03-19-2012 02:51 AM - edited 03-17-2019 02:15 PM
Hi all
Is it possible to configure VCS for MOVI authentication in mixed mode?
I have a situation in which some MOVI users are not in the AD.
Now I would like to authenticate these MOVI users via the local LDAP database on the VCS-Expressway.
I have set all subzones and zones on the VCS-E to "check credential", and authenticating the MOVI users via AD is working fine, without any problem, but now I have a problem with the non-AD Movi users.
Does anybody have an idea?
Any input appreciated.
Best Regards
Georg
03-19-2012 03:24 AM
Hi Georg,
this is possible but you would need to use 2 separate VCS-C's to do this, where 1 VCS-C is joined to the AD domain and configured to do NTLM authentication for Movi/Jabber Video provisioning requests, and where the other VCS-C is configured to use local database/LDAP authentication for Movi/Jabber Video provisioning requests.
Further, you would have to create two separate folders in TMS Provisioning Directory, where one folder houses the AD users and the other folder houses the non-AD users.
Lastly, you would have to configure the Internal Server setting on the Movi/Jabber Video so that the AD users get their provisioning configuration from the VCS-C which is configured for NTLM, while the non-AD users get their provisioning configuration from the non-NTLM VCS-C.
Now if you bring a VCS-E into the mix, so that both AD and non-AD users will also be logging in via the VCS-E, this will get a lot more complicated, since you would somehow have to ensure that a provisioning request from an AD user gets proxied through to the NTLM-enabled VCS-C while provisioning requests from non-AD users get proxied through to the non-NTLM VCS-C. This could be done with clever search rules, but that requires that you have a URI scheme for your provisioning users which allows you to determine if a provisioning request originates from an AD-based user or not.
In summary, this can be done, but it adds significant administrative overhead and would probably complicate troubleshooting quite a bit if that is ever required, and I would strongly suggest that you instead try to get all of the provisioning users into AD if possible.
Regards
Andreas
03-19-2012 05:40 AM
Hi Andreas
Thank you for the clarification.
I think this is the best way: to try to have all MOVI users authenticate via AD.
Regards
Georg
03-19-2012 06:41 AM
Out of curiosity, how would one use LDAP over AD, and what password would it use? I know how to use the VCS with AD, as I have it configured that way, although not currently enabled.
03-19-2012 07:23 AM
Patrick,
on the VCS there is a configuration setting called 'NTLM protocol challenges'. When this is set to 'Auto' or 'On', and assuming the VCS is joined to an AD domain, the VCS will verify credentials provided by Movi 4.2 or higher against AD rather than against LDAP or local database.
- Andreas