Beginner

TMS 14.1.1 LDAP integration from Multiple AD Forests

We are using TMS 14.1.1 and currently have this pointing at one of our DCs in forest1\domain1. This is working fine. We have a two-way trust relationship between this AD forest/domain and a second AD forest/domain. Is it possible for us to provision users in BOTH AD forests/domains to allow use of Cisco Jabber Video for Windows/iPad?

Forest1/Domain1 - User A OK

Forest2/Domain2 - User B Fails

If it is not possible to have both AD forests/domains configured within TMS, how could we work around the issue?

Many thanks

Regards

David

6 Replies
Cisco Employee

Hi David,

Just to clarify, are you talking TMS or TMSPE, since you're mentioning provisioning users? For example, are you referring to importing users into the Provisioning Directory, aka TMSPE? And when you say "User A OK" and "User B Fails", what exactly do you mean by fails?

Dale


Dale,

Thanks for the response.

Sorry, yes, this is for provisioning of users to use Jabber Video, so TMSPE rather than TMS. We can currently log in as a user that is in Domain1, but if logging in as a user from Domain2 we get an invalid username or password error on the Jabber Video client. Not sure that the users are being imported from Domain2, as the LDAP configuration is only set for Domain1. So we are looking to allow users to be imported via LDAP configuration for BOTH Domain1 and Domain2.

Hope that clarifies.

Regards

David


Ok...so you have successfully imported the users (from both domains) into your Provisioning Directory and have set up appropriate dial plans and configuration templates for those users when they go to register and provision to the VCS...so this is maybe more of a question of authentication when the users register and provision to the VCS. And this is assuming everything is working okay between TMSPE and the VCSs. Therefore, what username and password are you authenticating with, i.e. the TMSPE-created usernames and passwords, or have you set up AD authentication on the VCS side?


Dale,

Thanks again for responding. After checking the setup within TMS for TMSPE I noted that we only have a single LDAP configuration for Domain1 and nothing for Domain2. I have created a user account for TMS to use within Domain2 to access and read AD.

I have then set up a new group within TMS under Systems>Provisioning>Users and pointed this to a DC within Domain2. I tested the import, which looked good, so ran the import. Our VCS is set to pull from TMS/TMSPE every 2 minutes, so I waited for the Domain2 users to be imported before attempting to log in. I can now log on and make/receive calls OK with Jabber Video for TelePresence on a laptop in Domain2 with a user account in Domain2.

The only difference in the logon process is that from Domain1 we don't need to specify the domain, but for Domain2 we have to have the username in the format domain2\username.

Thanks for your assistance with this.

Regards

David


The reason you need to include a domain name for the users in domain2 is most likely because the VCS has been added as a member of domain1. An authentication request (rpcnetlogon) sent to the Active Directory Domain Controller will use the machine's domain membership as the default domain. The "machine domain" is the domain of the VCS. For Active Directory to be able to route the netlogon request to the trusted domain, the trusted domain name needs to be included with the username. Without it, the Domain Controller will not know to route it to the trusted domain.

- Zac Colton
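The default-domain rule described in the reply above, modelled as a small Python illustration. This is an added example, not code from the thread or from Cisco: the directory, the trust table and the function names (`parse_logon_name`, `route_logon`) are constructed for the illustration, and support for the `user@domain` UPN form is an assumption beyond the `domain\username` form the thread mentions.

```python
# Model of how a netlogon request is routed when the authenticating host
# (here the VCS) is a member of one domain and the user lives in a trusted one.
# Added example: DIRECTORY and TRUSTS are constructed sample data, not a real forest.

# Constructed sample: users known to each domain.
DIRECTORY = {
    "DOMAIN1": {"usera"},
    "DOMAIN2": {"userb"},
}

# Constructed two-way trust between DOMAIN1 and DOMAIN2, as in the thread.
TRUSTS = {
    "DOMAIN1": {"DOMAIN2"},
    "DOMAIN2": {"DOMAIN1"},
}


def parse_logon_name(logon_name: str):
    """Split a logon name into (domain, user).

    Handles the NetBIOS form domain\\user used in the thread and, as an
    assumption, the UPN form user@domain. A bare username returns domain=None.
    """
    if "\\" in logon_name:
        domain, user = logon_name.split("\\", 1)
        return domain.upper(), user.lower()
    if "@" in logon_name:
        user, domain = logon_name.rsplit("@", 1)
        return domain.upper(), user.lower()
    return None, logon_name.lower()


def route_logon(logon_name: str, machine_domain: str):
    """Return (target_domain, authenticated) for a logon attempt.

    A name with no domain is tried only against the machine domain (the
    domain the VCS is a member of). A qualified name is routed to the named
    domain, but only if a trust path exists from the machine domain.
    """
    machine_domain = machine_domain.upper()
    domain, user = parse_logon_name(logon_name)
    if domain is None:
        # No domain supplied: the DC defaults to the host's own domain.
        domain = machine_domain
    if domain != machine_domain and domain not in TRUSTS.get(machine_domain, set()):
        # Named domain is neither local nor trusted: nowhere to route the request.
        return domain, False
    return domain, user in DIRECTORY.get(domain, set())


if __name__ == "__main__":
    # VCS joined to DOMAIN1: bare "userb" is looked up in DOMAIN1 and fails,
    # while "domain2\\userb" is routed across the trust and succeeds.
    for name in ("usera", "userb", "domain2\\userb", "userb@domain2"):
        print(f"{name:16} -> {route_logon(name, 'domain1')}")
```

The model reproduces the symptom from earlier in the thread: with the VCS in Domain1, a bare Domain2 username is checked against Domain1 and rejected, while the same user qualified with the domain is routed over the trust and accepted.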

Enthusiast

I have a similar situation.

Our design has 2 separate VCSs (one in domain1 and one in domain2). Would the requirement for logging on Movi users in domain2 still need domain\username, or could they just use username? My assumption is that with VCS C in Domain2, Movi users wouldn't need to add the domain to their login because this VCS would already be in the second domain.


Brandon