10-3
Installation Guide for Cisco Unity 4.0(5) and Later Voice Messaging with Microsoft Exchange 2003/2000 (With Failover Configured)
OL-7371-02
Chapter 10 Setting Up Authentication for the Cisco Unity Administrator
Determining the Authentication Method to Use for the Cisco Unity Administrator
Table 10-2 lists the advantages and disadvantages of using Anonymous authentication with the
Cisco Unity Administrator.
How Integrated Windows Authentication Works with the Cisco Unity AdministratorWhen IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication,
Cisco Unity does not authenticate the subscriber. Instead, the identity of the user is verified by Windows.
1. A Cisco Unity subscriber starts Internet Explorer and attempts to browse to the Cisco Unity
Administrator website.
2. Internet Explorer tries to get the home page for the Cisco Unity Administrator from IIS.
3. IIS indicates that it cannot authenticate the user.
4. When Internet Explorer is configured to prompt for a user name and password, it displays a dialog
box and waits for the subscriber to enter the Windows domain account credentials. Once the
subscriber enters the credentials, Internet Explorer tries to get the Cisco Unity Administrator web
page again, but this time, it sends IIS an encrypted message regarding the Windows domain account
based on the credentials that the subscriber entered in the dialog box.
When Internet Explorer is not configured to prompt for a user name and password, Internet Explorer
tries to get the Cisco Unity Administrator web page again, but this time, it sends IIS an encrypted
message regarding the Windows domain account based on the credentials that the subscriber entered
to log on to Windows.
In both scenarios, the user password—or any representation of the password—is not sent across the
network because authentication relies on Windows challenge/response.
5. If Windows can confirm the identity of the Windows domain user, then IIS sends the user and
domain name to Cisco Unity, and the process continues with Step 6.
If Windows cannot validate the identity of the Windows domain user (as would be the case if the
subscriber logged on to an untrusted domain), Internet Explorer prompts the subscriber for a user
name and password. Once again, the credentials are not sent across the network; instead, Internet
Explorer sends IIS an encrypted message regarding the Windows domain account based on the
credentials that were entered in the dialog box. If Windows still cannot authenticate the user,
Internet Explorer displays a message indicating that access to the website is denied because the
domain account is unknown.
Tab l e 10-2 Using Anonymous Authentication with the Cisco Unity Administrator
Advantages Disadvantages
• When subscribers log on to the Cisco Unity Administrator from
another domain, they can enter the applicable credentials on the
Cisco Unity Log On page for the domain that the Cisco Unity server
is in. Thus, you do not need to configure each subscriber browser to
prompt for a user name and password, nor do you need to establish
trusts across domains.
• When subscribers log on to the Cisco Unity Administrator from
another domain, they are not prompted to re-enter their credentials
each time that they want to use the phone as a recording and playback
device for the Media Master.
• When a subscriber enters Windows domain
account credentials on the Cisco Unity Log
On page, the credentials are sent across the
network in clear text. To solve this problem,
set up Cisco Unity to use SSL.
• By default, IIS is not set up so that the
Cisco Unity Administrator uses the
Anonymous authentication method. You must
configure it.