
MOVI with Mix authentication AD and LDAP?

Georg Kehrer
Level 4

Hi all

Is it possible to configure VCS for MOVI authentication in mixed mode?

I have a situation in which some MOVI users are not in the AD.

Now I would like to authenticate these MOVI users via the local LDAP database on the VCS-Expressway.

I have set all subzones and zones on the VCS-E to "check credential", and the MOVI users authenticating via AD work fine, without any problem, but now I have a problem with the non-AD MOVI users.

Does anybody have an idea?

Any input appreciated.

Best Regards

Georg

Accepted Solution

awinter2
Level 7

Hi Georg,

this is possible but you would need to use 2 separate VCS-C's to do this, where 1 VCS-C is joined to the AD domain and configured to do NTLM authentication for Movi/Jabber Video provisioning requests, and where the other VCS-C is configured to use local database/LDAP authentication for Movi/Jabber Video provisioning requests.

Further, you would have to create two separate folders in TMS Provisioning Directory, where one folder houses the AD users and the other folder houses the non-AD users.

Lastly, you would have to configure the Internal Server setting on the Movi/Jabber Video so that the AD users get their provisioning configuration from the VCS-C which is configured for NTLM, while the non-AD users get their provisioning configuration from the non-NTLM VCS-C.

Now if you bring a VCS-E into the mix, so that both AD and non-AD users will also be logging in via the VCS-E, this will get a lot more complicated, since you would somehow have to ensure that a provisioning request from an AD user gets proxied through to the NTLM-enabled VCS-C while provisioning requests from non-AD users get proxied through to the non-NTLM VCS-C. This could be done with clever search rules, but that requires that you have a URI scheme for your provisioning users which allows you to determine if a provisioning request originates from an AD-based user or not.

In summary, this can be done, but it adds significant administrative overhead and would probably complicate troubleshooting quite a bit if that is ever required, and I would strongly suggest that you instead try to get all of the provisioning users into AD if possible.

Regards

Andreas


4 Replies

Hi Andreas

Thank you for the clarification.

I think this is the best way: to try to authenticate all MOVI users via AD.

Regards

Georg

Out of curiosity, how would one use LDAP over AD, and what password would it use? I know how to use the VCS with AD, as I have it configured that way, although not currently enabled.

Patrick,

on the VCS there is a configuration setting called 'NTLM protocol challenges'. When this is set to 'Auto' or 'On', and assuming the VCS is joined to an AD domain, the VCS will verify credentials provided by Movi 4.2 or higher against AD rather than against LDAP or local database.

- Andreas
