Authenticate J4W clients from two different AD domains/single forest

Ronald Ward
Level 5

I am needing to deploy Jabber to users in another domain within a single forest. My understanding is CUCM is the AD authentication point which only allows for a single base DN for authentication, although multiple base DNs for searching for users.

I don't see how to do this within a single CUCM cluster? I have read the docs on federation in CUP's but that doesn't seem to apply to this scenario.

At this point it almost seems like I need a separate CUCM cluster/node just to authenticate users for Jabber on a different domain (same forest!)

And to clarify, these are not subdomains, but abccompany-west.local and abccompany-east.local

Thanks,

Ron

1 Reply

Sara Sheridan
Level 1

Hi Ron,

The CUCM 8x SRND states the following under LDAP Authentication > Additional Considerations for Active Directory:

In the case of a Microsoft AD forest that encompasses multiple trees, some additional considerations apply. Because a single LDAP search base cannot cover multiple namespaces, Unified CM must use a different mechanism to authenticate users across these discontiguous namespaces.

As mentioned in the section on LDAP Synchronization, in order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM. When the user ID is the UPN, the LDAP authentication configuration page within Unified CM Administration does not allow you to enter the LDAP Search Base field, but instead it displays the note, "LDAP user search base is formed using userid information."

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/directry.html#wp1045381

I hope this helps,

--

Sara Sheridan