Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Device authentication
Cisco VCS Administrator Guide (X7.1)
Page 108 of 479
Authentication using Active Directory Service
Movi authentication using an Active Directory Service
Movi device authentication can be performed using a connection between the VCS and an Active Directory
Service (ADS). This allows Movi endpoint users to use their Windows Active Directory (AD) credentials to
authenticate via the NTLM protocol with the VCS.
Service (ADS). This allows Movi endpoint users to use their Windows Active Directory (AD) credentials to
authenticate via the NTLM protocol with the VCS.
This means that Movi users do not need a separate set of authentication credentials (username and
password) for their Movi endpoint - instead they can use the same credentials for both Windows and Movi.
password) for their Movi endpoint - instead they can use the same credentials for both Windows and Movi.
When the VCS is enabled to authenticate via an Active Directory Service, Movi 4.2 and later will
automatically use ADS. Other devices will continue to be authenticated according to the chosen
automatically use ADS. Other devices will continue to be authenticated according to the chosen
method.
ADS authentication process
To enable authentication against Active Directory, the VCS must first be configured with the details of the
Active Directory Service and it must then join the AD domain. After the VCS has established a connection to
the Active Directory Service, Movi credentials can be authenticated.
Active Directory Service and it must then join the AD domain. After the VCS has established a connection to
the Active Directory Service, Movi credentials can be authenticated.
Before the VCS can connect to the Active Directory Service, ensure that the VCS is configured with the
following prerequisite information:
following prerequisite information:
n
DNS server and Local host name details; ensure the Local host name is 15 characters or less
n
NTP server details
n
an appropriate CA certificate from the AD server if the connection is going to use TLS encryption
The VCS process to authenticate users' AD credentials is as follows:
1. Configure the VCS with the details of the Active Directory Service (
VCS configuration > Authentication
> Devices > Active Directory Service
), including:
l
AD domain and short domain name connection details
l
the username and password credentials of the domain administrator; these are required in order to join
the AD domain
Even though it is possible to explicitly configure the addresses of the AD Domain Controllers and
Kerberos Key Distribution Centers, you are recommended to let the VCS obtain them via DNS SRV
lookups.
the AD domain
Even though it is possible to explicitly configure the addresses of the AD Domain Controllers and
Kerberos Key Distribution Centers, you are recommended to let the VCS obtain them via DNS SRV
lookups.
2. When the VCS is correctly configured, it will join the AD domain:
l
the VCS requests a Kerberos ticket from the KDC and then uses this ticket when it communicates with
the Domain Controller
the Domain Controller
l
after the VCS has joined the domain it periodically obtains fresh tickets from the KDC and renews its
relationship with the Domain Controller
relationship with the Domain Controller
3. Configure the VCS to challenge Movi (4.2 or later) with NTLM authentication challenges:
l
Go to
VCS configuration > Authentication > Devices > Configuration
and ensure that NTLM
protocol challenges is set to Auto.
The VCS can now start to authenticate Movi credentials.
4. A Movi endpoint then attempts to register with the VCS.