Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 3: Active Directory (Direct)
SIP Messages for a Provisioning Subscription
The ladder diagram below shows the call flow for SIP messaging when authentication is challenged using NTLM
(Active Directory direct).
(Active Directory direct).
The provisioning server may reside on the VCS which authenticates the messaging – in which case the destination of
the signaling will be seen as 127.0.0.1, alternatively the messages may be sent to a different VCS (for example, a
VCS Control from a VCS Expressway) where the provisioning server resides.
the signaling will be seen as 127.0.0.1, alternatively the messages may be sent to a different VCS (for example, a
VCS Control from a VCS Expressway) where the provisioning server resides.
Endpoint VCS Provisioning server
Subscribe
407 Proxy Authentication Required
with SIP header: ‘Proxy-Authenticate:
NTLM realm="<VCSHostID>",
qop="auth",
targetname="<VCSHostID>"’
Subscribe
with SIP header: ‘Proxy-Authenticate:
NTLM qop="auth", realm="<VCSHostID>",
targetname="<VCSHostID>",
gssapi-data=""’
407 Proxy Authentication Required
with SIP header: ‘Proxy-Authenticate:
NTLM realm="<VCSHostID>",
opaque="<opData>", targetname="<VCSHostID>",
gssapi-data="<gsData>"’
Subscribe
with ‘Proxy-Authorization: NTLM
qop="auth", realm="<VCSHostID>",
targetname="<VCSHostID>",
opaque="<opData>",
gssapi-data="<MoviGsData>"’
Subscribe
with SIP header: ‘P-Asserted-Identity:
<sip:<assertedID>>’
200 OK
200 OK
38
Cisco VCS Authenticating Devices Deployment Guide