Chapter 10 Setting Up Authentication for the Cisco Unity Administrator

Determining the Authentication Method to Use for the Cisco Unity Administrator

Table 10-2 lists the advantages and disadvantages of using Anonymous authentication with the Cisco Unity Administrator.

Table 10-2 Using Anonymous Authentication with the Cisco Unity Administrator

Advantages

- When subscribers log on to the Cisco Unity Administrator from another domain, they can enter the applicable credentials on the Cisco Unity Log On page for the domain that the Cisco Unity server is in. Thus, you do not need to configure each subscriber browser to prompt for a user name and password, nor do you need to establish trusts across domains.

- When subscribers log on to the Cisco Unity Administrator from another domain, they are not prompted to re-enter their credentials each time that they want to use the phone as a recording and playback device for the Media Master.

Disadvantages

- When a subscriber enters Windows domain account credentials on the Cisco Unity Log On page, the credentials are sent across the network in clear text. To solve this problem, set up Cisco Unity to use SSL.

- By default, IIS is not set up so that the Cisco Unity Administrator uses the Anonymous authentication method. You must configure it.

How Integrated Windows Authentication Works with the Cisco Unity Administrator

When IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication, Cisco Unity does not authenticate the subscriber. Instead, the identity of the user is verified by Windows.

1. A Cisco Unity subscriber starts Internet Explorer and attempts to browse to the Cisco Unity Administrator website.

2. Internet Explorer tries to get the home page for the Cisco Unity Administrator from IIS.

3. IIS indicates that it cannot authenticate the user.

4. When Internet Explorer is configured to prompt for a user name and password, it displays a dialog box and waits for the subscriber to enter the Windows domain account credentials. Once the subscriber enters the credentials, Internet Explorer tries to get the Cisco Unity Administrator web page again, but this time, it sends IIS an encrypted message regarding the Windows domain account based on the credentials that the subscriber entered in the dialog box.

When Internet Explorer is not configured to prompt for a user name and password, Internet Explorer tries to get the Cisco Unity Administrator web page again, but this time, it sends IIS an encrypted message regarding the Windows domain account based on the credentials that the subscriber entered to log on to Windows.

In both scenarios, the user password—or any representation of the password—is not sent across the network because authentication relies on Windows challenge/response.

5. If Windows can confirm the identity of the Windows domain user, then IIS sends the user and domain name to Cisco Unity, and the process continues with Step 6.

If Windows cannot validate the identity of the Windows domain user (as would be the case if the subscriber logged on to an untrusted domain), Internet Explorer prompts the subscriber for a user name and password. Once again, the credentials are not sent across the network; instead, Internet Explorer sends IIS an encrypted message regarding the Windows domain account based on the credentials that were entered in the dialog box. If Windows still cannot authenticate the user, Internet Explorer displays a message indicating that access to the website is denied because the domain account is unknown.
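The exchange in steps 2 through 5, and the clear-text exposure listed in Table 10-2, can be checked from a captured HTTP trace. The following is an added example, not code from the Cisco guide. The header names (WWW-Authenticate, Authorization), the NTLM token layout, the sample trace, and the function names are assumptions introduced here, and the trace is constructed.

```python
import base64
import struct

NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def ntlm_message_type(header_value):
    """Name the NTLM message in an Authorization/WWW-Authenticate value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # bare offer ("NTLM", "Negotiate") or another scheme
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack("<I", raw[8:12])[0])

def classify_site(url_scheme, status, challenges):
    """Heuristic: classify IIS's answer to an unauthenticated GET of the site."""
    offered = {c.split(" ", 1)[0].upper() for c in challenges}
    if status == 401 and offered & {"NEGOTIATE", "NTLM"}:
        return "integrated-windows"  # Windows verifies the user (steps 3-5)
    if status == 200 and not offered:
        # Anonymous at IIS: the log-on page itself collects the credentials,
        # so they cross the network in clear text unless the site uses SSL.
        return "anonymous-over-ssl" if url_scheme == "https" else "anonymous-cleartext"
    return "other"

def _token(msg_type):
    # Constructed token: signature + little-endian type + zero padding (no real fields)
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode()

# Constructed exchange: (direction, HTTP status, auth header values)
TRACE = [
    ("request", None, []),                      # step 2: first GET, no credentials
    ("response", 401, ["Negotiate", "NTLM"]),   # step 3: IIS cannot authenticate
    ("request", None, [_token(1)]),             # step 4: browser retries
    ("response", 401, [_token(2)]),             # server challenge
    ("request", None, [_token(3)]),             # response computed from the credentials
    ("response", 200, []),                      # step 5: identity confirmed
]

def handshake(trace):
    """Return the NTLM message types seen in the trace, in order."""
    types = (ntlm_message_type(h) for _, _, headers in trace for h in headers)
    return [t for t in types if t]

if __name__ == "__main__":
    print(handshake(TRACE))
    print(classify_site("http", TRACE[1][1], TRACE[1][2]))
```

A result of "anonymous-cleartext" corresponds to the first disadvantage in Table 10-2 and is the case in which the guide says to set up Cisco Unity to use SSL. Tokens sent under the Negotiate scheme are not decoded by this example.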

Installation Guide for Cisco Unity 4.0(5) and Later Voice Messaging with Microsoft Exchange 2003/2000 (With Failover Configured)

 

OL-7371-02
