not match supplied response, calculatedResponse=6c510983415df744b9fc057cd5315133, response=bfc97064a7d7e434f1a1d189e59d996e

Accepted Solutions
Cisco Employee

For device authentication using NTLM by integrating MS AD, TMS imports the user account from the AD server (only the user account, not the password).

This account information will be exported to VCS from TMS as a provisioning user account (again, not including the password).

When VCS receives a provisioning request from the Jabber Video client, VCS will challenge the password against the AD server.

For the signaling flow, please refer to https://supportforums.cisco.com/docs/DOC-25398 or the device authentication deployment guide.
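The WARN line in the question compares a calculated digest response with the one the client supplied. The sketch below is an added example, not code from the thread or from Cisco, and assumes the standard RFC 2617 MD5 digest without qop; the realm, URI, nonce, user name and passwords are constructed. It shows why a locally held credential that differs from the AD password produces exactly that mismatch.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest response (no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # secret-dependent half
    ha2 = md5_hex(f"{method}:{uri}")                 # request-dependent half
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def validate(stored_password, supplied_response, challenge):
    """Server side: recompute from the stored credential and compare."""
    calculated = digest_response(password=stored_password, **challenge)
    return hmac.compare_digest(calculated, supplied_response), calculated


# Constructed values, not taken from the thread's logs.
CHALLENGE = {
    "username": "user1",
    "realm": "example.com",
    "method": "SUBSCRIBE",
    "uri": "sip:example.com",
    "nonce": "constructed-nonce-0001",
}
AD_PASSWORD = "ad-password"            # what the user types into the client
PROVISIONED_PASSWORD = "tms-password"  # different credential held locally

# The client answers the challenge with the password the user typed.
client_response = digest_response(password=AD_PASSWORD, **CHALLENGE)

if __name__ == "__main__":
    ok, calc = validate(PROVISIONED_PASSWORD, client_response, CHALLENGE)
    print("stored credential differs:", ok, calc, "!=", client_response)
    ok, calc = validate(AD_PASSWORD, client_response, CHALLENGE)
    print("stored credential matches:", ok)
```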

Cisco Employee

Hi, Tomonori

Thanks for the suggestion. I'm configuring VCS Configuration > Authentication > Devices > Active Directory Services, but it always shows that it failed to join the domain:

Cisco Employee

If the status of the AD service shows “inactive”, then VCS won’t be able to challenge the user account password with the AD server.

Therefore the provisioning request from the Jabber Video client will fail due to incomplete user authentication.

Have you configured all mandatory fields for the AD service configuration on VCS properly?
If all parameters are correctly configured (ideally following the deployment guide), but VCS still fails to join the AD domain, I’d suggest opening a TAC case to review the configuration and negotiation status with additional log information.

Cisco Employee

When you talk about mandatory fields for the AD service configuration, are you referring to VCS Configuration > Authentication > Devices > Active Directory Services?

Cisco Employee

Yes, correct.

AD domain, short domain name, Clockskew, username and password are mandatory parameters for AD service configuration.

Also, if DNS SRV is not providing the DC, you need to specify the IP address of the DC.

Cisco Employee

Hi, Tomonori

I found the reason why I couldn't join the domain by checking the logs: it's because the time on the VCSc and the domain controller is not the same. So I'm trying to reset the time, but I found that the NTP configuration on my VCSc shows synchronized, yet it is always 15 min ahead.... I'm choosing the correct time zone, btw.

2012-11-21T13:33:47+08:00 vcsc UTCTime="2012-11-21 05:33:47,117" Module="developer.domain_management" Level="INFO" CodeLocation="membershiputils(184)" Event="Command output: failed to kinit password: NT_STATUS_TIME_DIFFERENCE_AT_DC "

GMT+8 time now is 1:30, but you can check the picture below:

Cisco Employee

Sorry, after updating again and again, the time now reflects the correct one, but it doesn't look stable; at least a few minutes ago, it was always 15 mins ahead....sharply...

Cisco Employee

It changed again, 15 mins ahead.....

Cisco Employee

Do you see the same result for time sync even if you configure a different NTP server on VCS?
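The two failures seen in this thread (the digest mismatch in the first post and the clock difference reported during the domain join) can be picked out of a VCS log export automatically. The following triage script is an added example, not part of the original posts or any Cisco tooling; the sample lines are constructed by abridging the log lines quoted above, with the identity replaced by a placeholder.

```python
import re

# key="value" pairs, as used by the VCS log lines quoted in this thread
KV = re.compile(r'([\w-]+)="([^"]*)"')
IDENTITY = re.compile(r"credential found in directory for identity: (\S+)")

# Constructed sample, abridged from the log lines posted in the thread
# (identity replaced with a placeholder).
SAMPLE_LOG = """\
2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="network.ldap" Level="INFO":   Detail="Authentication credential found in directory for identity: user1"
2012-11-20T23:58:18+08:00 vcsc tvcs: UTCTime="2012-11-20 15:58:18,411" Module="developer.nomodule" Level="WARN" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials": calculated response does not match supplied response
2012-11-21T13:33:47+08:00 vcsc UTCTime="2012-11-21 05:33:47,117" Module="developer.domain_management" Level="INFO" Event="Command output: failed to kinit password: NT_STATUS_TIME_DIFFERENCE_AT_DC "
"""


def triage(log_text):
    """Return one finding per recognised authentication failure."""
    findings, last_identity = [], None
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        found = IDENTITY.search(fields.get("Detail", ""))
        if found:
            # Heuristic: the digest warning follows its credential lookup.
            last_identity = found.group(1)
        elif "calculated response does not match supplied response" in line:
            findings.append({
                "time": fields.get("UTCTime"),
                "issue": "digest_mismatch",
                "identity": last_identity,
                "check": "credential stored for this identity vs. the one the client used",
            })
            last_identity = None
        elif "NT_STATUS_TIME_DIFFERENCE_AT_DC" in line:
            findings.append({
                "time": fields.get("UTCTime"),
                "issue": "kerberos_clock_skew",
                "identity": None,
                "check": "VCS clock/NTP against the domain controller before re-joining",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On a busy system, lookups and warnings from different users can interleave, so treat the identity attached to a digest mismatch as a lead to confirm rather than a certainty.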
