01-10-2013 04:34 AM - edited 03-18-2019 12:25 AM
Hi, Experts
The architecture is as below:
Movi or EX60 -> VCS Expressway -> VCS Control (Authentication through AD) -> TMSPE
The Movi user can log in with their username and password and also gets the phonebook correctly, but using the same user credentials, the EX60 couldn't be provisioned. TMSPE has already imported the EX60 template with a few settings, and that is already shown in VCS Control.
When using the touch panel of the EX60, there are four fields for configuration: username, password, domain, external manager. In what I filled in, the username, password and domain are the same between Movi and EX60, and for the external manager, I've put the VCS Expressway's public IP into that field.
After doing some diagnostic logging, I found the info below, but actually the username/password I used for the EX60 is exactly the same as on Movi, which can log in successfully.
BTW, both Movi and EX60 are connecting from the Internet.
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,457" Module="network.sip" Level="INFO": Src-ip="123.123.123.123" Src-port="7001" Detail="Receive Request Method=SUBSCRIBE, Request-URI=sip:xxx@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,457" Module="network.sip" Level="DEBUG": Src-ip="123.123.123.123" Src-port="7001"
SIPMSG:
|SUBSCRIBE sip:xxx@yyy.com SIP/2.0
Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bKbcf198976b49c549757cfa4ffaa63ca711816.0478002c4a97d56809160bce80ec1272;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9;received=123.123.123.123;rport=7001
Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bKe25f645f5a082db642b18eafbf077f14.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone
Call-ID: a48804eca92f0a40@192.168.1.4
CSeq: 101 SUBSCRIBE
Contact: <sip:xxx@yyy.com;gr=urn:uuid:142a3221-0817-57f2-b7f6-54aac220c42a>
From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175
To: <sip:provisioning@yyy.com>
Max-Forwards: 15
Record-Route: <sip:123.123.123.123:7001;transport=tls;lr;apparent=replace;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9>
Record-Route: <sip:123.123.123.123:7001;transport=tls;lr>
Record-Route: <sip:123.123.123.123:5061;transport=tls;lr>
Record-Route: <sip:61.165.188.154:54629;transport=tls;apparent=remove;ds;lr;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9>
User-Agent: TANDBERG/516 (TC5.1.4.295090)
Expires: 3600
Event: ua-profile;model=ex60;vendor=tandberg.com;serial="A1AZ43E00090";profile-type=user;version="TC5.1.4.295090";clientid="id-00:50:60:08:03:DB-";mac-address="00:50:60:08:03:DB"
Accept: application/pidf+xml
X-TAATag: 6f9d9168-5b1e-11e2-a2f4-000c29bc93c9
Content-Length: 0
|
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,458" Module="network.sip" Level="INFO": Dst-ip="123.123.123.123" Dst-port="7001" Detail="Sending Response Code=407, Method=SUBSCRIBE, To=sip:provisioning@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,458" Module="network.sip" Level="DEBUG": Dst-ip="123.123.123.123" Dst-port="7001"
SIPMSG:
|SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bKbcf198976b49c549757cfa4ffaa63ca711816.0478002c4a97d56809160bce80ec1272;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9;received=123.123.123.123;rport=7001
Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bKe25f645f5a082db642b18eafbf077f14.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone
Call-ID: a48804eca92f0a40@192.168.1.4
CSeq: 101 SUBSCRIBE
From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175
To: <sip:provisioning@yyy.com>;tag=af407bd2061beffe
Server: TANDBERG/4120 (X7.2.1)
Proxy-Authenticate: Digest realm="vcsc.yyy.com", nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03", opaque="AQAAAPliFrzUQV7Kj9A4DJ5mkH350LV2", stale=FALSE, algorithm=MD5, qop="auth"
Content-Length: 0
|
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,516" Module="network.sip" Level="INFO": Src-ip="123.123.123.123" Src-port="7001" Detail="Receive Request Method=SUBSCRIBE, Request-URI=sip:xxx@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,516" Module="network.sip" Level="DEBUG": Src-ip="123.123.123.123" Src-port="7001"
SIPMSG:
|SUBSCRIBE sip:xxx@yyy.com SIP/2.0
Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bK88c6c1ab68ac29a2baad79f373c5780c11818.58b5841c155f6ed8d36de38281aa7aa8;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9;received=123.123.123.123;rport=7001
Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bK86991f63e040efdaa5376ccdcd541dc0.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone
Call-ID: a48804eca92f0a40@192.168.1.4
CSeq: 102 SUBSCRIBE
Contact: <sip:xxx@yyy.com;gr=urn:uuid:142a3221-0817-57f2-b7f6-54aac220c42a>
From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175
To: <sip:provisioning@yyy.com>
Max-Forwards: 15
Record-Route: <sip:123.123.123.123:7001;transport=tls;lr;apparent=replace;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9>
Record-Route: <sip:123.123.123.123:7001;transport=tls;lr>
Record-Route: <sip:123.123.123.123:5061;transport=tls;lr>
Record-Route: <sip:61.165.188.154:54629;transport=tls;apparent=remove;ds;lr;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9>
User-Agent: TANDBERG/516 (TC5.1.4.295090)
Expires: 3600
Proxy-Authorization: Digest nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03", realm="vcsc.yyy.com", qop=auth, opaque="AQAAAPliFrzUQV7Kj9A4DJ5mkH350LV2", username="xxx", uri="sip:yyy.com", response="eb3cc75731f7e48c6f6af4adb7e5bba0", algorithm=MD5, nc=00000001, cnonce="07b93f430f7036a871699aa1558bfa5f"
Event: ua-profile;model=ex60;vendor=tandberg.com;serial="A1AZ43E00090";profile-type=user;version="TC5.1.4.295090";clientid="id-00:50:60:08:03:DB-";mac-address="00:50:60:08:03:DB"
Accept: application/pidf+xml
X-TAATag: 6fa68962-5b1e-11e2-b72b-000c29bc93c9
Content-Length: 0
|
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,517" Module="network.http" Level="DEBUG": Message="Request" Method="POST" URL="http://127.0.0.1:9998/credential/name/xxx" Ref="0x7f3e8400f0f0"
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="network.http" Level="DEBUG": Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="43650" Response="200 OK" ResponseTime="0.004748" Ref="0x7f3e8400f0f0"
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="network.ldap" Level="INFO": Detail="Authentication credential found in directory for identity: xxx"
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(453)" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials" Thread="0x7f3e9c7cc700": calculated response does not match supplied response, calculatedResponse=2800d2e046695a6c6fea48825c745a09, response=eb3cc75731f7e48c6f6af4adb7e5bba0
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,523" Module="network.sip" Level="INFO": Dst-ip="123.123.123.123" Dst-port="7001" Detail="Sending Response Code=407, Method=SUBSCRIBE, To=sip:provisioning@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"
2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,523" Module="network.sip" Level="DEBUG": Dst-ip="123.123.123.123" Dst-port="7001"
SIPMSG:
|SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bK88c6c1ab68ac29a2baad79f373c5780c11818.58b5841c155f6ed8d36de38281aa7aa8;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9;received=123.123.123.123;rport=7001
Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bK86991f63e040efdaa5376ccdcd541dc0.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone
Call-ID: a48804eca92f0a40@192.168.1.4
CSeq: 102 SUBSCRIBE
From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175
To: <sip:provisioning@yyy.com>;tag=33343865b3d116b6
Server: TANDBERG/4120 (X7.2.1)
Proxy-Authenticate: Digest realm="vcsc.yyy.com", nonce="b7946bc861c08c79a59deef4833c77b89d10ac00965129a64be2615e968d", opaque="AgAAAGyk74ifNAv2n6OcfqGJmURSv/ZT", stale=FALSE, algorithm=MD5, qop="auth"
Content-Length: 0
|
01-10-2013 05:09 AM
Hi,
While Movi can do AD authentication, EX60 can only do digest authentication. So in this case you need to use the password that is datafilled in TMS for the user, which may be different to their AD password.
Thanks,
Guy
01-10-2013 06:08 AM
Hi, Guy
Are you talking about creating the user directly under TMSPE, instead of going through AD?
01-10-2013 08:11 AM
Not exactly, the user is created by AD group import into TMS(PE). And I assume your VCS is set up to check AD credentials from the web page VCS configuration > Authentication > Devices > Active Directory Service. You do not need to create a new user.
However, the AD password checking only works for Movi and Jabber for iPad; other devices don't support it, they use digest authentication. This uses the password for the user that is in TMS. And although the user is imported to TMS from AD, their password will never be imported. TMS creates a password automatically for imported users - it is what comes from the {password} token when you send the provisioning account information email in TMS - I believe TMS generates 8-digit numeric passwords for the imported users by default, though these could then be changed. This password should be used for the EX60.
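The digest check behind the "calculated response does not match supplied response" warning in the log above, as an added example (not part of the thread and not Cisco's code). It recomputes the RFC 2617 MD5 `qop=auth` response from the fields of the logged `Proxy-Authorization` header; the two passwords are constructed values standing in for the AD password typed on the endpoint and the password stored in TMS.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Split 'Digest k="v", k=v, ...' into a dict of unquoted values."""
    params = header_value.partition(" ")[2]
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {key: value.strip('"') for key, value in pairs}

def digest_response(p, method, password):
    """RFC 2617 response for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def server_accepts(header_value, method, stored_password):
    """Proxy side: recompute from the stored password, compare in constant time."""
    p = parse_digest(header_value)
    expected = digest_response(p, method, stored_password)
    return hmac.compare_digest(expected, p["response"])

# Fields copied from the second SUBSCRIBE in the log; response= is computed below.
FIELDS = ('Digest nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03", '
          'realm="vcsc.yyy.com", qop=auth, opaque="AQAAAPliFrzUQV7Kj9A4DJ5mkH350LV2", '
          'username="xxx", uri="sip:yyy.com", algorithm=MD5, nc=00000001, '
          'cnonce="07b93f430f7036a871699aa1558bfa5f"')

def endpoint_header(typed_password):
    """Endpoint side: build Proxy-Authorization from the password typed on the device."""
    response = digest_response(parse_digest(FIELDS), "SUBSCRIBE", typed_password)
    return f'{FIELDS}, response="{response}"'

AD_PASSWORD = "Example-AD-pass1"   # constructed: what the user typed on the EX60
TMS_PASSWORD = "12345678"          # constructed: what TMS stores for the user

if __name__ == "__main__":
    # AD password on the endpoint, TMS password on the server: mismatch, so 407 again
    print(server_accepts(endpoint_header(AD_PASSWORD), "SUBSCRIBE", TMS_PASSWORD))
    # Same TMS password on both sides: responses match
    print(server_accepts(endpoint_header(TMS_PASSWORD), "SUBSCRIBE", TMS_PASSWORD))
```

The password never crosses the wire in digest authentication, so the server can only verify a response against the password it holds itself; a correct AD password still fails if the stored TMS password differs.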
01-10-2013 06:01 PM
Hi, Guy
Got your point, and I've tried your suggestion, but the problem is I haven't set up an SMTP server in my TMSPE, so when I click System -> Provisioning -> Users -> Certain User -> Send Account Information, it only shows a message at the bottom right corner of the screen, and I couldn't find out the digit password you mentioned above.
In addition, I've tried to click Edit User to change the password to something alphanumeric, but the EX60 still failed to get the provisioning from VCS Expressway.
05-29-2013 02:28 PM
Thanks, Guy, you helped me solve my problem. I fixed the issue of EX60 authenticating to TMS/VCS by manually setting a user password in TMSPE. For my Jabber clients I can leave the password blank since hashes are passed to and from AD.
05-29-2013 04:10 PM
You were able to set up a Jabber account using no password? Interesting.
05-30-2013 07:52 AM
We are using Jabber Movi with the legacy setting to allow Windows credential passthrough.
06-04-2013 06:53 PM
How did you get the credentials to pass through? I have the same version "Movi".