Cisco Support Community

VCS x7.0 AD direct Authentication for Movi 4.2 (Kerberos) Multiple Domains?

Greetings all, I was hoping there are options for authenticating against multiple AD domains using Kerberos.

The Cisco VCS Authenticating devices deployment guide states - The device entries must all be in a single AD domain.

Is there any way the VCS can utilize a trust relationship with a separate AD domain to authenticate users on the other domain? For example: The VCS has joined the Alpha AD and is authenticating Alpha Movi users. Then if a two way trust relationship is created with the external Delta AD domain, will Delta AD user accounts be able to be authenticated by the VCS?

We currently have VCS x5.2 and tested LDAP authentication to AD with the trust relationship working with a separate AD domain. Unfortunately we are not permitted to use LDAP for authentication and we have been forced down the TMS provisioning route. We require direct authentication with AD and the new VCS from x6 provides that mechanism via Kerberos.

I have been told that you require VCS/VCS Cluster per domain for multiple domain authentications. I am really surprised that Cisco has this limitation as Kerberos does work across domains provided the appropriate trusts are in place between domains. We can't possibly deploy and support a VCS environment per domain so we are in a bit of a jam.

Are multiple Domain authentications an absolute no? (Using the AD direct method)

Thanks in advance

VCS x7.0 AD direct Authentication for Movi 4.2 (Kerberos) Multip

Hi Anthony,

You are correct, one VCS/cluster will only support one AD domain. If you need to authenticate with AD for more than one domain, you will need more VCS/clusters (one per domain).

Here are the prerequisites for Active Directory integration:

Active Directory

  • Entries must exist in the Active Directory server for all devices that are to be authenticated through this method. Each entry must have an associated password
  • The device entries must all be in a single AD domain
  • A username and password of an AD user with either “account operator” or “administrator” access rights must be available for the Cisco VCS to use for joining and leaving the domain

But it will be a nice feature request to support more than one domain. So please contact your Key Account Manager to open this feature request.

Hope this helps,