Cisco TelePresence Video Communication Server Expressway
Configuring VCS authentication methods
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.1)
Note that setting up your VCS’s authentication policy to check credentials will affect all
devices (not just Movi) that send provisioning, registration, presence, phone book and call
requests to the VCS.
Endpoint
The PC on which Movi runs must use appropriate settings which match the settings of the AD
server (see Appendix 4 — Active Directory (direct): Movi PC and AD server compatibility
configuration).
IT request
You can use the questionnaire in Appendix 1 — IT requisition to get the appropriate information from
your IT department.
Configure Active Directory server details in Cisco VCS
To configure Active Directory (direct) and join the AD domain:
1. Go to VCS configuration > Authentication > Devices > Active Directory Service.
2. Configure the fields as follows:
Connect to Active Directory Service: On

AD domain: <AD DOMAIN>
This must be the qualified domain name (QDN) of the AD domain and must be
entered in CAPITALS. For example, EXAMPLE.COM.

Short domain name: <AD Short Domain Name>
(this is also known as the NetBIOS Domain Name). For example, EXAMPLE.

Secure channel mode: Auto / Enabled / Disabled
This configures the authentication used on the communications between VCS and
the AD Domain Controller. Generally this should be left at its default value Auto.

Encryption: Off / TLS
This configures whether TLS encryption is used between VCS and the Active
Directory server.
Note that if encryption is set to TLS, a valid CA certificate, private key and server
certificate must be uploaded to the VCS via the Security certificates page
(Maintenance > Certificate management > Security certificates).
The default value is TLS.

Clockskew (seconds): <Skew value in seconds>
This sets up the maximum clock skew allowed between the VCS and the KDC
(Kerberos Key Distribution Center). It should be kept in step with the clock skew
setting on the KDC; generally this will be its default value of 300 (5 minutes).
Ensure that VCS and KDC are synchronized to time servers.

Use DNS SRV lookup to obtain Domain Controller addresses
You are recommended to leave this field set to Yes.
This means that VCS will use a DNS SRV lookup of <AD DOMAIN> to obtain the
address details of the AD domain controllers.
If the lookup cannot provide the addresses then set this field to No and enter the
IP address of the primary Domain Controller into the Address 1 field that will be
displayed.

Use DNS SRV lookup to obtain Kerberos Key Distribution Center addresses
You are recommended to leave this field set to Yes.
This means that VCS will use a DNS SRV lookup of <AD DOMAIN> to obtain the
address details of the Kerberos Key Distribution Center servers.
If the lookup cannot provide the addresses then set this field to No and enter the
IP address of the primary Key Distribution Center server into the Address 1 field
that will be displayed. Typically, Port 1 can be left as its default value of 88.
Note that Key Distribution Center addresses are typically the same as the Domain
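
A pre-flight check for the field values in step 2, as an added example (not Cisco code and not part of the original guide). It assumes the SRV answers were collected with `dig +short SRV` for the standard AD locator names `_ldap._tcp.dc._msdcs.<AD DOMAIN>` and `_kerberos._tcp.<AD DOMAIN>` (the guide does not state which names VCS queries); the `cfg` keys, function names and sample values are hypothetical.

```python
# Added example, not Cisco code. SRV names are the standard AD locator names
# (assumption: the guide does not say which names VCS queries).
SRV_NAMES = {"dc": "_ldap._tcp.dc._msdcs.{d}", "kdc": "_kerberos._tcp.{d}"}

def parse_srv(dig_output):
    """Parse `dig +short SRV <name>` lines of the form 'priority weight port target'."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            records.append((int(parts[0]), int(parts[1]), int(parts[2]), parts[3].rstrip(".")))
    return sorted(records)  # lowest priority value (the preferred server) first

def preflight(cfg, srv_answers, clock_offset_s, kdc_clockskew_s=300):
    """Return findings for the planned field values; an empty list means consistent."""
    findings = []
    domain = cfg["ad_domain"]
    if "." not in domain or domain != domain.upper():
        findings.append("AD domain: enter the qualified domain name in CAPITALS")
    if cfg["encryption"] == "TLS" and not cfg["certs_uploaded"]:
        findings.append("Encryption: TLS needs CA certificate, private key and server certificate")
    if cfg["clockskew_s"] != kdc_clockskew_s:
        findings.append("Clockskew: differs from the KDC setting")
    if abs(clock_offset_s) > cfg["clockskew_s"]:
        findings.append("Clockskew: measured offset exceeds the allowed skew")
    for key in ("dc", "kdc"):
        name = SRV_NAMES[key].format(d=domain)
        if cfg[key + "_use_srv"] and not parse_srv(srv_answers.get(name, "")):
            findings.append(f"{key}: no SRV records for {name}; set to No and fill Address 1")
        elif not cfg[key + "_use_srv"] and not cfg.get(key + "_address_1"):
            findings.append(f"{key}: SRV lookup is No but Address 1 is empty")
    return findings

# Constructed sample values (not from the guide).
SAMPLE_CFG = {"ad_domain": "EXAMPLE.COM", "encryption": "TLS", "certs_uploaded": True,
              "clockskew_s": 300, "dc_use_srv": True, "kdc_use_srv": True}
SAMPLE_SRV = {
    "_ldap._tcp.dc._msdcs.EXAMPLE.COM": "0 100 389 dc2.example.com.\n0 100 389 dc1.example.com.\n",
    "_kerberos._tcp.EXAMPLE.COM": "",  # constructed: this lookup returned nothing
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CFG, SAMPLE_SRV, clock_offset_s=12.5):
        print(finding)
```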