Active Directory Requirements for Successful Connection with Cisco CDA

Cisco CDA leverages the Active Directory login audit events generated by the Active Directory domain controller to gather user login information. For Cisco CDA to work properly, CDA must be able to connect to Active Directory and fetch the user login information. The following steps are necessary on the Active Directory domain controller:

1. Make sure the Active Directory version is supported (refer to Supported Active Directory Versions) and that there is network connectivity between the Active Directory domain controller and CDA (refer to Connectivity Requirements).

2. Make sure the relevant Microsoft patches are installed on the Active Directory domain controllers. Active Directory domain controller machines run Windows Server 2008 or Windows Server 2008 R2 and must have the appropriate Microsoft hotfixes installed.

The following patches for Windows Server 2008 are required:

a. http://support.microsoft.com/kb/958124

This patch fixes a memory leak in Microsoft's WMI that prevents CDA from establishing a successful connection with the domain controller (the CDA administrator can observe this on the CDA Active Directory domain controller GUI page, where the status must show "up" once the connection is established successfully).

b. http://support.microsoft.com/kb/973995

This patch fixes a different memory leak in Microsoft's WMI that sporadically prevents the Active Directory domain controller from writing the necessary user login events to the Security Log of the domain controller. As a result, CDA may not receive all user login events from this domain controller.

The following patches for Windows Server 2008 R2 are required (unless SP1 is installed):

a. http://support.microsoft.com/kb/981314

This patch fixes a memory leak in Microsoft's WMI that sporadically prevents the Active Directory domain controller from writing the necessary user login events to the Security Log of the domain controller. As a result, CDA may not receive all user login events from this domain controller.
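As an added example that is not part of the Cisco guide, the following PowerShell snippet checks a Windows Server 2008 or Windows Server 2008 R2 domain controller for the hotfixes listed above, using only the KB numbers on this page. It assumes PowerShell 2.0 or later and local administrator rights on the domain controller; the rule that an R2 domain controller with SP1 needs no extra hotfix is taken from the text above.

```powershell
# Added example, not from the Cisco CDA guide. Run locally on the domain controller
# as an administrator; requires PowerShell 2.0 or later.
$os   = Get-WmiObject -Class Win32_OperatingSystem
$isR2 = $os.Caption -like '*Server 2008 R2*'
$sp1  = $os.ServicePackMajorVersion -ge 1

# Required hotfixes per the guide: two for Server 2008, one for Server 2008 R2
# (none when R2 already has SP1 installed).
if ($isR2) {
    $required = if ($sp1) { @() } else { @('KB981314') }
} elseif ($os.Caption -like '*Server 2008*') {
    $required = @('KB958124', 'KB973995')
} else {
    throw "This check only covers Windows Server 2008 / 2008 R2, found: $($os.Caption)"
}

Write-Output "OS: $($os.Caption) (SP$($os.ServicePackMajorVersion))"
if ($required.Count -eq 0) {
    Write-Output 'No additional WMI hotfixes required for this OS and service pack.'
}

$missing = @()
foreach ($kb in $required) {
    # Get-HotFix reads the installed-updates inventory; -Id expects the "KBnnnnnn" form.
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) {
        Write-Output "$kb installed on $($hf.InstalledOn)"
    } else {
        Write-Output "$kb MISSING"
        $missing += $kb
    }
}

# A non-zero exit code lets a scheduled or remote check flag this DC for follow-up.
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it once per domain controller that CDA will connect to; a missing hotfix on any one of them can produce the symptoms described above (connection status not reaching "up", or gaps in the login events CDA receives).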

3. Make sure the Active Directory logs the user login events in the Windows Security Log.

Verify that the settings of the “Audit Policy” (part of the “Group Policy Management” settings) allow successful logons to generate the necessary events in the Windows Security Log (this is the default Windows setting, but you must explicitly verify that it is still in effect). See Setting the Audit Policy.
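As an added example that is not part of the Cisco guide, the following PowerShell snippet verifies on the domain controller that the effective audit policy records successful logons and that logon events are actually being written to the Security log. It assumes PowerShell 2.0 or later, administrator rights on the domain controller, and the standard Windows event ID 4624 ("An account was successfully logged on"); the one-hour look-back window is a constructed choice.

```powershell
# Added example, not from the Cisco CDA guide. Run on the domain controller as an
# administrator; requires PowerShell 2.0 or later.

# auditpol reports the effective policy (local settings merged with Group Policy),
# which is what matters regardless of where the setting was configured.
# /r prints CSV with an "Inclusion Setting" column such as "Success",
# "Success and Failure" or "No Auditing".
$rows = auditpol /get /category:"Logon/Logoff" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv

$logon   = $rows | Where-Object { $_.Subcategory -eq 'Logon' }
$setting = $logon.'Inclusion Setting'
Write-Output "Audit Logon (Logon/Logoff): $setting"

$successAudited = $setting -match 'Success'
if (-not $successAudited) {
    Write-Warning 'Successful logons are not audited on this DC; CDA will not see user logins from it.'
}

# Sanity check that the policy is producing events: count successful logon events
# (ID 4624) written to the Security log in the last hour.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$count  = @($events).Count
Write-Output "Event 4624 (successful logon) entries in the last hour: $count"

if ($successAudited -and $count -eq 0) {
    Write-Warning 'Policy allows success auditing but no 4624 events were found; check the Security log size and retention.'
}
```

Checking the effective policy with auditpol rather than reading the Group Policy object directly catches the case where a local override or a conflicting GPO has turned success auditing off even though the domain policy looks correct.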

4. You must have an Active Directory user with sufficient permissions to be used by CDA to connect to Active Directory. As of CDA patch 1, you can choose whether or not this user is a member of the Active Directory Domain Admins group. Follow the instructions in one of the following topics to define the permissions for a domain admin group user or a non-domain-admin group user:

 – Permission Required when an Active Directory User is a Member of the Domain Admin Group

 – Permission Required when an Active Directory User is Not a Member of the Domain Admin Group

5. The Active Directory user used by CDA can be authenticated by either NTLMv1 or NTLMv2. You need to verify that the Active Directory NTLM settings are aligned with the CDA NTLM settings to ensure a successfully authenticated connection between CDA and the Active Directory domain controller. Figure 2-1 illustrates all Microsoft NTLM options. When CDA is set to NTLMv2, all six options described in Figure 2-1 are supported. When CDA is set to NTLMv1, only the first five options are supported. This is also summarized in Table 2-4.

Table 2-4 Supported Authentication Types Based on CDA and AD NTLM Version Settings

Active Directory (AD) NTLM setting option                    | CDA NTLM setting: NTLMv1 | CDA NTLM setting: NTLMv2
-------------------------------------------------------------|--------------------------|-------------------------
Send LM & NTLM responses                                     | connection is allowed    | connection is allowed
Send LM & NTLM - use NTLMv2 session security if negotiated   | connection is allowed    | connection is allowed
Send NTLM response only                                      | connection is allowed    | connection is allowed
Send NTLMv2 response only                                    | connection is allowed    | connection is allowed
Send NTLMv2 response only. Refuse LM                         | connection is allowed    | connection is allowed
Send NTLMv2 response only. Refuse LM & NTLM                  | connection is refused    | connection is allowed

Figure 2-1 MS NTLM Authentication Type Options
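The six options in Figure 2-1 are the values of the Windows security policy “Network security: LAN Manager authentication level”, which Windows stores in the registry as LmCompatibilityLevel (0 through 5, in the same order as the rows of Table 2-4). As an added example that is not part of the Cisco guide, the following PowerShell snippet reads that value on the domain controller and applies Table 2-4 to report whether a CDA set to NTLMv1 or NTLMv2 will get an allowed connection. It assumes that an absent registry value means level 3 (the Windows Server 2008 default, stated here as an assumption), and the $cdaSetting parameter is a constructed input standing in for the CDA NTLM setting.

```powershell
# Added example, not from the Cisco CDA guide. Run on the domain controller.
# $cdaSetting is a constructed input: the NTLM version CDA is configured to use.
param([ValidateSet('NTLMv1', 'NTLMv2')] [string] $cdaSetting = 'NTLMv2')

# The six Windows options, indexed by LmCompatibilityLevel 0..5 (same order as Table 2-4).
$options = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

# Effective value of "Network security: LAN Manager authentication level".
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$prop  = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = if ($prop) { [int]$prop.LmCompatibilityLevel } else { 3 }  # assumption: absent value = default 3

function Test-CdaNtlmCompatibility([string] $cda, [int] $lmLevel) {
    # Table 2-4: levels 0-4 accept both CDA settings; level 5 refuses LM & NTLM,
    # so only a CDA set to NTLMv2 is allowed there.
    if ($cda -eq 'NTLMv2') { return $true }
    return ($lmLevel -le 4)
}

Write-Output "AD setting: LmCompatibilityLevel=$level ($($options[$level]))"
if (Test-CdaNtlmCompatibility $cdaSetting $level) {
    Write-Output "CDA set to $($cdaSetting): connection is allowed"
} else {
    Write-Output "CDA set to $($cdaSetting): connection is refused"
    Write-Output 'Set CDA to NTLMv2 so the domain controller can keep refusing LM & NTLM.'
}
```

Because level 5 is the only row of Table 2-4 that refuses a CDA set to NTLMv1, configuring CDA for NTLMv2 is the combination that works with every Active Directory setting and does not require relaxing the domain controller's policy.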


Related Topics:

 • Supported Operating Systems

 • Hardware Requirements

 • Connectivity Requirements