Cisco Cisco TelePresence Video Communication Server Expressway
Configuring VCS authentication methods
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.1)
Page 17 of 47
Using Active Directory database (direct)
Active Directory database (direct) authentication uses NTLM protocol challenges and authenticates
credentials via direct access to an Active Directory server using a Kerberos connection.
credentials via direct access to an Active Directory server using a Kerberos connection.
Active Directory database (direct) authentication can be enabled at the same time as either the
local database or H.350 directory service authentication.
•
local database or H.350 directory service authentication.
•
This is because NTLM authentication is only supported by certain endpoints.
•
In such circumstances you could, for example, use the Active Directory (direct) server
method for Movi, and the local database or H.350 directory service authentication for the
other devices that do not support NTLM.
method for Movi, and the local database or H.350 directory service authentication for the
other devices that do not support NTLM.
NTLM authentication is only supported (at the time of writing) by Movi version 4.2 or later.
If Active Directory (direct) authentication has been configured and NTLM protocol challenges is set
to Auto, then NTLM authentication challenges are offered to those devices that support NTLM.
to Auto, then NTLM authentication challenges are offered to those devices that support NTLM.
NTLM challenges are offered in addition to the standard digest challenge.
Endpoints that support NTLM will respond to the NTLM challenge and VCS will use that in
preference to the digest challenge.
preference to the digest challenge.
Configuration prerequisites
Active Directory
A username and password of an AD user with either “account operator” or “administrator” access
rights must be available for the Cisco VCS to use for joining and leaving the domain.
rights must be available for the Cisco VCS to use for joining and leaving the domain.
Entries must exist in the Active Directory server for all devices that are to be authenticated
through this method. Each entry must have an associated password.
through this method. Each entry must have an associated password.
The device entries (in all domains) must be accessible by the user that is used by VCS to join the
domain.
domain.
Kerberos Key Distribution Center
The KDC (Kerberos Key Distribution Center) server must be synchronized to a time server.
DNS server
If a DNS name or DNS SRV name is used to identify the AD server(s), a DNS server must be
configured with the relevant details.
configured with the relevant details.
Cisco VCS
If using DNS / DNS SRV to specify the AD server(s), the VCS must be configured to use a DNS
server (
server (
System > DNS
).
•
The VCS’s Local host name (
System > DNS
) must be 15 or fewer characters long.
(Microsoft NetBIOS names are capped at 15 characters.)
•
When part of a cluster, ensure that each Cisco VCS peer has a unique Local host name.
Ensure that an NTP server (
System > Time
) has been configured and is active.
Ensure that the VCS is configured to challenge for authentication on the relevant zones and
subzones:
•
subzones:
•
The Default Zone (
VCS configuration > Zones
, then select Default Zone) must be
configured with an Authentication policy of Check credentials. This ensures that
provisioning requests (and any call requests from non-registered devices) are challenged.
provisioning requests (and any call requests from non-registered devices) are challenged.
•
The Default Subzone (
VCS configuration > Local Zone > Default Subzone
) – or the
relevant subzones - must be configured with an Authentication policy of Check credentials.
This ensures that registration, presence, phone book and call requests from registered
devices are challenged.
This ensures that registration, presence, phone book and call requests from registered
devices are challenged.