Configuration Guide for Cisco Unified MeetingPlace Web Conferencing Release 5.3.
Configuring User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and Later Releases

Configuring User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and Later Releases


This section describes how to configure user authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and later releases. For information about how to configure user authentication in Release 5.3(104), see Chapter 4, "Configuring User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(104)".


Note Though all authentication methods can be applied to internal or external servers, some authentication methods may not make sense for a DMZ environment. For more information about Cisco Unified MeetingPlace Web Conferencing support for DMZ environments, read Chapter 6, "Configuring External Access to Cisco Unified MeetingPlace Web Conferencing."


Topics in this section include:

About User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and Later Releases

About MeetingPlace Authentication

About LDAP Authentication

About LDAP then MeetingPlace Authentication

About Trust External Authentication

About HTTP Basic Authentication (Domain)

About Windows Integrated Authentication

Troubleshooting Problems with Improper Functionality of Windows Authentication

About User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and Later Releases

By default, Cisco Unified MeetingPlace Web Conferencing prompts users for login credentials by using an HTML web form and then authenticates them against the Cisco Unified MeetingPlace user profile database. However, you can choose to have Cisco Unified MeetingPlace authenticate users through third-party authentication software that provides different authentication behaviors. These can include different login windows, authentication against other user profile databases, or both.

Integration with third-party authentication software can provide the following benefits:

Centralized user database—Facilitates profile management.

Single Sign-On (SSO)—Allows users who have already been authenticated once to have access to all resources and applications on the network without having to re-enter their credentials.

For SSO to work, you must ensure that Cisco Unified MeetingPlace user IDs are set up so that they match the corresponding user IDs used by the third-party authentication software. Because Cisco Unified MeetingPlace user IDs are case-sensitive, we recommend that you create them as all lowercase characters and that you use Cisco Unified MeetingPlace Directory Services for directory synchronization. This way, matching user IDs between Cisco Unified MeetingPlace and third-party authentication software is easily accomplished.


Note Cisco Unified MeetingPlace Web Conferencing Release 5.3(333) and later automatically converts case so that Cisco Unified MeetingPlace user IDs and corresponding user IDs used by third-party authentication software match.
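
The user ID matching requirement above can be checked before SSO is enabled. The following is an added example, not Cisco code: it compares two exported ID lists and reports exact matches, case-only mismatches, IDs that become ambiguous under case conversion, and missing profiles. The function name and the sample IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample exports (not real accounts).
SAMPLE_MEETINGPLACE_IDS = ["jsmith", "ADavis", "mlee", "MLee", "kwong"]
SAMPLE_EXTERNAL_IDS = ["jsmith", "adavis", "mlee", "rpatel"]


def reconcile_user_ids(meetingplace_ids, external_ids):
    """Classify each external (LDAP, domain or SSO) user ID against the
    MeetingPlace profile IDs, which are case-sensitive.

    exact         - identical strings; these match on every release
    case_only     - (external_id, meetingplace_id) pairs that differ only in
                    case; these match only where case is converted
                    automatically (Release 5.3(333) and later per the note)
    ambiguous     - external IDs for which several MeetingPlace IDs differ
                    only in case, so case conversion cannot pick one
    missing       - external IDs with no MeetingPlace profile in any casing
    not_lowercase - MeetingPlace IDs that do not follow the all-lowercase
                    recommendation
    """
    by_folded = defaultdict(list)
    for mp_id in meetingplace_ids:
        by_folded[mp_id.casefold()].append(mp_id)
    exact_ids = set(meetingplace_ids)

    report = {
        "exact": [],
        "case_only": [],
        "ambiguous": [],
        "missing": [],
        "not_lowercase": sorted(i for i in exact_ids if i != i.lower()),
    }
    for ext_id in external_ids:
        candidates = by_folded.get(ext_id.casefold(), [])
        if len(candidates) > 1:
            report["ambiguous"].append((ext_id, sorted(candidates)))
        elif ext_id in exact_ids:
            report["exact"].append(ext_id)
        elif candidates:
            report["case_only"].append((ext_id, candidates[0]))
        else:
            report["missing"].append(ext_id)
    return report


if __name__ == "__main__":
    result = reconcile_user_ids(SAMPLE_MEETINGPLACE_IDS, SAMPLE_EXTERNAL_IDS)
    for category, entries in result.items():
        print(f"{category}: {entries}")
```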


Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and later provides the following authentication configuration options:

HTTP Basic Authentication (Domain)

LDAP

LDAP, then MeetingPlace

MeetingPlace

Trust External Authentication

Windows Integrated Authentication


Note Having a Cisco Unified MeetingPlace profile does not guarantee users access to the Cisco Unified MeetingPlace system. Login behaviors vary depending on the authentication configuration and login options that you choose.


Related Topics

Restrictions: User Authentication and Load Balancing

Restrictions: User Authentication and Segmented Meeting Access Deployments

Restrictions: User Authentication and Load Balancing

In a Cisco Unified MeetingPlace load-balancing cluster, all users must enter the Cisco Unified MeetingPlace system through a designated Cisco Unified MeetingPlace web server. In such circumstances, you only need to configure the designated web server for your chosen authentication method. You can configure all other web servers in the cluster to use the default authentication method—MeetingPlace Web Form Authentication.

If you want to configure other web servers in the cluster to use the same authentication method as a failover strategy, you can do so. However, depending on the type of authentication method used, this configuration can result in undesirable SSO behaviors.

For example, if you configure HTTP Basic Authentication or Windows Integrated Authentication, Cisco Unified MeetingPlace will prompt users for login credentials each time there is a web server redirect. This is because you are altering the hostname in the authentication configuration each time you redirect traffic to an active web server through a DNS change. If you configure LDAP or MeetingPlace authentication, users will not be prompted again for login credentials during a web conferencing redirect.

Related Topics

About User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and Later Releases

Restrictions: User Authentication and Segmented Meeting Access Deployments

If you configured a segmented meeting access deployment with one server (SMA-1S), you have two authentication options when configuring user authentication:

Configure both internal and external web sites to use the MeetingPlace native login form page

Configure the internal web site to use HTTP Basic Authentication and the external web site to use the MeetingPlace native login form page

Related Topics

About User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and Later Releases

Allowing Cisco Unified MeetingPlace for Outlook Authentication

If your Cisco Unified MeetingPlace system includes the Cisco Unified MeetingPlace for Outlook integration, you must configure Cisco Unified MeetingPlace Web Conferencing to allow Outlook to authenticate by completing the following steps:

Before You Begin

Make sure that the Cisco Unified MeetingPlace user IDs and Windows domain user IDs of your users match.

Procedure


Step 1 Update the Cisco Unified MeetingPlace Web Conferencing registry key to allow Outlook authentication.

a. From your desktop, choose Start > Run; then, enter regedit.

b. Locate HKEY_LOCAL_MACHINE\SOFTWARE\Latitude\MeetingPlace WebPublisher\mpagent and change to RemoteUserAllowed.

c. To allow Outlook to authenticate, choose 1.

Step 2 Configure Cisco Unified MeetingPlace for Outlook to use integrated windows authentication.

a. Open Explorer and navigate to the \MPWEB\mpoutlook folder.

b. Double-click configclients.exe.

c. From the Outlook control panel, choose the Logins tab and check Use integrated windows authentication.

d. Click OK.

e. Close the Outlook Configuration Client utility.

Step 3 If you are configuring Cisco Unified MeetingPlace Web Conferencing user authentication, proceed to the next task in your configuration as follows:

If you are configuring Cisco Unified MeetingPlace Web Conferencing Release 5.3(104), proceed to the "Restricting the \MPWeb\Scripts Directory" section on page 4-2.

If you are configuring Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) or a later release, proceed to the "About User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(235) and Later Releases" section to determine your authentication mode.


About MeetingPlace Authentication

Authenticating users against the profile database on the Cisco Unified MeetingPlace Audio Server system is the default user authentication option. You have two options when configuring this type of authentication:

Logging in with an HTML-based web page form. This is the default option.

Logging in against a login window rendered by your web browser.

Regardless of the login page users see, user IDs and passwords are sent to the Audio Server system for authentication. Both profiles and user passwords must match. Profiles are case-sensitive.

Topics in this section include:

Configuring MeetingPlace Authentication

Verifying the MeetingPlace Authentication Configuration Using the HTTP Form

Configuring MeetingPlace Authentication

Before You Begin

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section.

Procedure


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin; then, Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll to the Web Authentication section.

Step 5 For "Step 1: Directory", choose MeetingPlace.

Step 6 For "Step 2: Login Method", choose one of the following options:

To see an HTML-based Cisco Unified MeetingPlace login window, choose Web Page Form. This is the default authentication method.

To see a login window rendered by your web browser, choose HTTP Basic Authentication.


Note If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.


Step 7 Click Submit and wait five minutes for the new configuration to take effect.

Step 8 (Optional) If you chose HTTP Basic Authentication, proceed to the "Verifying the MeetingPlace Authentication Configuration Using the HTTP Form" section.


Related Topics

About MeetingPlace Authentication

Verifying the MeetingPlace Authentication Configuration Using the HTTP Form

Before You Begin

Complete the "Configuring MeetingPlace Authentication" section and choose the HTTP Basic Authentication option.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

When you access the Cisco Unified MeetingPlace home page, you see an Enter Network Password window.

After you enter your end-user Cisco Unified MeetingPlace user ID and password, you are authenticated to the Audio Server.

The Welcome page displays your name in the order of firstname, lastname.

Sign In and Sign Out links do not display.


Related Topics

About MeetingPlace Authentication

About LDAP Authentication

LDAP authentication compares users' login information against the profile database on an LDAPv2-compliant directory server. Once users are authenticated by the LDAP server, users are automatically logged in to Cisco Unified MeetingPlace as long as their LDAP user IDs also exist in Cisco Unified MeetingPlace. With LDAP authentication, the following restrictions apply:

Cisco Unified MeetingPlace Web Conferencing supports only unencrypted LDAP, that is, queries to the LDAP server are in clear text.

Users cannot log in with their Cisco Unified MeetingPlace passwords, even when their Cisco Unified MeetingPlace user names are the same as their LDAP user names.

LDAP profiles are used for authentication; Cisco Unified MeetingPlace profiles are ignored.


Note To authenticate Cisco Unified MeetingPlace Web Conferencing against the LDAP server, make sure that the LDAP server directory is designed to have all users in one container rather than broken into multiple containers (each representing a child OU).


Topics in this section include:

Configuring LDAP Authentication

Verifying the LDAP Authentication Configuration Using the Web Page Form

Verifying the LDAP Authentication Configuration Using the HTTP Form

Configuring LDAP Authentication

Before You Begin

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section.

Procedure


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin; then, Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll to the Web Authentication section.

Step 5 For "Step 1: Directory", choose LDAP.

Step 6 For "LDAP Hostname", enter the LDAP hostname, for example ldap.domain.com.

Step 7 For "LDAP Distinguished Name (DN)", enter the DN information for your directory.


Note All users in the LDAP server directory must be in one container rather than broken into multiple containers each representing a child OU.


Example

CN=%USERNAME%, OU=People, DC=mydomain, DC=com

%USERNAME% is the username that the user enters when trying to log in.

Before the request is sent to the LDAP server, %USERNAME% is replaced with the username that the user types in the login username field. No additional modifications are made to the DN value.

The %USERNAME% placeholder is case-sensitive, that is, it must be entered in all upper case.

Consult your LDAP expert for your DN information.

Step 8 For "Step 2: Login Method", choose one of the following:

To see an HTML-based Cisco Unified MeetingPlace login window, choose Web Page Form.

To see a login window rendered by your web browser, choose HTTP Basic Authentication.


Note If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.


Step 9 Click Submit and wait five minutes for the new configuration to take effect.

Step 10 (Optional) If you chose Web Page Form and want to verify your configuration, proceed to the "Verifying the LDAP Authentication Configuration Using the Web Page Form" section.

Step 11 (Optional) If you chose HTTP Basic Authentication and want to verify your configuration, proceed to the "Verifying the LDAP Authentication Configuration Using the HTTP Form" section.


Related Topics

About LDAP Authentication

Verifying the LDAP Authentication Configuration Using the Web Page Form

Before You Begin

Complete the "Configuring LDAP Authentication" section and choose Web Page Form.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

If you have a Cisco Unified MeetingPlace profile, you can log in with your LDAP password.

You cannot log in without a password.


Related Topics

About LDAP Authentication

Verifying the LDAP Authentication Configuration Using the HTTP Form

Before You Begin

Complete the "Configuring LDAP Authentication" section and choose HTTP Basic Authentication.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

When you access the Cisco Unified MeetingPlace home page, you see an Enter Network Password window.

After you enter your LDAP profile user ID and password, you are authenticated to the Audio Server.

The Welcome page displays your name in the order of firstname, lastname.

Sign In and Sign Out links do not display.


Related Topics

About LDAP Authentication

About LDAP then MeetingPlace Authentication

This authentication mode attempts to authenticate users against two directories if the need arises. When users first log in, they are authenticated against the LDAP directory. If this authentication fails, the login information is sent to the Cisco Unified MeetingPlace Audio Server for a possible match. This behavior allows a company to give non-LDAP users, such as guests or contractors, access to Cisco Unified MeetingPlace.

Before configuring this authentication mode, keep the following points in mind:

To authenticate Cisco Unified MeetingPlace Web Conferencing against the LDAP server, make sure that the LDAP server directory is designed to have all users in one container rather than broken into multiple containers (each representing a child OU).

If a match is made in the LDAP database, the user must provide the proper LDAP password. Three attempts with the incorrect password will lock the user's LDAP profile. Only users who are not found in the LDAP directory are eligible for authentication through the Cisco Unified MeetingPlace directory.

User IDs in the Cisco Unified MeetingPlace profile database are case-sensitive.

Topics in this section include:

Configuring the LDAP then MeetingPlace Authentication

Verifying the LDAP then MeetingPlace Authentication Configuration Using the Web Page Form

Verifying the LDAP then MeetingPlace Authentication Configuration Using the HTTP Form

Configuring the LDAP then MeetingPlace Authentication

Before You Begin

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section.

Procedure


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin; then, Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll to the Web Authentication section.

Step 5 For "Step 1: Directory", choose LDAP, then MeetingPlace.

Step 6 For "LDAP Hostname", enter the LDAP hostname, for example ldap.domain.com.

Step 7 For "LDAP Distinguished Name (DN)", enter the DN information for your directory.


Note All users in the LDAP server directory must be in one container rather than broken into multiple containers each representing a child OU.


Example

CN=%USERNAME%, OU=People, DC=mydomain, DC=com

%USERNAME% is the username that the user enters when trying to log in.

Before the request is sent to the LDAP server, %USERNAME% is replaced with the username that the user types in the login username field. No additional modifications are made to the DN value.

The %USERNAME% placeholder is case-sensitive, that is, it must be entered in all upper case.

Consult your LDAP expert for your DN information.

Step 8 For "Step 2: Login Method", choose one of the following:

To see an HTML-based Cisco Unified MeetingPlace login window, choose Web Page Form.

To see a login window rendered by your web browser, choose HTTP Basic Authentication.


Note If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.


Step 9 Click Submit and wait five minutes for the new configuration to take effect.

Step 10 (Optional) If you want to verify your Web Page Form configuration, proceed to the "Verifying the LDAP then MeetingPlace Authentication Configuration Using the Web Page Form" section.

Step 11 (Optional) If you want to verify your HTTP form configuration, proceed to the "Verifying the LDAP then MeetingPlace Authentication Configuration Using the HTTP Form" section.
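
The "LDAP Distinguished Name (DN)" value in Step 7 of both the LDAP and the LDAP then MeetingPlace procedures can be checked before it is submitted. The following is an added example, not Cisco code: it validates the template, previews the DN that the verbatim substitution produces, and flags user IDs that will not yield the intended single-container DN because no escaping is applied. The function names, the sample user IDs and the conservative special-character set are assumptions made for illustration.

```python
import re

PLACEHOLDER = "%USERNAME%"
# Example DN from the procedure above.
TEMPLATE = "CN=%USERNAME%, OU=People, DC=mydomain, DC=com"
# Assumption: conservative set of characters that have special meaning in
# LDAP DN string syntax and would need escaping inside an attribute value.
DN_SPECIALS = set(',+"\\<>;=')
# Constructed sample user IDs (not real accounts).
SAMPLE_USER_IDS = ["jsmith", "Smith, John", "o'brien", " kwong", "a+b"]


def check_dn_template(template):
    """Return a list of problems found in a DN template (empty list = OK)."""
    problems = []
    tokens = re.findall(r"%username%", template, flags=re.IGNORECASE)
    if PLACEHOLDER not in tokens:
        if tokens:
            # The placeholder is case-sensitive: %username% is not replaced.
            problems.append(f"placeholder {tokens[0]} must be written {PLACEHOLDER}")
        else:
            problems.append(f"template contains no {PLACEHOLDER} placeholder")
    elif any(token != PLACEHOLDER for token in tokens):
        problems.append("template mixes upper- and lower-case placeholders")
    for component in template.split(","):
        attr, sep, value = component.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            problems.append(f"malformed DN component {component.strip()!r}")
    return problems


def bind_dn(template, user_id):
    """Mirror the documented behavior: verbatim substitution, nothing else."""
    return template.replace(PLACEHOLDER, user_id)


def unsafe_reason(user_id):
    """Explain why a user ID cannot be substituted verbatim, or return None."""
    if not user_id:
        return "empty user ID"
    specials = sorted(set(user_id) & DN_SPECIALS)
    if specials:
        return "contains DN special character(s): " + " ".join(specials)
    if user_id[0] in " #" or user_id[-1] == " ":
        return "leading space or '#', or trailing space"
    return None


def audit_user_ids(template, user_ids):
    """Split user IDs into those that resolve to a DN and those to review."""
    resolved, flagged = {}, {}
    for user_id in user_ids:
        reason = unsafe_reason(user_id)
        if reason:
            flagged[user_id] = reason
        else:
            resolved[user_id] = bind_dn(template, user_id)
    return resolved, flagged


if __name__ == "__main__":
    print("template problems:", check_dn_template(TEMPLATE))
    ok, review = audit_user_ids(TEMPLATE, SAMPLE_USER_IDS)
    for user_id, dn in ok.items():
        print(f"OK      {user_id!r} -> {dn}")
    for user_id, reason in review.items():
        print(f"REVIEW  {user_id!r}: {reason}")
```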


Related Topics

About LDAP then MeetingPlace Authentication

Verifying the LDAP then MeetingPlace Authentication Configuration Using the Web Page Form

Before You Begin

Complete the "Configuring the LDAP then MeetingPlace Authentication" section and choose Web Page Form.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

You can log in with your LDAP password.

You cannot log in without a password.

If you have a Cisco Unified MeetingPlace profile, you can log in and schedule meetings.

If you do not have a Cisco Unified MeetingPlace profile, you can only attend and search public meetings.


Related Topics

About LDAP then MeetingPlace Authentication

Verifying the LDAP then MeetingPlace Authentication Configuration Using the HTTP Form

Before You Begin

Complete the "Configuring the LDAP then MeetingPlace Authentication" section and choose HTTP Basic Authentication.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

You can log in with your LDAP password.

You cannot log in without a password.

If you have a Cisco Unified MeetingPlace profile, you can log in and schedule meetings.

This option does not allow you to log in to Cisco Unified MeetingPlace as a guest, that is, without a Cisco Unified MeetingPlace profile.


Related Topics

About LDAP then MeetingPlace Authentication

About Trust External Authentication

Trust External Authentication represents a broad range of enterprise security software that provides functions like authentication, resource access authorization, Single Sign On (SSO), and intrusion detection. Typically, this software protects your web server by installing a DLL plug-in into the web server service, for example IIS. This DLL plug-in, also called an ISAPI filter, intercepts user login credentials and passes them to a corporate authentication and authorization server. For Release 5.3(235) and later releases to work with this software, the software must be able to output user IDs in the HTTP header so that they can be passed to Cisco Unified MeetingPlace for authentication.


Note User IDs in the Cisco Unified MeetingPlace profile database are case-sensitive. Users cannot log in to Cisco Unified MeetingPlace as guests after you have configured this authentication mode.


Before configuring this authentication mode, make sure that you read the following terms of agreement:

Terms for Single Sign On Software Integration, page 1-7

Terms of Support for Single Sign On Software Integration, page 1-8

Topics in this section include:

Restrictions: Configuring Trust External Authentication

Configuring Trust External Authentication

Verifying the Trust External Authentication Configuration

Restrictions: Configuring Trust External Authentication

When configuring Trust External authentication, make sure that the following directories are not protected by SSO:

/mpweb/scripts/public/

/mpweb/extensions/

Protecting these directories will inhibit Cisco Unified MeetingPlace Web Conferencing from functioning properly.

Configuring Trust External Authentication

When user IDs are sent to the Cisco Unified MeetingPlace Audio Server, Cisco Unified MeetingPlace Web Conferencing can apply a transformation to the user IDs.

Before You Begin

If you are implementing Single Sign On, read the following terms:

Terms for Single Sign On Software Integration, page 1-7

Terms of Support for Single Sign On Software Integration, page 1-8

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section.

Procedure


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin; then, Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll down to the Web Authentication section.

Step 5 For "Step 1: Directory", choose Trust External Authentication.

Step 6 For "HTTP Header Containing Username", enter an appropriate value for an external service, such as HTTP_SM_USER for SiteMinder.

Step 7 For "Username Conversion Function", choose how you want user names transformed.

None applies no transformation to the original user ID string.

Step 8 Click Submit and wait five minutes for the new configuration to take effect.

Step 9 (Optional) If you want to verify your configuration, proceed to the "Verifying the LDAP Authentication Configuration Using the Web Page Form" section.


Related Topics

About Trust External Authentication

Verifying the Trust External Authentication Configuration

Before You Begin

Complete the "Configuring Trust External Authentication" section.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open your web browser and navigate to the Cisco Unified MeetingPlace Web Conferencing home page.

Step 2 Verify the following end-user behaviors:

Using a SiteMinder environment, you are immediately authenticated to MeetingPlace with your SiteMinder user ID and password.

If you have a Cisco Unified MeetingPlace profile, you can log in with your SiteMinder password and schedule meetings.


Related Topics

About Trust External Authentication

About HTTP Basic Authentication (Domain)

The HTTP basic authentication method is a widely used industry-standard method for collecting user ID and password information. It works as follows:

1. Users are prompted by a pop-up login window that is rendered by their web browser.

2. Users enter valid domain user IDs and passwords. Cisco Unified MeetingPlace profile passwords are ignored and not used in the authentication operation.

3. If the web servers accept the login credentials and the user IDs also exist in Cisco Unified MeetingPlace profile databases, users are logged in automatically to Cisco Unified MeetingPlace and are granted access to the Cisco Unified MeetingPlace home page.


Note Cisco Unified MeetingPlace profile user IDs are case-sensitive and must match the domain user ID of the user. If you choose this authentication mode, users cannot log in to Cisco Unified MeetingPlace as guests.


The advantage of HTTP Basic Authentication is that it is part of the HTTP specification and is supported by most browsers. The disadvantage is that the password is only Base64-encoded before being sent over the network. Because Base64 is an encoding and not true encryption, it can be easily decoded. You can mitigate this security issue by implementing Secure Sockets Layer (SSL) on the web server.
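
The exposure described above can be audited from request records. The following is an added example, not Cisco code: it parses Authorization headers, decodes Basic credentials without any key, and reports which accounts sent them over plain HTTP while leaving passwords out of the report. The request records, host name and function names are constructed for illustration.

```python
import base64
import binascii


def basic_header(user, password):
    """Build an Authorization header value the way a browser does."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header_value):
    """Return (user, password) for a well-formed Basic credential, else None.

    No secret is needed: Base64 is reversible by anyone who sees the header.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None  # for example Negotiate or NTLM, used by WIA
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_requests(requests):
    """List every request that carried Basic credentials.

    Each finding records the user and URL and whether TLS protected the
    header; the decoded password is deliberately not kept.
    """
    findings = []
    for req in requests:
        header = req["headers"].get("Authorization")
        creds = parse_basic(header) if header else None
        if creds is None:
            continue
        user, _password = creds
        findings.append({
            "user": user,
            "url": f'{req["scheme"]}://{req["host"]}{req["path"]}',
            "protected": req["scheme"] == "https",
        })
    return findings


def exposed_users(requests):
    """Users whose Basic credentials crossed the network without TLS."""
    return sorted({f["user"] for f in audit_requests(requests) if not f["protected"]})


# Constructed sample records; host, users and passwords are placeholders.
HOST = "meetingplace.example.com"
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": HOST, "path": "/",
     "headers": {"Authorization": basic_header("jsmith", "constructed-password-1")}},
    {"scheme": "https", "host": HOST, "path": "/",
     "headers": {"Authorization": basic_header("adavis", "constructed-password-2")}},
    {"scheme": "http", "host": HOST, "path": "/",
     "headers": {"Authorization": "Negotiate constructed-token"}},
    {"scheme": "http", "host": HOST, "path": "/",
     "headers": {"Authorization": "Basic not*base64"}},
    {"scheme": "http", "host": HOST, "path": "/", "headers": {}},
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        state = "TLS" if finding["protected"] else "CLEAR TEXT"
        print(f'{state:10} {finding["user"]:8} {finding["url"]}')
    print("accounts to reset:", exposed_users(SAMPLE_REQUESTS))
```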

Topics in this section include:

Configuring HTTP Basic Authentication (Domain)

Verifying the HTTP Basic Authentication (Domain) Configuration

Configuring HTTP Basic Authentication (Domain)

Before You Begin

This option restricts users from logging in to Cisco Unified MeetingPlace as guest users. All users must have Cisco Unified MeetingPlace profiles.

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section.

Procedure


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin; then, Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll down to the Web Authentication section.

Step 5 For "Step 1: Directory", choose HTTP Basic Authentication (Domain).

"Step 2: Login Method" is automatically set to HTTP Basic Authentication and cannot be changed.

Users cannot log in to Cisco Unified MeetingPlace as guests.

Step 6 Click Submit and wait five minutes for the new configuration to take effect.

Step 7 (Optional) To verify your configuration, see the "Verifying the HTTP Basic Authentication (Domain) Configuration" section.


Related Topics

About HTTP Basic Authentication (Domain)

Verifying the HTTP Basic Authentication (Domain) Configuration

Before You Begin

Complete the "Configuring HTTP Basic Authentication (Domain)" section.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

You see an Enter Network Password dialog when accessing the home page.

If you have a local account on the Windows server and a matching profile user ID, you are authenticated to the Audio Server when you enter your domain user ID and password.

If you have a Cisco Unified MeetingPlace profile, your name appears on the Welcome page as firstname, lastname and the Sign In link no longer displays.

You can only log in to Cisco Unified MeetingPlace if you are authenticated by the Cisco Unified MeetingPlace web server.

In IIS, the MPWeb/Scripts folder is set to Basic Authentication.


Related Topics

About HTTP Basic Authentication (Domain)

About Windows Integrated Authentication

Windows Integrated Authentication (WIA) uses an algorithm to generate a hash based on the credentials and computers that users are using. WIA then sends this hash to the server; user passwords are not sent to the server.

If WIA fails for some reason, such as improper user credentials, users are prompted by their browsers to enter their user IDs and passwords. The Windows logon credentials are encrypted before being passed from the client to the web server.


Note You can configure Internet Explorer version 4.0 or later versions to initially prompt for user information if needed. For more information, see the Internet Explorer documentation.


Although Windows Integrated Authentication (WIA) is secure, it does have the following limitations:

Only Microsoft Internet Explorer version 4.0 or later versions support this authentication method.

WIA does not work across proxy servers or other firewall applications.

WIA works only under the browser's Intranet Zone connections and for any trusted sites you have configured.

Therefore, WIA is best suited for an intranet environment where both users and the web server are in the same domain and where administrators can ensure that every user has Microsoft Internet Explorer. The web server must be in a Windows domain.

To further ensure or verify that your network supports WIA, refer to Microsoft online documentation at http://support.microsoft.com. An example of suggested documentation includes the following:

http://support.microsoft.com/kb/q264921/

Topics in this section include:

Windows Integrated Authentication: Login Behavior

Configuring Windows Integrated Authentication

Verifying the Windows Integrated Authentication Configuration

Windows Integrated Authentication: Login Behavior

The following describes the login behavior when WIA works:

Users log in to their workstations by using their Windows NT domain accounts.

If their NT account user IDs also exist in the Cisco Unified MeetingPlace profile database, users are automatically logged in to Cisco Unified MeetingPlace and granted access to the home page. Cisco Unified MeetingPlace profile passwords are ignored and not used in the SSO operation.

The home page does not have Sign In links to the HTML-based login form because users are already logged in through the SSO process. For SSO terms of agreement, see the "Terms for Single Sign On Software Integration" section on page 1-7 and the "Terms of Support for Single Sign On Software Integration" section on page 1-8.

If their NT account user IDs do not match any user IDs in the Cisco Unified MeetingPlace directory, users see the Cisco Unified MeetingPlace Web Conferencing home page, but with Sign In links to the HTML-based login form. Users must then enter valid Cisco Unified MeetingPlace user IDs and passwords.


Note Cisco Unified MeetingPlace user IDs are case-sensitive. Cisco Unified MeetingPlace Web Conferencing Release 5.3(333) and later converts case from lower case to upper case and vice-versa automatically. However, if you are using Release 5.3(333) and later in a segmented meeting access configuration with one server (SMA-1S), case conversion affects the internal server only.


The following describes the login behavior when WIA does not work:

Users see a popup window prompting them for their Cisco Unified MeetingPlace user IDs and passwords.

If their credentials are authenticated in the Cisco Unified MeetingPlace directory, users see the Cisco Unified MeetingPlace home page.

If authentication fails, users are prompted continually for their valid login credentials.

Related Topics

About Windows Integrated Authentication

Configuring Windows Integrated Authentication

Windows Integrated Authentication (WIA) is best suited for an intranet environment, where both users and the web server are in the same domain, and where administrators can ensure that every user has Microsoft Internet Explorer. The web server must be in a Windows domain.

Before You Begin

If you are also using Cisco Unified MeetingPlace for Outlook, complete the "Allowing Cisco Unified MeetingPlace for Outlook Authentication" section.

Restrictions

Users must have local accounts on Windows servers with matching profile user IDs.

Only Microsoft Internet Explorer version 4.0 or later supports this authentication method.

WIA works only under the browser's Intranet Zone connections.

WIA does not work across proxy servers or other firewall applications.

The URL cannot contain any dots. Using an IP address or FQDN causes users to be prompted for login credentials.

Procedure


Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.

Step 2 From the Welcome page, click Admin; then, Web Server.

Step 3 From the "View" section of the page, click the name of the web server that you want to configure.

Step 4 Scroll down to the Web Authentication section.

Step 5 For "Step 1: Directory", choose Windows Integrated Authentication.

"Step 2: Login Method" is automatically set to HTTP Basic Authentication and cannot be changed.

Users cannot log in to Cisco Unified MeetingPlace as guests.

Step 6 Click Submit and wait five minutes for the new configuration to take effect.

Step 7 (Optional) To verify your configuration, see the "Verifying the Windows Integrated Authentication Configuration" section.


Related Topics

About Windows Integrated Authentication

Verifying the Windows Integrated Authentication Configuration

Before You Begin

Complete the "Configuring Windows Integrated Authentication" section.

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.

Procedure


Step 1 Open a web browser and navigate to Cisco Unified MeetingPlace Web Conferencing.

Step 2 Verify the following end-user behaviors:

If you are on the same domain, you are immediately authenticated to the web server and see the Welcome page with your name displayed in firstname, lastname order. The Sign In link does not display.

If you are on a different domain, you see an Enter Network Password window that includes the Domain field.

If you are on a different domain, enter your Windows NT account user ID and password. You are then authenticated to the Cisco Unified MeetingPlace web server and see the Welcome page with your name displayed in firstname, lastname order. The Sign In link does not display.

Only users authenticated by the web server can log in.

In IIS, the MPWeb/Scripts folder is set to Integrated Windows Authentication.


Troubleshooting Tips

If you configured your web server hostname by using an IP address or FQDN, you will be prompted for your Windows login information even if you log in by using your domain Windows account.

For a workaround to this problem, see the "Troubleshooting Problems with Improper Functionality of Windows Authentication" section.

For information about configuring your web server hostname, see the "Configuring the Web Server" section on page 2-32.

Related Topics

About Windows Integrated Authentication

Troubleshooting Problems with Improper Functionality of Windows Authentication

If the server name in a URL request to the web server contains any periods, such as the dots in an IP address or a FQDN, the request is automatically routed to Internet Explorer's Internet Zone. Internet Explorer's default Internet Zone is configured to not pass Windows credentials to the web server.

Consequently, if you configured Windows authentication but used an IP address or FQDN when setting your web server Host Name parameter in the "Configuring the Web Server" section on page 2-32, Internet Explorer prompts you for your Windows login information when you try to access Cisco Unified MeetingPlace Web Conferencing even if you are already logged on to your computer with your domain Windows account.

The following procedures provide instructions for two workarounds for this issue:

Adding the URL String to Internet Explorer's Trusted Zone

Modifying Internet Explorer's Internet Zone to Automatically Pass Windows Credentials and Log Users Into a Website

We recommend that you use the workaround provided in the "Adding the URL String to Internet Explorer's Trusted Zone" section.

Related Topics

About Windows Integrated Authentication

About User Authentication in Cisco Unified MeetingPlace Web Conferencing Release 5.3(104), page 4-1

Adding the URL String to Internet Explorer's Trusted Zone

This is the preferred method for working around Internet Explorer's Internet Zone configuration.

Restrictions

If you choose this workaround, you must apply this change to all your end users' computers.

Procedure


Step 1 Open Internet Explorer. From Tools > Internet Options, click the Security tab.

Step 2 From the Security tab, click Trusted Zone.

Step 3 Click Edit.

Step 4 From the Trusted Sites window, add the URL of your web server.

For example, if you set your web server's Hostname parameter to abc.company.com, then enter http://abc.company.com into the list of trusted websites and click Add.

Step 5 Click OK.


Modifying Internet Explorer's Internet Zone to Automatically Pass Windows Credentials and Log Users Into a Website

Restrictions

If you choose this workaround, you must apply this change to all your end users' computers.

Procedure


Step 1 Open Internet Explorer. From Tools > Internet Options, click the Security tab.

Step 2 From the Security tab, click Internet Zone; then, click Custom Level.

Step 3 From the Security Settings window, scroll down to the User Authentication section at the bottom.

Step 4 For Logon, click Authenticate logon with current username and password.

Step 5 Click OK.
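To confirm on an end user's computer that either workaround took effect, the following read-only script reports which Internet Explorer zone the web server URL maps to and which Logon setting applies to that zone. It is an added example, not part of the Cisco guide or product; it assumes Windows PowerShell 5.1 and uses abc.company.com, the guide's sample host name, as a placeholder. Treating the first registry hive that holds the value as the effective one is a simplifying assumption.

```powershell
# Added example, read-only. Requires Windows PowerShell 5.1 (.NET Framework).
# The default URL is the guide's sample host name; replace it with your own.
param([string]$Url = 'http://abc.company.com')

# Values of the zone "Logon" setting (URL action 1A00), per Microsoft's documentation.
$logonModes = @{
    0x00000 = 'Automatic logon with current username and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Let Windows map the URL to a zone, so Trusted Sites entries and policy count.
$zone   = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
$zoneId = [int]$zone   # 1 = Intranet, 2 = Trusted, 3 = Internet

# Read the zone's Logon value; policy hives are checked before user settings
# (assumption: the first hive that holds the value is the effective one).
$sub  = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
$keys = "HKLM:\SOFTWARE\Policies\$sub", "HKCU:\Software\Policies\$sub",
        "HKCU:\Software\$sub", "HKLM:\SOFTWARE\$sub"
$logon = $null; $source = $null
foreach ($key in $keys) {
    $item = Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $logon = [int]($item.'1A00'); $source = $key; break }
}

# Windows credentials are sent without a prompt only when logon is automatic
# for the zone the URL landed in.
$silent = ($logon -eq 0x00000) -or ($logon -eq 0x20000 -and $zoneId -eq 1)

[pscustomobject]@{
    Url          = $Url
    Zone         = $zone
    LogonSetting = if ($null -ne $logon) { $logonModes[$logon] } else { 'not set in registry' }
    ReadFrom     = $source
    SilentLogon  = $silent
    # Automatic logon in the Internet zone applies to every site in that zone,
    # not only to the MeetingPlace web server.
    InternetZoneAutoLogon = ($zoneId -eq 3 -and $logon -eq 0x00000)
}
```

A result of SilentLogon = False for a URL that contains dots matches the credential prompt described in the troubleshooting section. InternetZoneAutoLogon = True identifies clients where the second workaround is in place.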