Introduction
This document describes the reasons why the automatic-logon feature on Cisco TelePresence Management Suite (TMS) might fail to work.
Automatic Logon Does Not Work
Sometimes you encounter a problem where the automatic logon does not work in Cisco TMS, and you are prompted for your username and password. Single sign-on with Integrated Authentication requires web browser, URL, and network compatibility.
Note: Ensure that the username and password used to log on to Microsoft Windows are also used to log on to Cisco TMS.
Compatible Browsers
Automatic logon is supported in Internet Explorer (IE) on Microsoft Windows, but might be disabled due to Security Settings and Zones in the browser's Internet Options. This can be modified if you either add the Cisco TMS server to a more trusted security zone in IE, or if you change the User Authentication settings in the zone's security settings.
Mozilla Firefox does not support single sign-on by default, but it can be configured to do so:
- In the URL field, type about:config.
- In the Filter field, type ntlm.
- Double-click or right-click network.automatic-ntlm-auth.trusted-uris in order to modify the setting.
- Type in the Cisco TMS domain. If you need to add more domains, separate them with commas without any spaces.
- Click OK. The change is applied immediately.
Compatible URL
Automatic logon requires the use of a URL that maps to the correct internal Fully Qualified Domain Name (FQDN) for the machine, not just the correct IP address of the server.
For example, if the machine is named CORPTMS2.example.int and its IP address is 43.33.23.2, then automatic logon:
- is possible if a user enters http://CORPTMS2.example.int/tms
- is not possible if the user enters http://43.33.23.2/tms
The use of a Domain Name System (DNS) name that maps to the IP address, but not the internal FQDN, does not allow automatic logon.
For example, if you have a DNS A record that maps tms.example.com to 43.33.23.2, then users who enter http://tms.example.com/tms will not be able to log on automatically. This is because the address maps directly to the IP address instead of to the Active Directory FQDN of the machine.
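The URL rule in this section and the Firefox trusted-URI setting from the Compatible Browsers section can be checked together when a user reports a logon prompt. The following Python is an added example, not Cisco code; the function names, the sample preference value, and the parent-domain matching of trusted-uris entries are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def url_findings(url, ad_fqdn):
    """URL rule from this section: the host must be the server's internal FQDN."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ["URL has no host"]
    try:
        ipaddress.ip_address(host)
        return ["host is an IP address, not the internal FQDN"]
    except ValueError:
        pass  # not an IP literal, so compare names
    if host != ad_fqdn.lower().rstrip("."):
        return ["host is a DNS name other than the internal FQDN"]
    return []

def firefox_findings(url, trusted_uris):
    """Check a network.automatic-ntlm-auth.trusted-uris value against the URL host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    findings = []
    if " " in trusted_uris:
        findings.append("trusted-uris contains spaces; use commas only")
    def covers(entry):
        # Assumption: an entry covers the host when it names the host or a parent domain.
        name = entry.strip().lower().split("://", 1)[-1].split("/", 1)[0].lstrip(".")
        return bool(name) and (host == name or host.endswith("." + name))
    if not any(covers(e) for e in trusted_uris.split(",")):
        findings.append("host is not covered by trusted-uris")
    return findings

if __name__ == "__main__":
    fqdn = "CORPTMS2.example.int"          # machine name used on this page
    prefs = "example.int,example.com"      # constructed sample preference value
    for url in ("http://CORPTMS2.example.int/tms",
                "http://43.33.23.2/tms",
                "http://tms.example.com/tms"):
        problems = url_findings(url, fqdn) + firefox_findings(url, prefs)
        print(url, "->", problems or "no URL or Firefox setting problems found")
```

An empty result only rules out the URL and Firefox causes; browser zone settings and web proxies on the network path still have to be checked separately.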
Compatible Network
Networks that include web proxies often break Kerberos or Windows NT LAN Manager (NTLM) authentication methods, which renders Integrated Authentication unusable. This is because Integrated Authentication was designed for internal networks that do not require web proxies to be traversed. In these situations, the web browser and web server negotiate the next available authentication method.