Cisco TelePresence Video Communication Server Expressway Administration Manual
Using Active Directory Database (Direct)
Active Directory database (direct) authentication uses NTLM protocol challenges and authenticates credentials via
direct access to an Active Directory server using a Kerberos connection.
It can be enabled at the same time as local database and H.350 directory service authentication. This is because
NTLM authentication is only supported by certain endpoints. Therefore, for example, you could use the Active
Directory (direct) server method for Jabber Video, and the local database or H.350 directory service authentication for
the other devices that do not support NTLM.
If Active Directory (direct) authentication has been configured and NTLM protocol challenges is set to Auto, then
NTLM authentication challenges are offered to those devices that support NTLM. Devices that do not support NTLM
will continue to receive a standard Digest challenge.
Note that the VCS embeds NTLMv2 authentication protocol messages within standard SIP messages when
communicating with endpoint devices, and uses a secure RPC channel when communicating with the AD Domain
Controller. Users' Windows domain credentials and the AD domain administrator credentials are not stored on the
VCS.
Configuration Prerequisites
Active Directory
■ A username and password of an AD user account with either “account operator” or “administrator” access rights must be available for the VCS to use for joining and leaving the domain.
■ Entries must exist in the Active Directory server for all devices that are to be authenticated through this method. Each entry must have an associated password.
■ The device entries (in all domains) must be accessible by the user account that is used by VCS to join the domain. If the VCS is in a domain that is part of a forest, and there is trust between domains in the forest, the VCS can authenticate device entries from different domains providing the user account has appropriate rights to authenticate devices against the other domains.
Kerberos Key Distribution Center
The KDC (Kerberos Key Distribution Center) server must be synchronized to a time server.
DNS server
If a DNS name or DNS SRV name is used to identify the AD servers, a DNS server must be configured with the relevant
details. (Note that the VCS must be configured to use a DNS server even if you are not using DNS / DNS SRV to
specify the AD servers.)
VCS
■ The VCS must be configured to use a DNS server (System > DNS).
  — The VCS’s System host name (System > DNS) must be 15 or fewer characters long. (Microsoft NetBIOS names are capped at 15 characters.)
  — When part of a cluster, ensure that each VCS peer has a unique System host name.
■ Ensure that an NTP server (System > Time) has been configured and is active.
■ If the connection is going to use TLS encryption, a valid CA certificate, private key and server certificate must be uploaded to the VCS.
■ The VCS must be configured to challenge for authentication on the relevant zones and subzones:
  — The Default Zone (Configuration > Zones > Zones, then select Default Zone) must be configured with an Authentication policy of Check credentials. This ensures that provisioning requests (and any call requests from non-registered devices) are challenged.
  — The Default Subzone (Configuration > Local Zone > Default Subzone), or the relevant subzones, must be configured with an Authentication policy of Check credentials. This ensures that registration, presence, phone book and call requests from registered devices are challenged.
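The VCS prerequisites above can be turned into a pre-flight audit. The following is an added example, not code from Cisco or from the VCS: it runs over a constructed representation of a cluster's settings (the dictionary layout, key names and sample values are assumptions for this example, not the VCS's own configuration schema or API) and reports every listed prerequisite that is not met.

```python
NETBIOS_MAX = 15  # Microsoft NetBIOS computer names are capped at 15 characters
REQUIRED_POLICY = "Check credentials"


def check_ad_direct_prereqs(cluster):
    """Return a list of findings; an empty list means every listed VCS prerequisite is met.

    `cluster` is a constructed representation used only for this example (not the VCS's
    own configuration schema): peers with name/dns_servers/ntp_active, a tls flag, which
    certificate items have been uploaded, and the Authentication policy of each zone to check.
    """
    findings = []
    names = [peer["name"] for peer in cluster["peers"]]
    for peer in cluster["peers"]:
        name = peer["name"]
        if not peer["dns_servers"]:
            findings.append(f"{name}: no DNS server configured (System > DNS)")
        if len(name) > NETBIOS_MAX:
            findings.append(f"{name}: System host name exceeds {NETBIOS_MAX} characters")
        if not peer["ntp_active"]:
            findings.append(f"{name}: no active NTP server (System > Time)")
    # Host names must be unique across the cluster peers.
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"{name}: System host name is not unique within the cluster")
    # CA certificate, private key and server certificate are only required when TLS is used.
    if cluster["tls"]:
        for item in ("ca_certificate", "private_key", "server_certificate"):
            if not cluster["uploaded"].get(item):
                findings.append(f"TLS in use but {item} has not been uploaded")
    # Default Zone and Default Subzone (or the relevant subzones) must challenge for credentials.
    for zone, policy in cluster["zones"].items():
        if policy != REQUIRED_POLICY:
            findings.append(f"{zone}: Authentication policy is '{policy}', must be '{REQUIRED_POLICY}'")
    return findings


# Constructed sample: a two-peer cluster in which several prerequisites are not met.
SAMPLE_CLUSTER = {
    "peers": [
        {"name": "vcs-expressway-london-1", "dns_servers": ["10.0.0.53"], "ntp_active": True},
        {"name": "vcs-c-1", "dns_servers": [], "ntp_active": False},
    ],
    "tls": True,
    "uploaded": {"ca_certificate": True, "private_key": True, "server_certificate": False},
    "zones": {"Default Zone": "Check credentials", "Default Subzone": "Treat as authenticated"},
}

if __name__ == "__main__":
    for finding in check_ad_direct_prereqs(SAMPLE_CLUSTER):
        print(finding)
```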
142
Cisco TelePresence Video Communication Server Administrator Guide
Device Authentication