Configuration Guide for Cisco Unified MeetingPlace Web Conferencing Release 5.4
Configuring User Authentication in Cisco Unified MeetingPlace Web Conferencing


Configuring User Authentication in Cisco Unified MeetingPlace Web Conferencing


This section describes how to configure user authentication in Cisco Unified MeetingPlace Web Conferencing.


Note Though all authentication methods can be applied to internal or external servers, some authentication methods may not make sense for a DMZ environment. For more information about Web Conferencing support for DMZ environments, see the "Configuring External Access to Cisco Unified MeetingPlace Web Conferencing" chapter.


See the following sections:

About User Authentication

About MeetingPlace Authentication

About LDAP Authentication

About LDAP then MeetingPlace Authentication

About Trust External Authentication

About HTTP Basic Authentication (Domain)

About Windows Integrated Authentication

Troubleshooting Problems with Improper Functionality of Windows Authentication

About User Authentication

By default, Cisco Unified MeetingPlace Web Conferencing prompts users for login credentials by using an HTML web form, then authenticates them against the Cisco Unified MeetingPlace user profile database. However, you can choose to authenticate Cisco Unified MeetingPlace against third-party authentication software that provides different authentication behaviors. This can include different login windows, authentication against other user profile databases, or both.

Integration with third-party authentication software can provide the following benefits:

Centralized user database—Facilitates profile management.

Single Sign-On (SSO)—Allows users who have already been authenticated once to have access to all resources and applications on the network without having to re-enter their credentials.

For SSO to work, you must ensure that Cisco Unified MeetingPlace user IDs are set up so that they match the corresponding user IDs used by the third-party authentication software. Because Cisco Unified MeetingPlace user IDs are case-sensitive, we recommend that you create them with all lowercase characters, and that you use Cisco Unified MeetingPlace Directory Services for directory synchronization. This way, matching user IDs between Cisco Unified MeetingPlace and third-party authentication software is easily accomplished.


Note Cisco Unified MeetingPlace Web Conferencing automatically converts case so that Cisco Unified MeetingPlace user IDs and corresponding user IDs used by third-party authentication software match.


Web Conferencing provides the following authentication configuration options:

HTTP Basic Authentication (Domain)

LDAP

LDAP, then MeetingPlace

MeetingPlace

Trust External Authentication

Windows Integrated Authentication


Note Having a Cisco Unified MeetingPlace profile does not guarantee users access to the Cisco Unified MeetingPlace system. Login behaviors vary depending on the authentication configuration and login options that you choose.


Restrictions: User Authentication and Load Balancing

In a Cisco Unified MeetingPlace load-balancing cluster, all users must enter the Cisco Unified MeetingPlace system through a designated Cisco Unified MeetingPlace web server. In such circumstances, you only need to configure the designated web server for your chosen authentication method. You can configure all other web servers in the cluster to use the default authentication method—MeetingPlace Web Form Authentication.

You can also configure other web servers in the cluster to use the same authentication method as a failover strategy. However, depending on the type of authentication method used, this configuration can result in undesirable SSO behaviors.

For example, if you configure HTTP Basic Authentication or Windows Integrated Authentication, Cisco Unified MeetingPlace will prompt users for login credentials each time there is a web server redirect. This is because you are altering the hostname in the authentication configuration each time you redirect traffic to an active web server through a DNS change. If you configure LDAP or MeetingPlace authentication, users will not be prompted again for login credentials during a web conferencing redirect.

Restrictions: User Authentication and Segmented Meeting Access Deployments

If you configured a segmented meeting access deployment with one server (SMA-1S), you have two authentication options when configuring user authentication:

Configure both internal and external web sites to use the MeetingPlace native login form page

Configure the internal web site to use HTTP Basic Authentication and the external web site to use the MeetingPlace native login form page

Allowing Cisco Unified MeetingPlace for Outlook Authentication

If your Cisco Unified MeetingPlace system includes the Cisco Unified MeetingPlace for Outlook integration, you must configure Cisco Unified MeetingPlace Web Conferencing to allow Outlook to authenticate. Complete the following procedure.

Before You Begin

Verify that the Cisco Unified MeetingPlace user IDs and Windows domain user IDs of your users match.

To Configure Cisco Unified MeetingPlace for Outlook Authentication


Step 1 Update the Cisco Unified MeetingPlace Web Conferencing registry key to allow Outlook authentication.

a. From your desktop, choose Start > Run, then enter regedit.

b. Locate HKEY_LOCAL_MACHINE\SOFTWARE\Latitude\MeetingPlace WebPublisher\mpagent and go to RemoteUserAllowed.

c. To allow Outlook to authenticate, choose 1.

Step 2 Configure Cisco Unified MeetingPlace for Outlook to use Integrated Windows Authentication.

a. Open Explorer and navigate to the \MPWEB\mpoutlook folder.

b. Double-click configclients.exe.

c. From the Outlook control panel, choose the Logins tab and check Use Integrated Windows Authentication.

d. Click OK.

e. Close the Outlook Configuration Client utility.

Step 3 If you are configuring Web Conferencing user authentication, proceed to the "About User Authentication" section to determine your authentication mode.


About MeetingPlace Authentication

Authenticating users against the profile database on the Cisco Unified MeetingPlace Audio Server system is the default user authentication option. You have two options when configuring this type of authentication:

Logging in with an HTML-based web page form. This is the default option.

Logging in against a login window rendered by your web browser.

Regardless of the login page users see, user IDs and passwords are sent to the Audio Server system for authentication. Both profiles and user passwords must match. Profiles are case-sensitive.

See the following procedures:

To Configure MeetingPlace Authentication

To Verify the MeetingPlace Authentication Configuration by Using the HTTP Form

To Configure MeetingPlace Authentication

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section before doing this procedure.


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin, then click Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll to the Web Authentication section.

Step 5 For "Step 1: Directory," choose MeetingPlace.

Step 6 For "Step 2: Login Method," choose one of the following options:

To see an HTML-based Cisco Unified MeetingPlace login window, choose Web Page Form. This is the default authentication method.

To see a login window rendered by your web browser, choose HTTP Basic Authentication.


Note If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.


Step 7 Click Submit and wait five minutes for the new configuration to take effect.

Step 8 (Optional) If you chose HTTP Basic Authentication, proceed to the "To Verify the MeetingPlace Authentication Configuration by Using the HTTP Form" procedure.


To Verify the MeetingPlace Authentication Configuration by Using the HTTP Form

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

When you access the Cisco Unified MeetingPlace home page, you see an Enter Network Password window.

After you enter your end-user Cisco Unified MeetingPlace user ID and password, you are authenticated to the Audio Server.

The Welcome page displays your name in firstname, lastname order.

Sign In and Sign Out links do not display.


About LDAP Authentication

LDAP authentication compares user login information against the profile database on an LDAPv2-compliant directory server. After users are authenticated by the LDAP server, they are automatically logged in to Cisco Unified MeetingPlace as long as their LDAP user IDs also exist in Cisco Unified MeetingPlace. With LDAP authentication, the following restrictions apply:

Cisco Unified MeetingPlace Web Conferencing supports only unencrypted LDAP, that is, queries to the LDAP server are in clear text.

Users cannot log in with their Cisco Unified MeetingPlace passwords for their same LDAP user names.

LDAP profiles are used for authentication; Cisco Unified MeetingPlace profiles are ignored.


Note To authenticate Cisco Unified MeetingPlace Web Conferencing against the LDAP server, make sure that the LDAP server directory is designed to have all users in one container rather than broken into multiple containers (each representing a child OU).


See the following procedures:

To Configure LDAP Authentication

To Verify the LDAP Authentication Configuration by Using the Web Page Form

To Verify the LDAP Authentication Configuration by Using the HTTP Form

To Configure LDAP Authentication

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section before beginning this procedure.


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin, then click Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll to the Web Authentication section.

Step 5 For "Step 1: Directory," choose LDAP.

Step 6 For "LDAP Hostname," enter the LDAP hostname, for example ldap.domain.com.

Step 7 For "LDAP Distinguished Name (DN)," enter the DN information for your directory.


Note All users in the LDAP server directory must be in one container rather than broken into multiple containers each representing a child OU.


Example

CN=%USERNAME%, OU=People, DC=mydomain, DC=com

%USERNAME% is the username that the user enters when logging in.

Before the request is sent to the LDAP server, %USERNAME% is replaced with the username that the user enters in the login username field. No additional modifications are made to the DN value.

The %USERNAME% token is case-sensitive and must be entered in all upper case.

Consult your LDAP expert for your DN information.

Step 8 For "Step 2: Login Method," choose one of the following:

To see an HTML-based Cisco Unified MeetingPlace login window, choose Web Page Form.

To see a login window rendered by your web browser, choose HTTP Basic Authentication.


Note If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.


Step 9 Click Submit and wait five minutes for the new configuration to take effect.

Step 10 (Optional) If you chose Web Page Form and want to verify your configuration, proceed to the "To Verify the LDAP Authentication Configuration by Using the Web Page Form" procedure.

Step 11 (Optional) If you chose HTTP Basic Authentication and want to verify your configuration, proceed to the "To Verify the LDAP Authentication Configuration by Using the HTTP Form" procedure.


To Verify the LDAP Authentication Configuration by Using the Web Page Form

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

If you have a Cisco Unified MeetingPlace profile, you can log in with your LDAP password.

You cannot log in without a password.


To Verify the LDAP Authentication Configuration by Using the HTTP Form

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

When you access the Cisco Unified MeetingPlace home page, you see an Enter Network Password window.

After you enter your LDAP profile user ID and password, you are authenticated to the Audio Server.

The Welcome page displays your name in firstname, lastname order.

Sign In and Sign Out links do not display.


About LDAP then MeetingPlace Authentication

This authentication mode attempts to authenticate users against two directories if the need arises. When users first log in, they are authenticated against the LDAP directory. If this authentication fails, the login information is sent to the Cisco Unified MeetingPlace Audio Server for a possible match. This behavior allows a company to give non-LDAP users, such as guests or contractors, access to Cisco Unified MeetingPlace.

Before configuring this authentication mode, keep the following points in mind:

To authenticate Cisco Unified MeetingPlace Web Conferencing against the LDAP server, make sure that the LDAP server directory is designed to have all users in one container rather than broken into multiple containers (each representing a child OU).

If a match is made in the LDAP database, the user must provide the proper LDAP password. Three attempts with the incorrect password will lock the LDAP profile of the user.

Only users who are not found in the LDAP directory are eligible for authentication through the Cisco Unified MeetingPlace directory.

User IDs in the Cisco Unified MeetingPlace profile database are case sensitive.
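
The rules above, modelled as an added example (this is not Cisco's implementation): a failed LDAP password does not fall through to the Audio Server when the user ID exists in LDAP, and repeated failures lock the LDAP profile. The class and function names, the in-memory directories, and the sample user IDs and passwords are constructed for illustration.

```python
# Added example: a model of the "LDAP, then MeetingPlace" decision rules.
# Directory contents are constructed sample data held in memory.
import hmac

LOCK_THRESHOLD = 3  # three incorrect passwords lock the LDAP profile


class LdapThenMeetingPlace:
    def __init__(self, ldap_users, meetingplace_users):
        self.ldap = dict(ldap_users)                  # user ID -> password
        self.meetingplace = dict(meetingplace_users)  # case-sensitive user IDs
        self.failures = {}                            # LDAP user ID -> bad attempts

    @staticmethod
    def _matches(stored, supplied):
        # An empty password never authenticates; compare in constant time.
        return bool(supplied) and hmac.compare_digest(
            stored.encode(), supplied.encode()
        )

    def login(self, user_id, password):
        """Return (outcome, directory_that_decided)."""
        if user_id in self.ldap:
            # Found in LDAP: the LDAP password is the only one accepted.
            if self.failures.get(user_id, 0) >= LOCK_THRESHOLD:
                return ("locked", "ldap")
            if self._matches(self.ldap[user_id], password):
                return ("ok", "ldap")
            # How the directory resets this counter is not modelled here.
            self.failures[user_id] = self.failures.get(user_id, 0) + 1
            return ("denied", "ldap")
        # Not found in LDAP: eligible for the MeetingPlace profile database.
        stored = self.meetingplace.get(user_id)
        if stored is not None and self._matches(stored, password):
            return ("ok", "meetingplace")
        return ("denied", "meetingplace")


def run_sample():
    """Replay a constructed sequence of login attempts and return the outcomes."""
    auth = LdapThenMeetingPlace(
        ldap_users={"jsmith": "ldap-pass"},
        meetingplace_users={"jsmith": "mp-pass", "contractor1": "mp-guest"},
    )
    attempts = [
        ("jsmith", "ldap-pass"),      # LDAP user with the LDAP password
        ("contractor1", "mp-guest"),  # not in LDAP, MeetingPlace password
        ("Contractor1", "mp-guest"),  # wrong case for a MeetingPlace user ID
        ("jsmith", "mp-pass"),        # MeetingPlace password for an LDAP user
        ("jsmith", ""),               # no password
        ("jsmith", "guess"),          # third incorrect password
        ("jsmith", "ldap-pass"),      # correct password, but profile is locked
    ]
    return [auth.login(user_id, password) for user_id, password in attempts]


if __name__ == "__main__":
    for outcome in run_sample():
        print(outcome)
```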

See the following procedures:

To Configure the LDAP then MeetingPlace Authentication

To Verify the LDAP then MeetingPlace Authentication Configuration by Using the Web Page Form

To Verify the LDAP then MeetingPlace Authentication Configuration by Using the HTTP Form

To Configure the LDAP then MeetingPlace Authentication

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section before beginning this procedure.


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin, then click Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll to the Web Authentication section.

Step 5 For "Step 1: Directory," choose LDAP, then MeetingPlace.

Step 6 For "LDAP Hostname," enter the LDAP hostname, for example ldap.domain.com.

Step 7 For "LDAP Distinguished Name (DN)," enter the DN information for your directory.


Note All users in the LDAP server directory must be in one container rather than broken into multiple containers each representing a child OU.


Example

CN=%USERNAME%, OU=People, DC=mydomain, DC=com

%USERNAME% is the username that the user enters when logging in.

Before the request is sent to the LDAP server, %USERNAME% is replaced with the username that the user types in the login username field. No additional modifications are made to the DN value.

The %USERNAME% token is case-sensitive and must be entered in all upper case.

Consult your LDAP expert for your DN information.

Step 8 For "Step 2: Login Method," choose one of the following:

To see an HTML-based Cisco Unified MeetingPlace login window, choose Web Page Form.

To see a login window rendered by your web browser, choose HTTP Basic Authentication.


Note If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.


Step 9 Click Submit and wait five minutes for the new configuration to take effect.

Step 10 (Optional) If you want to verify your Web Page Form configuration, proceed to the "To Verify the LDAP then MeetingPlace Authentication Configuration by Using the Web Page Form" procedure.

Step 11 (Optional) If you want to verify your HTTP form configuration, proceed to the "To Verify the LDAP then MeetingPlace Authentication Configuration by Using the HTTP Form" procedure.
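
The following added example (not from Cisco's documentation or product code) models the %USERNAME% substitution described in Step 7 of both the "To Configure LDAP Authentication" and "To Configure the LDAP then MeetingPlace Authentication" procedures, and audits a list of user IDs before LDAP authentication is enabled. It flags IDs containing characters that RFC 4514 requires to be escaped in a DN value, IDs that match a profile only when case is ignored, and IDs with no Cisco Unified MeetingPlace profile. The function names, the sample IDs, and the assumption that the replacement is a literal one with no escaping are made for the illustration.

```python
# Added example: audit user IDs against the LDAP DN template before enabling
# LDAP authentication. All user IDs below are constructed sample data.

TEMPLATE = "CN=%USERNAME%, OU=People, DC=mydomain, DC=com"  # example from the guide
TOKEN = "%USERNAME%"  # case-sensitive: the token must be all upper case

# Characters RFC 4514 requires to be escaped inside a DN attribute value.
DN_SPECIALS = set(',+"\\<>;')


def expand_dn(template, username):
    """Literal replacement of the token (assumption: no escaping is applied)."""
    if TOKEN not in template:
        raise ValueError("template does not contain %USERNAME% in upper case")
    return template.replace(TOKEN, username)


def dn_unsafe_reasons(username):
    """Return reasons why a literal substitution would not yield the intended DN."""
    if not username:
        return ["empty user ID"]
    reasons = []
    if username[0] in " #" or username[-1] == " ":
        reasons.append("leading space or '#', or trailing space")
    found = sorted(set(username) & DN_SPECIALS)
    if found:
        reasons.append("DN special characters: " + " ".join(found))
    if "\x00" in username:
        reasons.append("NUL character")
    return reasons


def audit(template, directory_ids, profile_ids):
    """Classify each directory user ID for LDAP authentication readiness."""
    expand_dn(template, "probe")  # fails fast on a mistyped token
    exact = set(profile_ids)
    by_lower = {}
    for pid in profile_ids:
        by_lower.setdefault(pid.lower(), []).append(pid)

    report = {"ok": [], "dn_unsafe": {}, "case_mismatch": {}, "no_profile": []}
    for uid in directory_ids:
        reasons = dn_unsafe_reasons(uid)
        if reasons:
            # The expanded DN would not be a single CN under the one container.
            report["dn_unsafe"][uid] = reasons
        elif uid in exact:
            report["ok"].append(uid)
        elif uid.lower() in by_lower:
            # Profile IDs are case-sensitive; the guide recommends lowercase.
            report["case_mismatch"][uid] = by_lower[uid.lower()]
        else:
            # Authenticated by LDAP, but no matching MeetingPlace profile.
            report["no_profile"].append(uid)
    return report


SAMPLE_DIRECTORY_IDS = ["jsmith", "MLee", "obrien,k", "contractor1", " pat"]
SAMPLE_PROFILE_IDS = ["jsmith", "mlee", "guest7"]

if __name__ == "__main__":
    print(expand_dn(TEMPLATE, "jsmith"))
    result = audit(TEMPLATE, SAMPLE_DIRECTORY_IDS, SAMPLE_PROFILE_IDS)
    for category, items in result.items():
        print(category, items)
```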


To Verify the LDAP then MeetingPlace Authentication Configuration by Using the Web Page Form

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

You can log in with your LDAP password.

You cannot log in without a password.

If you have a Cisco Unified MeetingPlace profile, you can log in and schedule meetings.

If you do not have a Cisco Unified MeetingPlace profile, you can only attend and search public meetings.


To Verify the LDAP then MeetingPlace Authentication Configuration by Using the HTTP Form

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

You can log in with your LDAP password.

You cannot log in without a password.

If you have a Cisco Unified MeetingPlace profile, you can log in and schedule meetings.

This option does not allow you to log in to Cisco Unified MeetingPlace as a guest, that is, without a Cisco Unified MeetingPlace profile.


About Trust External Authentication

Trust External Authentication covers a broad range of enterprise security software that provides functions such as authentication, resource access authorization, Single Sign-On (SSO), and intrusion detection. Typically, this software protects your web server by installing a DLL plug-in into the web server service, for example IIS. This DLL plug-in, also called an ISAPI filter, intercepts user login credentials and passes them to a corporate authentication and authorization server. The software must be able to output user IDs in the HTTP header so that they can be passed to Cisco Unified MeetingPlace for authentication.


Note User IDs in the Cisco Unified MeetingPlace profile database are case sensitive. Users cannot log in to Cisco Unified MeetingPlace as guests after you have configured this authentication mode.


Before configuring this authentication mode, make sure that you read the following terms of agreement:

Terms for Single Sign On Software Integration, page 1-7

Terms of Support for Single Sign On Software Integration, page 1-8

Restrictions

When configuring Trust External authentication, make sure that the following directories are not protected by SSO:

/mpweb/scripts/public/

/mpweb/extensions/

Protecting these directories will prevent Cisco Unified MeetingPlace Web Conferencing from functioning properly.

See the following procedures:

To Configure Trust External Authentication

To Verify the Trust External Authentication Configuration

To Configure Trust External Authentication

When user IDs are sent to the Cisco Unified MeetingPlace Audio Server, Web Conferencing can apply a transformation to them.

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section before beginning this procedure.


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin, then click Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll down to the Web Authentication section.

Step 5 For "Step 1: Directory," choose Trust External Authentication.

Step 6 For "HTTP Header Containing Username," enter an appropriate value for an external service, such as HTTP_SM_USER for SiteMinder.

Step 7 For "Username Conversion Function," choose how you want user names transformed. None applies no transformation to the original user ID string.

Step 8 Click Submit and wait five minutes for the new configuration to take effect.

Step 9 (Optional) If you want to verify your configuration, proceed to the "To Verify the Trust External Authentication Configuration" procedure.


To Verify the Trust External Authentication Configuration

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open your web browser and navigate to the Cisco Unified MeetingPlace Web Conferencing home page.

Step 2 Verify the following end-user behaviors:

Using a SiteMinder environment, you are immediately authenticated to MeetingPlace with your SiteMinder user ID and password.

If you have a Cisco Unified MeetingPlace profile, you can log in with your SiteMinder password and schedule meetings.


About HTTP Basic Authentication (Domain)

The HTTP basic authentication method is a widely used industry-standard method for collecting user ID and password information. It works as follows:

1. Users are prompted by a pop-up login window that is rendered by their web browser.

2. Users enter valid domain user IDs and passwords. Cisco Unified MeetingPlace profile passwords are ignored and not used in the authentication operation.

3. If the web servers accept the login credentials and the user IDs also exist in Cisco Unified MeetingPlace profile databases, users are logged in automatically to Cisco Unified MeetingPlace and are granted access to the Cisco Unified MeetingPlace home page.


Note Cisco Unified MeetingPlace profile user IDs are case sensitive and must match the domain user ID of the user. If you choose this authentication mode, users cannot log in to Cisco Unified MeetingPlace as guests.


The advantage of HTTP Basic Authentication is that it is part of the HTTP specification and is supported by most browsers. The disadvantage is that the password is only Base64 encoded before being sent over the network. Because Base64 is an encoding and not encryption, it can be easily decoded. You can mitigate this security risk by implementing Secure Sockets Layer (SSL) on the web server.
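
As an added illustration (not part of Cisco's documentation), the following check parses constructed HTTP requests and reports any HTTP Basic credentials that travelled without SSL, showing that Base64 decoding alone recovers the user ID and password. The function names and sample requests are assumptions; abc.company.com is the example host name used later in this chapter.

```python
# Added example: flag HTTP Basic credentials sent without SSL.
# The requests below are constructed sample data, not captured traffic.
import base64
import binascii


def parse_basic_header(value):
    """Return (user_id, password) from an Authorization header value, else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user_id, sep, password = decoded.partition(":")
    return (user_id, password) if sep else None


def cleartext_basic_findings(requests):
    """requests: iterable of (url_scheme, raw_request). Report Basic auth over http."""
    findings = []
    for url_scheme, raw in requests:
        header_block = raw.split("\r\n\r\n", 1)[0]
        request_line, *header_lines = header_block.split("\r\n")
        for line in header_lines:
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            creds = parse_basic_header(value)
            if creds and url_scheme.lower() == "http":
                findings.append({
                    "request": request_line,
                    "user_id": creds[0],
                    # Report the length only; the password itself is not kept.
                    "password_length": len(creds[1]),
                })
    return findings


def make_request(auth_value):
    """Build a constructed request carrying the given Authorization value."""
    return (
        "GET / HTTP/1.1\r\n"
        "Host: abc.company.com\r\n"
        "Authorization: " + auth_value + "\r\n\r\n"
    )


SAMPLE_TOKEN = base64.b64encode(b"jsmith:example-password").decode("ascii")
SAMPLE_REQUESTS = [
    ("http", make_request("Basic " + SAMPLE_TOKEN)),       # readable on the wire
    ("https", make_request("Basic " + SAMPLE_TOKEN)),      # protected by SSL
    ("http", make_request("Negotiate constructed-token")),  # not Basic
]

if __name__ == "__main__":
    for finding in cleartext_basic_findings(SAMPLE_REQUESTS):
        print(finding)
```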

See the following procedures:

To Configure HTTP Basic Authentication (Domain)

To Verify the HTTP Basic Authentication (Domain) Configuration

To Configure HTTP Basic Authentication (Domain)

This option restricts users from logging in to Cisco Unified MeetingPlace as guest users. All users must have Cisco Unified MeetingPlace profiles.

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section before beginning this procedure.


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin, then click Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll down to the Web Authentication section.

Step 5 For "Step 1: Directory," choose HTTP Basic Authentication (Domain).

"Step 2: Login Method" is automatically set to HTTP Basic Authentication and cannot be changed.

Step 6 Click Submit and wait five minutes for the new configuration to take effect.

Step 7 (Optional) To verify your configuration, see the "To Verify the HTTP Basic Authentication (Domain) Configuration" procedure.


To Verify the HTTP Basic Authentication (Domain) Configuration

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

You see an Enter Network Password dialog when accessing the home page.

If you have a local account on the Windows server and a matching profile user ID, you are authenticated to the Audio Server when you enter your domain user ID and password.

If you have a Cisco Unified MeetingPlace profile, your name appears on the Welcome page as firstname, lastname and the Sign In link no longer displays.

You can only log in to Cisco Unified MeetingPlace if you are authenticated by the Cisco Unified MeetingPlace web server.

In IIS, the MPWeb/Scripts folder is set to Basic Authentication.


About Windows Integrated Authentication

Windows Integrated Authentication (WIA) uses an algorithm to generate a hash based on the credentials and computers that users are using. WIA then sends this hash to the server; user passwords are not sent to the server.

If WIA fails for some reason, such as improper user credentials, users are prompted by their browsers to enter their user IDs and passwords. The Windows logon credentials are encrypted before being passed from the client to the web server.


Note You can configure Internet Explorer version 4.0 or later versions to initially prompt for user information if needed. For more information, see the Internet Explorer documentation.


Although Windows Integrated Authentication (WIA) is secure, it does have the following limitations:

Only Microsoft Internet Explorer version 4.0 or later versions support this authentication method.

WIA does not work across proxy servers or other firewall applications.

WIA works only under the browser Intranet Zone connections and for any trusted sites you have configured.

Therefore, WIA is best suited for an intranet environment where both users and the web server are in the same domain and where administrators can ensure that every user has Microsoft Internet Explorer. The web server must be in a Windows domain.

To further ensure or verify that your network supports WIA, refer to Microsoft online documentation.

Login Behavior with Windows Integrated Authentication

The following describes the login behavior when using WIA:

Users log in to their workstations by using their Windows NT domain accounts.

If their NT account user IDs also exist in the Cisco Unified MeetingPlace profile database, users are automatically logged in to Cisco Unified MeetingPlace and granted access to the home page. Cisco Unified MeetingPlace profile passwords are ignored and not used in the SSO operation.

The home page does not have Sign In links to the HTML-based login form because users are already logged in through the SSO process. For SSO terms of agreement, see the "Terms for Single Sign On Software Integration" section on page 1-7 and the "Terms of Support for Single Sign On Software Integration" section on page 1-8.

If their NT account user IDs do not match any user IDs in the Cisco Unified MeetingPlace directory, users see the Cisco Unified MeetingPlace Web Conferencing home page, but with Sign In links to the HTML-based login form. Users must then enter valid Cisco Unified MeetingPlace user IDs and passwords.


Note Cisco Unified MeetingPlace user IDs are case sensitive. Web Conferencing converts case from lower case to upper case and vice versa automatically. However, if you are using a segmented meeting access configuration with one server (SMA-1S), case conversion affects the internal server only.


The following describes the login behavior when WIA does not work properly:

Users see a popup window prompting them for their Cisco Unified MeetingPlace user IDs and passwords.

If their credentials are authenticated in the Cisco Unified MeetingPlace directory, users see the Cisco Unified MeetingPlace home page.

If authentication fails, users are prompted continually for their valid login credentials.

See the following procedures:

To Configure Windows Integrated Authentication

To Verify the Windows Integrated Authentication Configuration

To Configure Windows Integrated Authentication

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section before beginning this procedure.

Note the following restrictions:

Users must have local accounts on Windows servers with matching profile user IDs.

Only Microsoft Internet Explorer version 4.0 or later supports this authentication method.

WIA works only under the browser Intranet Zone connections.

WIA does not work across proxy servers or other firewall applications.

You cannot have any dots in your URL. Using an IP address or FQDN causes users to be prompted for login credentials.


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin, then click Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll down to the Web Authentication section.

Step 5 For "Step 1: Directory," choose Windows Integrated Authentication.

"Step 2: Login Method" is automatically set to HTTP Basic Authentication and cannot be changed.

Step 6 Click Submit and wait five minutes for the new configuration to take effect.

Step 7 (Optional) To verify your configuration, see the "To Verify the Windows Integrated Authentication Configuration" procedure.


To Verify the Windows Integrated Authentication Configuration

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

If you are on the same domain, you are immediately authenticated to the web server and see the Welcome page with your name displayed in firstname, lastname order. The Sign In link does not display.

If you are on a different domain, you see an Enter Network Password window that includes the Domain field.

If you are on a different domain, enter your Windows NT account user ID and password. You are then authenticated to the Cisco Unified MeetingPlace web server and see the Welcome page with your name displayed in firstname, lastname order. The Sign In link does not display.

Only users authenticated by the web server can log in.

In IIS, the MPWeb/Scripts folder is set to Integrated Windows Authentication.


Troubleshooting Tips

If you configured your web server hostname by using an IP address or FQDN, you will be prompted for your Windows login information even if you log in by using your domain Windows account.

For a workaround to this problem, see the "Troubleshooting Problems with Improper Functionality of Windows Authentication" section.

For information about configuring your web server hostname, see the "Configuring the Web Server" section on page 2-29.

Troubleshooting Problems with Improper Functionality of Windows Authentication

If the server name in a URL request to the web server contains any periods, such as the dots in an IP address or a FQDN, the request is automatically routed to Internet Explorer's Internet Zone. Internet Explorer's default Internet Zone is configured to not pass Windows credentials to the web server.

Consequently, if you configured Windows authentication but used an IP address or FQDN when setting your web server Host Name parameter in the "Configuring the Web Server" section on page 2-29, Internet Explorer prompts you for your Windows login information when you try to access Cisco Unified MeetingPlace Web Conferencing even if you are already logged on to your computer with your domain Windows account.

The following procedures provide instructions for two workarounds for this issue:

To Add the URL String to Internet Explorer's Trusted Zone

To Modify Internet Explorer's Internet Zone to Automatically Pass Windows Credentials and Log Users Into a Website

We recommend that you use the workaround provided in the "To Add the URL String to Internet Explorer's Trusted Zone" procedure.

To Add the URL String to Internet Explorer's Trusted Zone

This is the preferred method for working around Internet Explorer's Internet Zone configuration.


Caution If you choose this workaround, you must apply this change to all end user computers.

Step 1 Open Internet Explorer. From Tools > Internet Options, click the Security tab.

Step 2 From the Security tab, click Trusted Zone.

Step 3 Click Edit.

Step 4 From the Trusted Sites window, add the URL of your web server.

For example, if you set your web server Hostname parameter to abc.company.com, then enter http://abc.company.com in the list of trusted websites and click Add.

Step 5 Click OK.


To Modify Internet Explorer's Internet Zone to Automatically Pass Windows Credentials and Log Users Into a Website


Caution If you choose this workaround, you must apply this change to all end user computers.

Step 1 Open Internet Explorer. From Tools > Internet Options, click the Security tab.

Step 2 From the Security tab, click Internet Zone, then click Custom Level.

Step 3 From the Security Settings window, scroll to the bottom to the User Authentication section.

Step 4 For Logon, click Authenticate Logon with Current Username and Password.

Step 5 Click OK.