Configuration and Maintenance Guide for MeetingPlace 7.1
Configuring User Authentication for Cisco Unified MeetingPlace Web Conferencing

Table Of Contents

Configuring User Authentication for Cisco Unified MeetingPlace Web Conferencing

About User Authentication in Cisco Unified MeetingPlace Web Conferencing

User Authentication Options in Cisco Unified MeetingPlace Web Conferencing

Restrictions: User Authentication and Load Balancing

How to Configure MeetingPlace Authentication

Configuring MeetingPlace Authentication

Verifying the MeetingPlace Authentication Configuration by Using the HTTP Form

How to Configure LDAP Authentication

Configuring LDAP Authentication

Verifying the LDAP Authentication Configuration by Using the Web Page Form

Verifying the LDAP Authentication Configuration by Using the HTTP Form

How to Configure LDAP then MeetingPlace Authentication

Prerequisites for Configuring LDAP Then MeetingPlace Authentication

Configuring the LDAP Then MeetingPlace Authentication

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the Web Page Form

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the HTTP Form

How to Configure Trust External Authentication

Terms for Single Sign On Software Integration

Terms of Support for Single Sign On Software Integration

Restrictions for Configuring Trust External Authentication

Configuring Trust External Authentication

Verifying the Trust External Authentication Configuration

How to Configure HTTP Basic Authentication (Domain)

Configuring HTTP Basic Authentication (Domain)

Verifying the HTTP Basic Authentication (Domain) Configuration

How to Configure Windows Integrated Authentication

Windows Integrated Authentication

Login Behavior with Windows Integrated Authentication

Configuring Windows Integrated Authentication

Verifying the Windows Integrated Authentication Configuration

Configuring SiteMinder for Use With Cisco Unified MeetingPlace Web Conferencing

Accessing Cisco Unified MeetingPlace Web Conferencing When Locked-Out Due to Incorrect User Authentication Setup


Configuring User Authentication for Cisco Unified MeetingPlace Web Conferencing


Release 7.1
Revised: April 3, 2011 8:30 pm

About User Authentication in Cisco Unified MeetingPlace Web Conferencing

How to Configure MeetingPlace Authentication

How to Configure LDAP Authentication

How to Configure LDAP then MeetingPlace Authentication

How to Configure Trust External Authentication

How to Configure HTTP Basic Authentication (Domain)

How to Configure Windows Integrated Authentication

Accessing Cisco Unified MeetingPlace Web Conferencing When Locked-Out Due to Incorrect User Authentication Setup

About User Authentication in Cisco Unified MeetingPlace Web Conferencing

By default, the web conferencing application prompts users for login credentials with an HTML web form and authenticates them against the Cisco Unified MeetingPlace user profile database. You can instead authenticate users against third-party authentication software, which changes the login experience, the user database that is consulted, or both.

User Authentication Options in Cisco Unified MeetingPlace Web Conferencing

Restrictions: User Authentication and Load Balancing

User Authentication Options in Cisco Unified MeetingPlace Web Conferencing

Cisco Unified MeetingPlace Web Conferencing provides the following authentication configuration options:

HTTP Basic Authentication (Domain)

LDAP

LDAP, then MeetingPlace

MeetingPlace

Trust External Authentication

Windows Integrated Authentication

Integration with third-party authentication software can provide the following benefits:

Centralized user database—Facilitates profile management.

Single Sign-On (SSO)—Allows users who have already been authenticated once to have access to all resources and applications on the network without having to re-enter their credentials.

For SSO to work, you must ensure that Cisco Unified MeetingPlace user IDs are set up so that they match the corresponding user IDs used by the third-party authentication software. You can configure Web Conferencing to automatically convert case so that Cisco Unified MeetingPlace user IDs and corresponding user IDs used by third-party authentication software match.


Note While all authentication methods can be applied to internal or external servers, some authentication methods may not make sense for a DMZ environment. For more information about web conferencing support for DMZ environments, see the Configuring External Access to Cisco Unified MeetingPlace Web Conferencing module.


Restrictions: User Authentication and Load Balancing

In a Cisco Unified MeetingPlace load-balancing cluster, all users must enter the Cisco Unified MeetingPlace system through a designated Cisco Unified MeetingPlace Web Server. In such circumstances, you only need to configure the designated Web Server for your chosen authentication method. You can configure all other Web Servers in the cluster to use the default authentication method—MeetingPlace Web Form Authentication.

If, however, you want to configure other Web Servers in the cluster to use the same authentication method as a failover strategy, you can. Depending on the type of authentication method used though, this configuration can result in undesirable SSO behaviors.

For example, if you configure HTTP Basic Authentication or Windows Integrated Authentication, Cisco Unified MeetingPlace prompts users for login credentials each time there is a Web Server redirect, because each redirect to an active Web Server through a DNS change changes the hostname against which the browser authenticated. If you configure LDAP or MeetingPlace authentication, users are not prompted again for login credentials during a web conferencing redirect.

How to Configure MeetingPlace Authentication

Authenticating users against the profile database on the Cisco Unified MeetingPlace Application Server is the default user authentication option. You have two options when configuring this type of authentication:

Logging in with an HTML-based web page form. This is the default option.

Logging in against a login window rendered by your web browser.

Regardless of the login page users see, the user ID and password are sent to the Cisco Unified MeetingPlace Application Server for authentication. Both the user ID and the password must match the profile. User IDs are not case-sensitive.

Configuring MeetingPlace Authentication

Verifying the MeetingPlace Authentication Configuration by Using the HTTP Form

Configuring MeetingPlace Authentication

Before You Begin

Read the "Restrictions: User Authentication and Load Balancing" section.

Procedure


Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Select the name of the Web Server that you want to configure in the "View" section of the page.

Step 5 Scroll to the Web Authentication section.

Step 6 Select MeetingPlace for "Step 1: Directory".

Step 7 Select one of the following options for "Step 2: Login Method":

Select Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window. This is the default authentication method.

Select HTTP Basic Authentication to see a login window rendered by your web browser.

Step 8 Select Submit and wait five minutes for the new configuration to take effect.


What to Do Next

(Optional) Proceed to the "Verifying the MeetingPlace Authentication Configuration by Using the HTTP Form" section.

Verifying the MeetingPlace Authentication Configuration by Using the HTTP Form

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Before You Begin

Complete the "Configuring MeetingPlace Authentication" section.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace.

Step 2 Verify the following end-user behaviors:

When you access the Cisco Unified MeetingPlace home page, you see an Enter Network Password window.

After you enter your end-user Cisco Unified MeetingPlace user ID and password, you are authenticated to the Cisco Unified MeetingPlace Application Server.

The Welcome page displays your name in firstname, lastname order.

Sign In and Sign Out links do not display.


How to Configure LDAP Authentication

LDAP authentication compares user login information against the profile database on an LDAPv2-compliant directory server. After users are authenticated by the LDAP server, they are automatically logged in to Cisco Unified MeetingPlace as long as their LDAP user IDs also exist in Cisco Unified MeetingPlace. You can also authenticate users against a multiple LDAP forest configuration.

With LDAP authentication, the following restrictions apply:

Cisco Unified MeetingPlace Web Conferencing supports only unencrypted LDAP, that is, queries to the LDAP server are in clear text.

Users cannot log in with their Cisco Unified MeetingPlace passwords; only the LDAP password for the user name is accepted.

LDAP profiles are used for authentication; Cisco Unified MeetingPlace profile passwords are ignored.

Cisco Unified MeetingPlace enforces e-mail format validation when you have LDAP synchronization configured. If an e-mail address for a particular user does not conform to the standard e-mail format, the user is skipped during the LDAP synchronization process and not imported into the MeetingPlace database.

Standard e-mail format expression: ^([\w-_.'])*\w+@([\da-zA-Z-]+\.)+[\da-zA-Z]{2,6}$


Note To authenticate the web conferencing application against the LDAP server, make sure that the LDAP server directory is designed to have all users in one container rather than broken into multiple containers (each representing a child OU).


Configuring LDAP Authentication

Verifying the LDAP Authentication Configuration by Using the Web Page Form

Verifying the LDAP Authentication Configuration by Using the HTTP Form

Configuring LDAP Authentication

Before You Begin

Read the "Restrictions: User Authentication and Load Balancing" section.

Procedure


Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Select the name of the Web Server that you want to configure in the "View" section of the page.

Step 5 Scroll to the Web Authentication section.

Step 6 Select LDAP for "Step 1: Directory".

Step 7 Enter the LDAP hostname in the field provided.

Example: ldap.domain.com

Step 8 Enter the Distinguished Name (DN) information for your directory in the field provided noting the following considerations:

Cisco Unified MeetingPlace user profile login names are limited to 17 characters; therefore, the user ID matched in LDAP must be 17 characters or fewer.

You can enter only one value in the LDAP Distinguished Name (DN) field. If your users are segregated into multiple organizational units (OUs), a single fixed DN cannot cover them all; work around this by having users log in in DOMAIN\USER or user@ou.domain.com form and entering just %USERNAME% in the DN field, without an OU, DC, or other parameter, so that the name is passed to the LDAP server as the user typed it.


Note All users in the LDAP server directory must be in one container rather than broken into multiple containers each representing a child OU.


%USERNAME% is the username that the user enters when logging in.

Before sending the request to the LDAP server %USERNAME% is replaced with the username that the user enters in the login username field. No additional modifications are made to the DN value.

The %USERNAME% token is case-sensitive and must be entered in all upper case; %username% is not recognized.

If you match any of the following circumstances, leave the DN field blank (empty) instead of entering %USERNAME%:

You are authenticating against a multiple LDAP forest configuration. A single fixed value such as CN=%USERNAME%, OU=People, DC=mydomain, DC=com cannot cover more than one forest.

The LDAP server you are using is the LDAP interface on a Microsoft Active Directory server. If this is the case, you must leave the DN field blank (empty) for authentication to work. When configured in this manner, the format of the user names that users enter must be DOMAIN\USER or user@ou.domain.com.

You want user passwords sent in protected form (that is, not as clear text). Entering a value in the DN field sends passwords as clear text.


Note If you choose to enter a value in the DN field, it is your responsibility to establish a secure connection between the Cisco Unified MeetingPlace web server and the LDAP server. This is not the same as enabling SSL on the web server: the SSL feature in Cisco Unified MeetingPlace protects traffic between the client and the web server only. The path between the web server and the LDAP server must be secured separately, because the web conferencing application itself sends LDAP traffic unencrypted (see the restrictions above).


Consult your LDAP expert for your DN information.

Step 9 Select how you want user names transformed for "Username Conversion Function."

Selecting None applies no transformation to the original user ID string.

Step 10 Select one of the following for "Step 2: Login Method."

Select Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window.

Select HTTP Basic Authentication to see a login window rendered by your web browser.

Step 11 Select Submit and wait five minutes for the new configuration to take effect.


Troubleshooting Tips

If you chose HTTP Basic Authentication as your login method, restart the Cisco Unified MeetingPlace Web Conferencing service after configuring your LDAP authentication. If you do not, users who change their passwords in LDAP will be able to log in to Cisco Unified MeetingPlace by using both their old and new passwords until the Cisco Unified MeetingPlace Web Conferencing service is restarted or after approximately 60 minutes.


Note When you restart the web server, all manual changes made to the registry are lost.


What to Do Next

Based on your configuration, proceed to one of the following topics:

Verifying the LDAP Authentication Configuration by Using the Web Page Form

Verifying the LDAP Authentication Configuration by Using the HTTP Form

Verifying the LDAP Authentication Configuration by Using the Web Page Form

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Before You Begin

Complete the "Configuring LDAP Authentication" section.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace.

Step 2 Verify the following end-user behaviors:

If you have a Cisco Unified MeetingPlace profile, you can log in with your LDAP password.

You cannot log in as a profiled user without a password.


Related Topics

Configuring LDAP Authentication

Verifying the LDAP Authentication Configuration by Using the HTTP Form

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Before You Begin

Complete the "Configuring LDAP Authentication" section.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace.

Step 2 Verify the following end-user behaviors:

When you access the Cisco Unified MeetingPlace home page, you see an Enter Network Password window.

After you enter your LDAP profile user ID and password, you are authenticated to the Cisco Unified MeetingPlace Application Server.

The Welcome page displays your name in firstname, lastname order.

Sign In and Sign Out links do not display.


Related Topics

Configuring LDAP Authentication

How to Configure LDAP then MeetingPlace Authentication

This authentication mode attempts to authenticate users against two directories if the need arises. When users first log in, they are authenticated against the LDAP directory. If this authentication fails, the login information is sent to the Cisco Unified MeetingPlace Application Server for a possible match. This behavior allows a company to give non-LDAP users, such as guests or contractors, access to Cisco Unified MeetingPlace.


Note Cisco Unified MeetingPlace enforces e-mail format validation when you have LDAP synchronization configured. If an e-mail address for a particular user does not conform to the standard e-mail format, the user is skipped during the LDAP synchronization process and not imported into the MeetingPlace database. Standard email addresses are in the form user@domain. User is limited to upper and lower case alphanumeric characters and period (dot), dash, and underscore. Domain is limited to alphanumeric characters and period (dot) and dash (no underscore). No spaces are permitted.
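The format check described in the Note above, and the pattern listed under the restrictions for LDAP authentication, applied to a constructed set of directory entries so that you can see which users a synchronization run would skip before it happens. This is an added example, not code from the Cisco product or its documentation. The published pattern is used as the reference; note that it permits an apostrophe in the local part, which the prose description above does not mention. The sample entries are constructed, and one character in the pattern is escaped for Python as the comment explains.

```python
"""Apply the e-mail format check that Cisco Unified MeetingPlace LDAP synchronization
uses, and report which directory entries would be skipped.  Added example; this is not
code from the Cisco product or its documentation."""
import re

# The pattern published in this chapter, with one adjustment: Python rejects "\w-_"
# inside a character class as a malformed range, so the hyphen is escaped as "\-".
# The set of accepted characters is unchanged: word characters, hyphen, underscore,
# period and apostrophe in the local part; letters, digits and hyphens in the domain.
SYNC_EMAIL_RE = re.compile(r"^([\w\-_.'])*\w+@([\da-zA-Z-]+\.)+[\da-zA-Z]{2,6}$")


def is_valid_sync_email(address: str) -> bool:
    """True if LDAP synchronization would accept this address."""
    return SYNC_EMAIL_RE.fullmatch(address) is not None


def partition_entries(entries):
    """Split directory entries into (imported, skipped) as synchronization would.

    Each entry is a dict with at least "uid"; a missing "mail" attribute is treated
    as an empty string and therefore skipped.
    """
    imported, skipped = [], []
    for entry in entries:
        target = imported if is_valid_sync_email(entry.get("mail", "")) else skipped
        target.append(entry)
    return imported, skipped


# Constructed sample entries (not real directory data)
SAMPLE_ENTRIES = [
    {"uid": "jdoe", "mail": "john.doe@example.com"},
    {"uid": "asmith", "mail": "a_smith-2@corp.example.co.uk"},
    {"uid": "obrien", "mail": "o'brien@example.org"},         # apostrophe allowed by pattern
    {"uid": "contractor1", "mail": "bob smith@example.com"},   # space: skipped
    {"uid": "legacy", "mail": "legacy@example"},               # no top-level domain: skipped
    {"uid": "nomail"},                                         # attribute missing: skipped
    {"uid": "museum", "mail": "x@example.museumx"},            # TLD longer than 6: skipped
    {"uid": "under", "mail": "u@my_domain.com"},               # underscore in domain: skipped
]

if __name__ == "__main__":
    ok, dropped = partition_entries(SAMPLE_ENTRIES)
    print("would import:", [e["uid"] for e in ok])
    print("would skip:  ", [e["uid"] for e in dropped])
```

Feed the function the `mail` attribute of every user you expect to synchronize; any entry in the skipped list will silently fail to appear in the MeetingPlace database until its address is corrected in the directory.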


Prerequisites for Configuring LDAP Then MeetingPlace Authentication

Configuring the LDAP Then MeetingPlace Authentication

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the Web Page Form

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the HTTP Form

Prerequisites for Configuring LDAP Then MeetingPlace Authentication

To authenticate Cisco Unified MeetingPlace Web Conferencing against the LDAP server, make sure that the LDAP server directory is designed to have all users in one container rather than broken into multiple containers (each representing a child OU).

If a match is made in the LDAP database, the user must provide the proper LDAP password. Three attempts with the incorrect password will lock the LDAP profile of the user.

Only users who are not found in the LDAP directory are eligible for authentication through the Cisco Unified MeetingPlace directory.

User IDs in the Cisco Unified MeetingPlace profile database are not case-sensitive.

Related Topics

How to Configure LDAP then MeetingPlace Authentication

Configuring the LDAP Then MeetingPlace Authentication

Before You Begin

Read the "Restrictions: User Authentication and Load Balancing" section.

Procedure


Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Select the name of the Web Server that you want to configure in the "View" section of the page.

Step 5 Scroll to the Web Authentication section.

Step 6 Select LDAP, then MeetingPlace for "Step 1: Directory".

Step 7 Enter the LDAP hostname in the field provided.

Example: ldap.domain.com

Step 8 Enter the Distinguished Name (DN) information for your directory in the field provided noting the following considerations:

Cisco Unified MeetingPlace user profile login names are limited to 17 characters; therefore, the user ID matched in LDAP must be 17 characters or fewer.

You can enter only one value in the LDAP Distinguished Name (DN) field. If your users are segregated into multiple organizational units (OUs), work around this by having users log in in DOMAIN\USER or user@ou.domain.com form and entering just %USERNAME% in the DN field, without an OU, DC, or other parameter.

If any of the following apply, leave the DN field blank (empty) instead of entering %USERNAME%:

You are authenticating against a multiple LDAP forest configuration. A single fixed value such as CN=%USERNAME%, OU=People, DC=mydomain, DC=com cannot cover more than one forest.

The LDAP server you are using is the LDAP interface on a Microsoft Active Directory server. If this is the case, you must leave the DN field blank for authentication to work. When configured in this manner, the format of the user names that users enter must be DOMAIN\USER or user@ou.domain.com.

You want user passwords sent in protected form (that is, not as clear text). Entering a value in the DN field sends passwords as clear text.


Note If you choose to enter a value in the DN field, it is your responsibility to establish a secure connection between the Cisco Unified MeetingPlace web server and the LDAP server. This is not the same as enabling SSL on the web server: the SSL feature in Cisco Unified MeetingPlace protects traffic between the client and the web server only. The path between the web server and the LDAP server must be secured separately, because the web conferencing application itself sends LDAP traffic unencrypted.


Consult your LDAP expert for your DN information.

Step 9 Select how you want user names transformed for "Username Conversion Function."

Selecting None applies no transformation to the original user ID string.

Step 10 Select one of the following for "Step 2: Login Method":

Select Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window.

Select HTTP Basic Authentication to see a login window rendered by your web browser.

Step 11 Select Submit and wait five minutes for the new configuration to take effect.
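The Step 8 and Step 9 rules of this procedure (and of the identical steps under "Configuring LDAP Authentication") modelled as a small function, so that you can see what name will reach the LDAP server and whether the password leaves the web server in clear text before you submit the page. This is an added example, not Cisco code. The conversion names "none", "upper" and "lower", the regular expressions used to recognize DOMAIN\USER and user@ou.domain.com forms, and the messages collected in "problems" are assumptions made here for illustration; the substitution, the 17-character limit, the upper-case token requirement and the clear-text rule are taken from the text above.

```python
"""Model how the Web Server derives the LDAP bind identity from the Distinguished Name
field and the name a user types, following the rules in Steps 8 and 9 above.  Added
example; not Cisco code.  The conversion names "none", "upper" and "lower", the name
form patterns and the checks reported in "problems" are assumptions for illustration."""
import re

MAX_PROFILE_ID_LEN = 17          # Cisco Unified MeetingPlace profile login name limit
USERNAME_TOKEN = "%USERNAME%"    # the token is case-sensitive: upper case only

# Name forms that Active Directory accepts when the DN field is left blank (assumed patterns)
DOMAIN_USER_RE = re.compile(r"^[^\\/@\s]+\\[^\\/@\s]+$")   # DOMAIN\USER
UPN_RE = re.compile(r"^[^\\/@\s]+@[^\\/@\s]+$")            # user@ou.domain.com


def convert_username(entered: str, conversion: str) -> str:
    """Apply the 'Username Conversion Function' selected in Step 9."""
    if conversion == "none":
        return entered
    if conversion == "upper":
        return entered.upper()
    if conversion == "lower":
        return entered.lower()
    raise ValueError(f"unknown conversion {conversion!r}")


def build_bind_identity(dn_field: str, entered: str, conversion: str = "none") -> dict:
    """Return the name sent to the LDAP server plus anything a reviewer should notice."""
    username = convert_username(entered, conversion)
    problems = []
    if len(username) > MAX_PROFILE_ID_LEN:
        problems.append(f"user ID exceeds {MAX_PROFILE_ID_LEN} characters and cannot match a profile")

    if dn_field == "":
        # Blank DN: the name goes to the LDAP server exactly as typed, which is what
        # Active Directory and multiple-forest configurations require.
        bind_name = username
        if not (DOMAIN_USER_RE.match(username) or UPN_RE.match(username)):
            problems.append("blank DN field requires DOMAIN\\USER or user@ou.domain.com form")
        password_in_clear_text = False   # per the chapter: blank DN keeps the password protected
    else:
        if USERNAME_TOKEN not in dn_field:
            if re.search(re.escape(USERNAME_TOKEN), dn_field, re.IGNORECASE):
                problems.append("%USERNAME% token must be in upper case to be substituted")
            else:
                problems.append("DN field lacks %USERNAME%; every user would bind with the same DN")
        # Straight textual substitution; no other modification is made to the DN value.
        bind_name = dn_field.replace(USERNAME_TOKEN, username)
        password_in_clear_text = True    # per the chapter: a non-empty DN sends the password in clear text

    return {"bind_name": bind_name,
            "password_in_clear_text": password_in_clear_text,
            "problems": problems}


if __name__ == "__main__":
    for dn, name, conv in [
        ("CN=%USERNAME%, OU=People, DC=mydomain, DC=com", "jdoe", "none"),
        ("%USERNAME%", "CORP\\JDoe", "lower"),
        ("", "jdoe@ou.mydomain.com", "none"),
        ("", "jdoe", "none"),
    ]:
        print(f"{dn!r:48} {name!r:24} -> {build_bind_identity(dn, name, conv)}")
```

The "password_in_clear_text" flag is the one to check against the Note above: whenever it is true for your intended DN value, the web server-to-LDAP path must already be secured before the configuration goes live.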


What to Do Next

Based on your configuration, proceed to one of the following topics:

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the Web Page Form

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the HTTP Form

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the Web Page Form

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Before You Begin

Complete the "Configuring the LDAP Then MeetingPlace Authentication" section.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace.

Step 2 Verify the following end-user behaviors:

You can log in with your LDAP password.

You cannot log in without a password.

If you have a Cisco Unified MeetingPlace profile, you can log in and schedule meetings.

If you do not have a Cisco Unified MeetingPlace profile, you can only attend and search public meetings.


Related Topics

How to Resolve Authentication Problems in the Troubleshooting Cisco Unified MeetingPlace Web Conferencing module.

Verifying the LDAP Then MeetingPlace Authentication Configuration by Using the HTTP Form

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Before You Begin

Complete the "Configuring the LDAP Then MeetingPlace Authentication" section.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace.

Step 2 Verify the following end-user behaviors:

You can log in with your LDAP password.

You cannot log in without a password.

If you have a Cisco Unified MeetingPlace profile, you can log in and schedule meetings.

This option does not allow you to log in to Cisco Unified MeetingPlace as a guest, that is, without a Cisco Unified MeetingPlace profile.


Related Topics

How to Resolve Authentication Problems in the Troubleshooting Cisco Unified MeetingPlace Web Conferencing module.

How to Configure Trust External Authentication

Trust External Authentication covers a broad range of enterprise security software that provides functions such as authentication, resource access authorization, Single Sign On (SSO), and intrusion detection. Typically, this software protects your Web Server by installing a DLL plug-in, also called an ISAPI filter, into the Web Server service (for example, IIS). The filter intercepts user login credentials and passes them to a corporate authentication and authorization server. The software must be able to place the authenticated user ID in an HTTP header (a server variable such as HTTP_SM_USER) so that it can be passed to Cisco Unified MeetingPlace, which trusts that value as the user's identity. Because that header is the only evidence of authentication Cisco Unified MeetingPlace sees, the filter must process every request that reaches the web conferencing application.


Note Users cannot log in to Cisco Unified MeetingPlace as guests after you have configured this authentication mode.


Terms for Single Sign On Software Integration

Terms of Support for Single Sign On Software Integration

Restrictions for Configuring Trust External Authentication

Configuring Trust External Authentication

Verifying the Trust External Authentication Configuration

Terms for Single Sign On Software Integration

Customer Premise Equipment (CPE) customers who implement SSO software integrations on their Cisco Unified MeetingPlace Web Servers do so at their own risk and are responsible for understanding the technical implementations and feasibility of SSO integrations on their systems.

By allowing SSO software integrations, we do not claim support for any SSO software packages or vendors.

Using SSO software integrations requires proper configuration of Cisco Unified MeetingPlace Web Conferencing systems through the Admin pages. If your SSO software integration requires a change in the Web Conferencing product source code, your SSO integration becomes an SSO customization, and we do not support customizations by either customers or any other parties.

Any CPE customers who want to integrate SSO packages can contact Cisco Managed Services to obtain a Service Request to implement SSO. This service is offered as a convenience and does not change the scope of the SSO integration: this service is an integration and configuration of the Web Conferencing product, not a customization of the product code.

Customers must first implement SSO software integrations on test or lab servers and verify that the integrated systems work, including Web Conferencing features and operations.

Customers are responsible for ensuring stability of integrated Web Conferencing-SSO systems, including communicating with SSO software vendors for the following reasons:

To obtain necessary fixes and support

To troubleshoot functional problems and technical problems, including crashes triggered by the SSO package

Many SSO software products include a web-server extension, called the IIS ISAPI extension or filter. Web Conferencing installs and uses four IIS extensions. Any incompatibility between an SSO software extension and the Web Conferencing extensions can make IIS non-functional or unstable. Any crash of the SSO IIS extension can cause IIS to crash and can generate a full Web Conferencing outage, resulting in a full system restart, ending of in-progress meetings, and disconnecting of Web Conferencing users. Any memory leak in the SSO package or module can make IIS or the whole server unstable, as well.


Note When you restart the web server, all manual changes made to the registry are lost.


Although SSO software integration is productized for the Web Conferencing system, any changes in overall configuration, including Web Conferencing upgrades and SSO package upgrades, can potentially break integrated Web Conferencing-SSO systems.

Terms of Support for Single Sign On Software Integration

Customers must inform Cisco TAC that their Cisco Unified MeetingPlace Web Servers have third-party SSO packages installed and configured with Web Conferencing when opening a service request for Web Conferencing, Cisco Unified MeetingPlace for Microsoft Outlook, or Cisco Unified MeetingPlace for IBM Lotus Notes.

Customers must be able to provide SSO integration details upon request. Inability to provide details can result in Cisco TAC not being able to proceed with service requests.

If a service request is about troubleshooting the SSO integration, Cisco TAC can review the logs and identify whether the problem is on the SSO side or the Web Conferencing side. If the problem is on the SSO side, information will be provided to customers, so they can further troubleshoot with their SSO vendors.

If the service request is about troubleshooting a Web Conferencing problem that does not seem to be connected to the SSO integration, Cisco TAC will proceed per the normal support process. If TAC discovers that the SSO integration plays a role in the problem, information will be provided to customers, so they can further troubleshoot with their SSO vendors.

If Cisco TAC believes the problem is triggered by an SSO package, Cisco TAC can require customers to disable the SSO package to troubleshoot further.

Microsoft Debug Diagnostic tool, also called DebugDiag, may be required for troubleshooting IIS crashes and memory leaks to determine if these problems are produced by the SSO package.

Restrictions for Configuring Trust External Authentication

When configuring Trust External authentication, make sure that the /mpweb/scripts/public/ directory is not protected by SSO. Protecting this directory will prevent web conferencing from functioning properly.

To use SSO, you must enable SSL on the Application Server. If you have a failover system, with active and standby servers, ensure that SSL is installed and configured on the standby server as well as on the active server. This way, SSO continues to work if the system has to fail over to the standby server for any reason.

Related Topics

How to Configure Trust External Authentication

Configuring Trust External Authentication

Before You Begin

Read the "Restrictions: User Authentication and Load Balancing" section.

Read the "Terms for Single Sign On Software Integration" section.

Read the "Terms of Support for Single Sign On Software Integration" section.

Procedure


Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Select the name of the Web Server that you want to configure in the "View" section of the page.

Step 5 Scroll down to the Web Authentication section.

Step 6 Select Trust External Authentication for "Step 1: Directory."

Step 7 Enter an appropriate value for an external service for "HTTP Header Containing Username."

Example: Enter HTTP_SM_USER for SiteMinder

Step 8 Select how you want user names transformed for "Username Conversion Function."

Selecting None applies no transformation to the original user ID string.

Step 9 Select Submit and wait five minutes for the new configuration to take effect.


What to Do Next

(Optional) Proceed to the "Verifying the Trust External Authentication Configuration" section.

Verifying the Trust External Authentication Configuration

Use a Cisco Unified MeetingPlace end user profile when completing this procedure.

Before You Begin

Complete the "Configuring Trust External Authentication" section.

Procedure


Step 1 Open your web browser and navigate to the Cisco Unified MeetingPlace home page.

Step 2 Verify the following end-user behaviors:

Using a SiteMinder environment, you are immediately authenticated to MeetingPlace with your SiteMinder user ID and password.

If you have a Cisco Unified MeetingPlace profile, you can log in with your SiteMinder password and schedule meetings.
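Beyond the behaviors listed above, a practitioner will want to confirm that only the SSO filter, and never the browser, can supply the trusted identity header. The probe below fetches the home page twice, once with no extra headers and once with the identity header set by the client, and reports whether the second request is treated as signed in while the first is not. This is an added example, not Cisco or SiteMinder code. Assumptions: the server variable HTTP_SM_USER entered in the Admin page corresponds to a request header named SM_USER on the wire (IIS exposes request headers as server variables with an HTTP_ prefix), the probe user ID is arbitrary, and the absence of a Sign In link is the signed-in marker, as in this chapter's verification procedures.

```python
"""Confirm that a Trust External Authentication deployment ignores an identity header
that the browser itself supplies.  Added example; not Cisco or SiteMinder code.
Assumptions: HTTP_SM_USER corresponds to a request header named SM_USER on the wire,
the probe user ID is arbitrary, and "Sign In" marks an unauthenticated home page."""
import urllib.request
from typing import Callable, Mapping

SIGN_IN_MARKER = "Sign In"   # present for anonymous visitors, absent on the Welcome page

Fetch = Callable[[str, Mapping[str, str]], str]


def looks_signed_in(body: str) -> bool:
    """The Welcome page of a signed-in user carries no Sign In link."""
    return SIGN_IN_MARKER not in body


def wire_header_name(server_variable: str) -> str:
    """HTTP_SM_USER (IIS server variable) -> SM_USER (request header).  Assumption."""
    prefix = "HTTP_"
    return server_variable[len(prefix):] if server_variable.startswith(prefix) else server_variable


def http_fetch(url: str, headers: Mapping[str, str]) -> str:
    """Plain HTTP(S) GET returning the body as text."""
    req = urllib.request.Request(url, headers=dict(headers))
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe_header_trust(url: str, server_variable: str = "HTTP_SM_USER",
                       probe_user: str = "probe.user", fetch: Fetch = http_fetch) -> dict:
    """Fetch the home page with and without the identity header and compare the outcomes."""
    header = wire_header_name(server_variable)
    anonymous_signed_in = looks_signed_in(fetch(url, {}))
    injected_signed_in = looks_signed_in(fetch(url, {header: probe_user}))
    return {
        "header": header,
        "anonymous_signed_in": anonymous_signed_in,
        "injected_signed_in": injected_signed_in,
        # Only the SSO filter may establish identity; a browser-set header must change nothing.
        "client_can_set_identity": injected_signed_in and not anonymous_signed_in,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://meetingplace.example.com/"
    result = probe_header_trust(target)
    print(result)
    sys.exit(1 if result["client_can_set_identity"] else 0)
```

Run the probe from a client's network position, and against every Web Server in a load-balancing cluster on which Trust External Authentication is configured. The decisive signal is that the two fetches behave identically; if the injected request alone comes back signed in, the header is reaching the web conferencing application without passing through the SSO filter and the deployment must be corrected before it is exposed to users.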


How to Configure HTTP Basic Authentication (Domain)

The HTTP basic authentication method is a widely used industry-standard method for collecting user ID and password information. It works as follows:

1. Users are prompted by a pop-up login window that is rendered by their web browser.

2. Users enter valid domain user IDs and passwords.

Cisco Unified MeetingPlace profile passwords are ignored and not used in the authentication operation.

3. If the Web Servers accept the login credentials and the user IDs also exist in Cisco Unified MeetingPlace profile databases, users are logged in automatically to Cisco Unified MeetingPlace and are granted access to the Cisco Unified MeetingPlace home page.


Note The Cisco Unified MeetingPlace profile user ID must match the domain user ID of the user.


The advantage of HTTP Basic Authentication is that it is part of the HTTP specification and is supported by most browsers. The disadvantage is that the user ID and password are only Base64-encoded before being sent over the network. Base64 is an encoding, not encryption, so anyone who can observe the traffic can recover the password; and because the browser resends the credentials with every subsequent request, every request is exposed, not just the first. Mitigate this risk by implementing Secure Sockets Layer (SSL) on the Web Server so that the whole session is encrypted.

Configuring HTTP Basic Authentication (Domain)

Verifying the HTTP Basic Authentication (Domain) Configuration

Configuring HTTP Basic Authentication (Domain)

Before You Begin

Read the "Restrictions: User Authentication and Load Balancing" section.

Procedure


Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Select the name of the Web Server that you want to configure in the "View" section of the page.

Step 5 Scroll down to the Web Authentication section.

Step 6 Select HTTP Basic Authentication (Domain) for "Step 1: Directory."

"Step 2: Login Method" is automatically set to HTTP Basic Authentication and cannot be changed.

Step 7 Enter your default logon domain in the field provided.

Step 8 Select how you want user names transformed for "Username Conversion Function."

Selecting None applies no transformation to the original user ID string.

Step 9 Select Submit and wait five minutes for the new configuration to take effect.


What to Do Next

(Optional) Proceed to the "Verifying the HTTP Basic Authentication (Domain) Configuration" section.

Verifying the HTTP Basic Authentication (Domain) Configuration

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Before You Begin

Complete the "Configuring HTTP Basic Authentication (Domain)" section.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace.

Step 2 Verify the following end-user behaviors:

You see an Enter Network Password dialog when accessing the home page.

If you have a local account on the Windows server and a matching profile user ID, you are authenticated to Cisco Unified MeetingPlace when you enter your domain user ID and password.

If you have a Cisco Unified MeetingPlace profile, your name displays on the Welcome page as firstname, lastname and the Sign In link no longer displays.

You can only log in to Cisco Unified MeetingPlace if you are authenticated by the Cisco Unified MeetingPlace Web Server.

In IIS, the MPWeb/Scripts folder is set to Basic Authentication.


How to Configure Windows Integrated Authentication

Windows Integrated Authentication

Login Behavior with Windows Integrated Authentication

Configuring Windows Integrated Authentication

Verifying the Windows Integrated Authentication Configuration

Configuring SiteMinder for Use With Cisco Unified MeetingPlace Web Conferencing

Windows Integrated Authentication

Windows Integrated Authentication (WIA) generates a hash from the user's credentials and the computer the user is working on, and sends that hash to the server; the user's password itself is never sent. If WIA fails for some reason, such as invalid user credentials, the browser prompts the user for a user ID and password. The Windows logon credentials are encrypted before being passed from the client to the Web Server.


Tip You can configure Internet Explorer version 4.0 or later to initially prompt for user information if needed. For more information, see the Internet Explorer documentation.


Windows Integrated Authentication (WIA) is secure, but has the following limitations:

Only Microsoft Internet Explorer version 4.0 or later supports this authentication method.

WIA does not work across proxy servers or other firewall applications.

WIA works only under the browser Intranet Zone connections and for any trusted sites you have configured.

WIA does not work on Web servers with SSL enabled.

Therefore, WIA is best suited for an intranet environment where both users and the Web Server are in the same domain and where administrators can ensure that every user has Microsoft Internet Explorer. The Web Server must be in a Windows domain.

Refer to Microsoft online documentation to further ensure or verify that your network supports WIA.

Login Behavior with Windows Integrated Authentication

When WIA Works Properly:

Users log in to their workstations by using their Windows NT domain accounts.

If their NT account user IDs also exist in the Cisco Unified MeetingPlace profile database, users are automatically logged in to Cisco Unified MeetingPlace and granted access to the home page. Cisco Unified MeetingPlace user passwords are ignored and not used in the SSO operation.

The home page does not have Sign In links to the HTML-based login form because users are already logged in through the SSO process.

If their NT account user IDs do not match any user IDs in the Cisco Unified MeetingPlace directory, users see the Cisco Unified MeetingPlace home page, but with Sign In links to the HTML-based login form. Users must then enter valid Cisco Unified MeetingPlace user IDs and passwords.

(System administrators only) If a user selects Sign Out from the Cisco Unified MeetingPlace Web Administration, then the user is logged out and returns to the home page. To log back in, the user may select Sign In and enter the valid Cisco Unified MeetingPlace user ID and password.

When WIA Does Not Work Properly:

Users see a popup window prompting them for their Cisco Unified MeetingPlace user IDs and passwords.

If their credentials are authenticated in the Cisco Unified MeetingPlace directory, users see the Cisco Unified MeetingPlace home page.

If authentication fails, users are prompted continually for their valid login credentials.


Note Cisco Unified MeetingPlace user IDs are not case-sensitive.


Related Topics

Read the "Terms for Single Sign On Software Integration" section.

Read the "Terms of Support for Single Sign On Software Integration" section.

Configuring Windows Integrated Authentication

Before You Begin

Read the "Restrictions: User Authentication and Load Balancing" section.

Restrictions

Each user must have an account (local or Active Directory) on the Windows NT Server and must also have a Cisco Unified MeetingPlace profile user ID that matches the account name.

Users must be using Microsoft Internet Explorer version 4.0 or later.

WIA works only under the browser Intranet Zone connections. By default, only pages without any dots in the URL are considered to be in the Intranet Zone.

WIA does not work across proxy servers or other firewall applications.

Procedure


Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Select the name of the Web Server that you want to configure in the "View" section of the page.

Step 5 Scroll down to the Web Authentication section.

Step 6 Select Windows Integrated Authentication for "Step 1: Directory."

"Step 2: Login Method" is automatically set to HTTP Basic Authentication and cannot be changed.

Step 7 Select how you want user names transformed for "Username Conversion Function."

Selecting None applies no transformation to the original user ID string.

Step 8 Select Submit and wait five minutes for the new configuration to take effect.


What to Do Next

(Optional) Proceed to the "Verifying the Windows Integrated Authentication Configuration" section.

Verifying the Windows Integrated Authentication Configuration

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Before You Begin

Complete the "Configuring Windows Integrated Authentication" section.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace.

Step 2 Verify the following end-user behaviors:

If you are on the same domain, you are immediately authenticated to the Web Server and see the Welcome page with your name displayed in firstname, lastname order. The Sign In link does not display.

If you are on a different domain, you see an Enter Network Password window that includes the Domain field.

If you are on a different domain, enter your Windows NT account user ID and password. You are then authenticated to the Cisco Unified MeetingPlace Web Server and see the Welcome page with your name displayed in firstname, lastname order. The Sign In link does not display.

Only users authenticated by the Web Server can log in.

In IIS, the MPWeb/Scripts folder is set to Integrated Windows Authentication.


Troubleshooting Tips

If you configured your Web Server Home Page hostname by using an IP address or FQDN, you will be prompted for your Windows login information even if you log in by using your domain Windows account.

See "How to Resolve Authentication Problems" in the Troubleshooting Cisco Unified MeetingPlace Web Conferencing module for a workaround to this problem.

See "Setting Your Web Server Options" in the Quick Start Configuration: Cisco Unified MeetingPlace Basic Web Conferencing module for information about configuring your Web Server Home Page hostname.

Configuring SiteMinder for Use With Cisco Unified MeetingPlace Web Conferencing

If your deployment includes the SiteMinder application for authentication and single-sign on support, you will need to make the following changes to the SiteMinder configuration so that it can interoperate properly with Cisco Unified MeetingPlace Web Conferencing Release 7.1.

String Blocking in URLs

SiteMinder looks for invalid strings in all URLs before processing. Web Conferencing uses internal URLs that include the "." character (period), which is blocked by the default SiteMinder configuration. The default block is:

badurlchars="./, /., /*, *., ~, \, %00-%1f,%7f-%ff"

In order for Web Conferencing to function properly, remove /. from the badurlchars string, for example:

badurlchars="./, /*, *., ~, \, %00-%1f,%7f-%ff"
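
The following Python example is added here as an illustration and is not part of the Cisco documentation or of SiteMinder. It models the badurlchars check as a comma-separated list of literal sequences plus %xx-%yy ranges of percent-encoded bytes applied to the part of the URL before any "?" (a simplification of the agent's real behaviour), so that an administrator can confirm which of the two strings above lets a given internal URL through. The URL http://localhost:8002/mpweb/.example/page is a constructed example, not an actual Web Conferencing URL.

```python
import re

# The two badurlchars strings from the guide: the default and the corrected one.
DEFAULT_BADURLCHARS = "./, /., /*, *., ~, \\, %00-%1f,%7f-%ff"
FIXED_BADURLCHARS = "./, /*, *., ~, \\, %00-%1f,%7f-%ff"

_RANGE = re.compile(r"^%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})$")


def parse_badurlchars(value):
    """Split a badurlchars string into literal sequences and (lo, hi) ranges
    of percent-encoded byte values. Approximation of the agent's parsing:
    comma-separated items with surrounding whitespace ignored."""
    literals, ranges = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        m = _RANGE.match(item)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        else:
            literals.append(item)
    return literals, ranges


def blocked_by(url, value):
    """Return the first blocked sequence found in the path portion of url
    (everything before a '?'), or None when the URL would pass the check."""
    literals, ranges = parse_badurlchars(value)
    path = url.split("?", 1)[0]
    for lit in literals:
        if lit in path:
            return lit
    for m in re.finditer(r"%([0-9a-fA-F]{2})", path):
        byte = int(m.group(1), 16)
        for lo, hi in ranges:
            if lo <= byte <= hi:
                return m.group(0)
    return None


if __name__ == "__main__":
    # Constructed internal URL containing a '/.' sequence (hypothetical path).
    url = "http://localhost:8002/mpweb/.example/page"
    print("default:", blocked_by(url, DEFAULT_BADURLCHARS))  # '/.' is blocked
    print("fixed:  ", blocked_by(url, FIXED_BADURLCHARS))    # passes
```

Note that removing "/." leaves "./" in the list, so paths containing ".." followed by a slash are still rejected after the change; the correction only permits a period at the start of a path segment.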

Localhost Redirection and Hostname Blocking in URLs

Web Conferencing uses internal URLs that include connecting to the localhost/loopback on port 8002, for example, http://localhost:8002. When SiteMinder receives a localhost request, it resolves localhost to the actual host name of the server. SiteMinder then looks up the host name in its list of hosts and matches it to the name of an agent. In order for web conferencing to function properly, you must add this agent name to the exception list so that it is not blocked by SiteMinder.

The following example shows the SiteMinder logging for a localhost request on port 8002:

[5812/7912][Tue Apr 24 14:00:07 2007][..\..\..\CSmHttpPlugin.cpp:219][INFO:2] PLUGIN: Read HTTP_HOST value 'localhost:8002'.
[5812/7912][Tue Apr 24 14:00:07 2007][..\..\..\CSmHttpPlugin.cpp:270][INFO:2] PLUGIN: ProcessResource - Resolved Host 'YOURHOSTNAME:8002'.
[5812/7912][Tue Apr 24 14:00:40 2007][..\..\..\CSmHttpPlugin.cpp:290][INFO:1] PLUGIN: ProcessResource - Resolved Agentname 'yourhostname-unprotected' for HTTP_HOST 'YOURHOSTNAME:8002'.

In the first line, SiteMinder processes the request to localhost on port 8002. In the second line, localhost is resolved to the actual hostname of the computer (in this example, YOURHOSTNAME). In the third line, YOURHOSTNAME:8002 is resolved to the agent defined in your SiteMinder configuration as yourhostname-unprotected. It is this agent name that must be allowed (not blocked) by SiteMinder in order for the request to succeed.
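
The following Python example is added here as an illustration and is not part of the Cisco documentation or of SiteMinder. It reads the three log lines shown above (each entry on a single line) and follows the HTTP_HOST -> resolved host -> agent name chain automatically, so that on a busy agent log an administrator can extract exactly the agent names that must go on the exception list for loopback requests on port 8002. The regular expressions assume the message wording shown in the sample.

```python
import re

# The SiteMinder agent log entries from the guide, one entry per line.
SAMPLE_LOG = r"""
[5812/7912][Tue Apr 24 14:00:07 2007][..\..\..\CSmHttpPlugin.cpp:219][INFO:2] PLUGIN: Read HTTP_HOST value 'localhost:8002'.
[5812/7912][Tue Apr 24 14:00:07 2007][..\..\..\CSmHttpPlugin.cpp:270][INFO:2] PLUGIN: ProcessResource - Resolved Host 'YOURHOSTNAME:8002'.
[5812/7912][Tue Apr 24 14:00:40 2007][..\..\..\CSmHttpPlugin.cpp:290][INFO:1] PLUGIN: ProcessResource - Resolved Agentname 'yourhostname-unprotected' for HTTP_HOST 'YOURHOSTNAME:8002'.
"""

_READ = re.compile(r"Read HTTP_HOST value '([^']+)'")
_HOST = re.compile(r"Resolved Host '([^']+)'")
_AGENT = re.compile(r"Resolved Agentname '([^']+)' for HTTP_HOST '([^']+)'")


def trace_localhost_agents(log_text, port="8002"):
    """Walk the log in order and return {requested_host: agent_name} for
    every loopback request on the given port. A 'Read HTTP_HOST' line is
    paired with the next 'Resolved Host' line, and the resolved name is then
    matched against the 'Resolved Agentname ... for HTTP_HOST' line."""
    result = {}
    pending_host = None   # HTTP_HOST value waiting for its resolution line
    resolved = {}         # resolved hostname -> original HTTP_HOST value
    loopback = {f"localhost:{port}", f"127.0.0.1:{port}"}
    for line in log_text.splitlines():
        m = _READ.search(line)
        if m:
            pending_host = m.group(1)
            continue
        m = _HOST.search(line)
        if m and pending_host is not None:
            resolved[m.group(1)] = pending_host
            pending_host = None
            continue
        m = _AGENT.search(line)
        if m:
            agent, host = m.group(1), m.group(2)
            original = resolved.get(host)
            if original and original.lower() in loopback:
                result[original] = agent
    return result


def agents_to_exempt(log_text, port="8002"):
    """Sorted, de-duplicated agent names that must be on the SiteMinder
    exception list so that loopback requests on the port are not blocked."""
    return sorted(set(trace_localhost_agents(log_text, port).values()))


if __name__ == "__main__":
    print(trace_localhost_agents(SAMPLE_LOG))
    print(agents_to_exempt(SAMPLE_LOG))
```

Feed the function the agent log captured while Web Conferencing makes its internal requests; any agent name it returns is one that would otherwise block the localhost:8002 call.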

Accessing Cisco Unified MeetingPlace Web Conferencing When Locked-Out Due to Incorrect User Authentication Setup

If you configure Web Conferencing to use anything other than the MeetingPlace native login form for user authentication, an incomplete authentication configuration can lock you out of Cisco Unified MeetingPlace through the web. For example, you might configure LDAP then MeetingPlace user authentication but enter an invalid LDAP hostname, or fail to ensure that the LDAP user IDs exist in MeetingPlace. In such circumstances, you cannot log in to Web Conferencing to correct your configuration errors.

To restore access to the web conferencing application, you can do one of the following:

Log on to the Cisco Unified MeetingPlace Web Server, open a web browser, and browse to http://localhost:8002. You will be logged in as the technician and can access the admin pages to fix the problem.

Edit the SQL database and reset the mode to MeetingPlace native login form.

The following procedure describes how to update the Cisco Unified MeetingPlace web conferencing user authentication mode in SQL Server.

Procedure


Step 1 Open a DOS command window.

Step 2 Log in to the SQL server by entering C:\osql -U userid -P password, replacing userid and password with the appropriate value.

Step 3 Specify that you want to access the MPWEB database.

a. Enter use mpweb.

b. Enter go.

Step 4 Enter Update web set AuthMode = 1.

Step 5 Enter Update web set AuthLoginMode = 1.

Step 6 Enter go.

The following tables provide mode definitions as a reference.

AUTHMODE Command                          Value

#define SQLCONFIG_AUTHMODE_NONE           0
#define SQLCONFIG_AUTHMODE_MP             1
#define SQLCONFIG_AUTHMODE_LDAP           2
#define SQLCONFIG_AUTHMODE_LDAPMP         3
#define SQLCONFIG_AUTHMODE_TRUSTEXT       4
#define SQLCONFIG_AUTHMODE_BASIC_DOMAIN   5
#define SQLCONFIG_AUTHMODE_WIA            6


AUTHLOGINMODE Command                     Value

#define SQLCONFIG_AUTHLOGINMODE_NONE      0
#define SQLCONFIG_AUTHLOGINMODE_WEB       1
#define SQLCONFIG_AUTHLOGINMODE_HTTP      2
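
The following Python example is added here as an illustration and is not part of the Cisco documentation. It reproduces the recovery procedure above (Steps 4 and 5) against an in-memory SQLite stand-in for the MPWEB database, which holds a single "web" row with the two columns the procedure touches, and translates the stored integers into the SQLCONFIG_* names from the reference tables so that the result can be verified. The real system uses SQL Server via osql; the table layout here is an assumption reduced to what the procedure needs.

```python
import sqlite3

# Mode values from the guide's reference tables.
AUTHMODE = {
    0: "NONE", 1: "MP", 2: "LDAP", 3: "LDAPMP",
    4: "TRUSTEXT", 5: "BASIC_DOMAIN", 6: "WIA",
}
AUTHLOGINMODE = {0: "NONE", 1: "WEB", 2: "HTTP"}


def describe_auth_config(auth_mode, auth_login_mode):
    """Translate the two integers stored in the 'web' table into the names
    from the SQLCONFIG_* tables; values outside the tables are flagged."""
    return (AUTHMODE.get(auth_mode, f"UNKNOWN({auth_mode})"),
            AUTHLOGINMODE.get(auth_login_mode, f"UNKNOWN({auth_login_mode})"))


def open_sample_db(auth_mode, auth_login_mode):
    """Build an in-memory stand-in for the MPWEB database: one 'web' row
    with AuthMode and AuthLoginMode (assumed minimal layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web (AuthMode INTEGER, AuthLoginMode INTEGER)")
    conn.execute("INSERT INTO web VALUES (?, ?)", (auth_mode, auth_login_mode))
    conn.commit()
    return conn


def current_auth_config(conn):
    """Read back the stored mode pair as names."""
    row = conn.execute("SELECT AuthMode, AuthLoginMode FROM web").fetchone()
    return describe_auth_config(*row)


def reset_to_native_login(conn):
    """Apply the same statements as Steps 4 and 5 of the procedure and return
    the resulting (AuthMode, AuthLoginMode) names for verification."""
    conn.execute("UPDATE web SET AuthMode = 1")
    conn.execute("UPDATE web SET AuthLoginMode = 1")
    conn.commit()
    return current_auth_config(conn)


if __name__ == "__main__":
    # Constructed scenario: LDAP then MeetingPlace (mode 3) was configured
    # with a bad LDAP hostname, locking administrators out of the web UI.
    db = open_sample_db(3, 1)
    print("before:", current_auth_config(db))
    print("after: ", reset_to_native_login(db))
```

After the reset, the stored pair reads ("MP", "WEB"), which is the MeetingPlace native login form the guide tells you to restore; checking the values with a read-back before and after the update is the equivalent of issuing a SELECT in the osql session to confirm the change took effect.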