Cisco TelePresence Video Communication Server Expressway
Appendix 3: Active Directory (direct)
SIP messages for a provisioning subscription
The ladder diagram below shows the call flow for SIP messaging when authentication is challenged using
NTLM (Active Directory direct).
The provisioning server may reside on the VCS that authenticates the messaging, in which case the
destination of the signaling will be seen as 127.0.0.1. Alternatively, the messages may be sent to a different
VCS (for example, to a VCS Control from a VCS Expressway) where the provisioning server resides.
Participants: Endpoint, VCS, Provisioning server

1. Endpoint -> VCS: Subscribe
2. VCS -> Endpoint: 407 Proxy Authentication Required
   with SIP header: ‘Proxy-Authenticate: NTLM realm="<VCSHostID>", qop="auth", targetname="<VCSHostID>"’
3. Endpoint -> VCS: Subscribe
   with SIP header: ‘Proxy-Authenticate: NTLM qop="auth", realm="<VCSHostID>", targetname="<VCSHostID>", gssapi-data=""’
4. VCS -> Endpoint: 407 Proxy Authentication Required
   with SIP header: ‘Proxy-Authenticate: NTLM realm="<VCSHostID>", opaque="<opData>", targetname="<VCSHostID>", gssapi-data="<gsData>"’
5. Endpoint -> VCS: Subscribe
   with ‘Proxy-Authorization: NTLM qop="auth", realm="<VCSHostID>", targetname="<VCSHostID>", opaque="<opData>", gssapi-data="<MoviGsData>"’
6. VCS -> Provisioning server: Subscribe
   with SIP header: ‘P-Asserted-Identity: <sip:<assertedID>>’
7. Provisioning server -> VCS: 200 OK
8. VCS -> Endpoint: 200 OK
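When reviewing a SIP trace of this exchange, the ordering of the first five messages in the ladder and the echo of the opaque value can be checked mechanically. The Python sketch below is an added example, not part of the Cisco guide or of VCS itself: it classifies each message by its NTLM parameters and reports a Subscribe carrying P-Asserted-Identity, or a 200 OK, that appears before the exchange has completed. The tuple layout, function names and sample values are assumptions made for the illustration.

```python
import re

PARAM = re.compile(r'([\w-]+)="([^"]*)"')

def ntlm_params(value):
    """Parse 'NTLM k="v", ...' into a dict; None if absent or not NTLM."""
    scheme, _, rest = (value or "").strip().partition(" ")
    return dict(PARAM.findall(rest)) if scheme.upper() == "NTLM" else None

def stage(kind, params):
    """Map a message to its position in the ladder (1-5); 0 if it fits none."""
    if params is None:
        return 1 if kind == "SUBSCRIBE" else 0
    has_opaque, token = "opaque" in params, params.get("gssapi-data")
    if kind == "407":
        return 4 if has_opaque and token else 2 if token is None else 0
    if kind == "SUBSCRIBE":
        return 5 if has_opaque and token else 3 if token == "" else 0
    return 0

def check_flow(trace):  # trace: (kind, ntlm_value_or_None, asserted_id_or_None)
    findings, expected, issued, done = [], 1, None, False
    for n, (kind, hdr, asserted) in enumerate(trace, 1):
        if asserted is not None or kind == "200":  # messages after the exchange
            if not done:
                findings.append(f"msg {n}: {kind} before NTLM exchange completed")
            continue
        params = ntlm_params(hdr)
        step = stage(kind, params)
        if step != expected:
            findings.append(f"msg {n}: expected step {expected}, saw step {step}")
        if step == 4:
            issued = params["opaque"]
        elif step == 5 and params["opaque"] != issued:
            findings.append(f"msg {n}: opaque does not match the challenge")
        elif step == 5:
            done = True  # structure only; the token itself is not validated here
        expected = step + 1 if step else expected
    return findings

# Constructed sample trace (placeholder host, opaque and token values).
H = 'realm="vcs1", targetname="vcs1"'
GOOD = [
    ("SUBSCRIBE", None, None),
    ("407", f'NTLM {H}, qop="auth"', None),
    ("SUBSCRIBE", f'NTLM qop="auth", {H}, gssapi-data=""', None),
    ("407", f'NTLM {H}, opaque="op-A", gssapi-data="TYPE2"', None),
    ("SUBSCRIBE", f'NTLM qop="auth", {H}, opaque="op-A", gssapi-data="TYPE3"', None),
    ("SUBSCRIBE", None, "sip:user@example.com"), ("200", None, None), ("200", None, None),
]
```

check_flow(GOOD) returns an empty list; changing the opaque value in the fifth message yields a mismatch finding plus one finding for each later message that depends on the completed exchange.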
Cisco TelePresence Device Authentication on Cisco VCS Deployment Guide (X8.5)