Cisco Support Community
New Member

MOVI with Mix authentication AD and LDAP?

Hi all

Is it possible to configure VCS for MOVI authentication in mixed mode?

I have a situation in which some MOVI users are not in the AD.

Now I would like to authenticate these MOVI users via the local LDAP database on the VCS-Expressway.

I have set all subzones and zones on the VCS-E to "check credential", and MOVI user authentication via AD is working fine, without any problem, but now I have the problem with the non-AD MOVI users.

Does anybody have an idea?

Any input appreciated.

Best Regards

Georg

Accepted Solutions
Gold

Re: MOVI with Mix authentication AD and LDAP?

Hi Georg,

this is possible but you would need to use 2 separate VCS-C's to do this, where 1 VCS-C is joined to the AD domain and configured to do NTLM authentication for Movi/Jabber Video provisioning requests, and where the other VCS-C is configured to use local database/LDAP authentication for Movi/Jabber Video provisioning requests.

Further, you would have to create two separate folders in TMS Provisioning Directory, where one folder houses the AD users and the other folder houses the non-AD users.

Lastly, you would have to configure the Internal Server setting on the Movi/Jabber Video so that the AD users get their provisioning configuration from the VCS-C which is configured for NTLM, while the non-AD users get their provisioning configuration from the non-NTLM VCS-C.

Now if you bring a VCS-E into the mix, so that both AD and non-AD users will also be logging in via the VCS-E, this will get a lot more complicated, since you would somehow have to ensure that a provisioning request from an AD user gets proxied through to the NTLM-enabled VCS-C while provisioning requests from non-AD users get proxied through to the non-NTLM VCS-C. This could be done with clever search rules, but that requires that you have a URI scheme for your provisioning users which allows you to determine if a provisioning request originates from an AD-based user or not.

In summary, this can be done, but it adds significant administrative overhead and would probably complicate troubleshooting quite a bit if that is ever required, and I would strongly suggest that you instead try to get all of the provisioning users into AD if possible.

Regards

Andreas

4 REPLIES
New Member

MOVI with Mix authentication AD and LDAP?

Hi Andreas

Thank you for the clarification.

I think the best way is to try to have all MOVI users authenticate via AD.

Regards

Georg

VIP Purple

Re: MOVI with Mix authentication AD and LDAP?

Out of curiosity, how would one use LDAP over AD, and what password would it use? I know how to use the VCS with AD, as I have it configured that way, although not currently enabled.

Gold

MOVI with Mix authentication AD and LDAP?

Patrick,

on the VCS there is a configuration setting called 'NTLM protocol challenges'. When this is set to 'Auto' or 'On', and assuming the VCS is joined to an AD domain, the VCS will verify credentials provided by Movi 4.2 or higher against AD rather than against LDAP or local database.

- Andreas
