Configure Active Directory Authentication
You can configure Active Directory Authentication to allow MiCollab IDS users to use their directory server credentials (domain name and password) to log into the following MiCollab end-user interfaces:
- MiCollab End User Portal
- MiCollab Audio, Web and Video Conferencing user login
- MiCollab Client to MiCollab Audio, Web and Video Conferencing collaboration launch (authenticated by MiCollab Audio, Web and Video Conferencing)
- MiCollab Client Thick Windows desktop client
- MiCollab Client Web client
- All currently supported MiCollab Client mobile clients.
The following conditions apply:
- IDS Integration must be configured (enabled) on MiCollab.
- Synchronization is required for Authentication in MiVoice Business integrations.
- Do not enable Authentication only in MiVoice Business integrations.
- Periodic synchronizations must be enabled.
- Active Directory authentication is only supported across a single directory service domain.
- The MiCollab domain must be distinguishable from the directory server domain.
- Active Directory authentication is only supported for MiCollab user interfaces; it is not supported for administration interfaces (for example, the MiCollab server manager). It is also not supported for MiVoice Business user interfaces (for example, the MiVoice Business Desktop Programming Tool).
- If Active Directory authentication is configured, users cannot log in with their MiCollab user names and passwords. They must use their directory server credentials.
- Users of the MiCollab End User portal or MiCollab Clients (Desktop Client, Web Client, PC Client, Mobile Client and the Web portal page) cannot change their Active Directory (AD) password. See Change Password Restrictions.
- If connectivity to the directory server is lost, users will not be able to log into the MiCollab Clients.
- Active Directory v3 authentication is supported.
- If a user does not enter a directory server domain, the system attempts to log the user into the interface using the MiCollab domain.
- To support Active Directory authentication, a MiCollab user must have the IDS Manageable option enabled and must be paired with an entry in the directory server. These users have their password options in the MiCollab applications disabled.
- If you disable the IDS Manageable option for a user, Active Directory authentication ceases to function for that user. You must reset the user's password from the USP application, then send a Welcome E-mail to inform the user of the password change.
- SMB port 445 must be open from the MSL Server to the SMB File Server.
Note: If MiCollab Audio, Web and Video Conferencing has previously been configured to use LDAP and is now using MiCollab IDS Users and Services, you must first delete the users from MiCollab Audio, Web and Video Conferencing and create new users under MiCollab Users and Services.
- LDAP authentication is not possible against an AD server whose certificate uses the RSASSA-PSS signature algorithm. Renew the CA certificates to perform LDAP authentication.
Renew and re-issue CA Certificates
Note: Active Directory or LDAP Synchronization is supported by Exchange 2019.
- Renew the certificates.
  - For the Root CA:
    - Remove the alternatesignaturealgorithm=1 line (or change it to 0) in the CAPolicy.inf.
    - Renew the root CA certificate.
    - Verify the signature on the certificate to ensure it is RSASHA256.
  - For each Issuing CA:
    - Remove the alternatesignaturealgorithm=1 line (or change it to 0) in the CAPolicy.inf.
    - Renew the root CA certificate.
    - Verify the signature on the certificate to ensure it is RSASHA256.
  - For each certificate template, ensure that you do not enable the option for alternate signature algorithm on the Cryptography tab.
- Re-issue all affected certificates.
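As an added example (not part of the Mitel documentation), the following PowerShell script checks the condition described above before enabling authentication: it retrieves the directory server's LDAPS certificate, reports the signature algorithm of every certificate in its chain and flags RSASSA-PSS, and on a CA it confirms that CAPolicy.inf no longer sets AlternateSignatureAlgorithm=1. The server name and the CAPolicy.inf path are placeholders.

```powershell
# Added example, not from the Mitel documentation. Flags RSASSA-PSS signatures
# in the LDAPS certificate chain and an AlternateSignatureAlgorithm=1 line in
# CAPolicy.inf. Server name and CAPolicy.inf path are placeholders.
param(
    [string]$DirectoryServer = "dc01.example.internal",   # placeholder
    [int]$Port = 636,                                     # LDAPS
    [string]$CaPolicyPath = "C:\Windows\CAPolicy.inf"     # only present on a CA
)

function Get-LdapsServerCertificate {
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any validation result: we inspect the certificate, we do not trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$pssOid = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS
$leaf = Get-LdapsServerCertificate -Server $DirectoryServer -Port $Port

# Build the chain locally so the issuing and root CA certificates are checked as well.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
$chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
[void]$chain.Build($leaf)

$usesPss = $false
foreach ($element in $chain.ChainElements) {
    $alg = $element.Certificate.SignatureAlgorithm
    Write-Host ("{0}`n    signature algorithm: {1} ({2})" -f $element.Certificate.Subject, $alg.FriendlyName, $alg.Value)
    if ($alg.Value -eq $pssOid) { $usesPss = $true }
}
if ($usesPss) {
    Write-Warning "RSASSA-PSS found in the chain: renew the CA certificates and re-issue the server certificate before enabling LDAP authentication."
} else {
    Write-Host "No RSASSA-PSS signatures found; the chain is compatible with MiCollab LDAP authentication."
}

# On the CA itself: confirm CAPolicy.inf no longer enables the alternate signature algorithm.
if (Test-Path $CaPolicyPath) {
    $hit = Select-String -Path $CaPolicyPath -Pattern '^\s*AlternateSignatureAlgorithm\s*=\s*1\b'
    if ($hit) { Write-Warning "$CaPolicyPath line $($hit.LineNumber) sets AlternateSignatureAlgorithm=1; remove it or set it to 0, then renew the CA certificate." }
    else { Write-Host "$CaPolicyPath does not enable the alternate signature algorithm." }
}
```

Run it from a Windows host that can reach the directory server on port 636; a sha256RSA result on every chain element is the expected outcome after the renewal steps above.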
Configuring Active Directory Authentication
- If you are configuring authentication for a MiVoice 5000 integration:
  - Log into the MiVoice 5000 Management Portal (MMP) or the MiVoice 5000 Manager.
  - Access the Telephony Service > Subscribers > Terminals and Applications > MiCollab > Connections menu.
  - Check the Windows Login for Authentication box.
- Log into the MiCollab server manager.
- Under Configuration, under Integrated Directory Service, click Edit next to the domain. The IDS Connection page opens for the directory server.
  - If a secondary directory server is configured for the domain, authentication requests are automatically directed to the secondary server if the primary is unavailable.
  - Secure authentication requests are required as part of the IDS connection. Set the Connection Method to either TLS or SSL. The Connection Method cannot be Unsecured.
  - You can only enable Active Directory Authentication on a single domain. Before you can select a different domain, you must first disable the currently selected domain.
- Check the Enable authentication box. Do not check the Enable authentication box for MiVoice 5000 and Generic LDAP integrations.
- Click Save. Active Directory authentication does not take effect until after the next periodic synchronization occurs.
- Click Sync.
- After the synchronization is complete, verify that you can log into a user's End User portal using the user's directory service credentials.
- The system sends a Welcome Email to all users that you have configured for Active Directory Authentication. The Welcome Email informs the users that they must use their directory server credentials to log into their application interfaces.
Disabling Active Directory Authentication
If you disable Active Directory authentication, users will no longer be able to log into their MiCollab user interfaces using their directory server credentials (domain name and password). You must set a MiCollab temporary replacement password to allow them to log into the MiCollab user interfaces. A user's directory service domain password is not affected by this replacement password.
- Log into the MiCollab server manager.
- Under Configuration, under Integrated Directory Service, click Edit for the desired domain.
- Clear the Enable authentication option.
- Click Save. You are prompted to enter a replacement password for the users.
- Enter and confirm the password, and then click Save. A Welcome E-mail that includes the replacement password is sent to the selected users.
- After initial login with this temporary replacement password, users are prompted to change it.
Change Password Restriction
Users of the MiCollab End User portal or MiCollab Clients (Desktop Client, Web Client, PC Client, Mobile Client and the Web portal page) cannot change their Active Directory (AD) password.
There are some situations where an AD password change is enforced by the AD server. In these cases, users cannot complete the password change from the MiCollab Clients; therefore, they cannot log in until they change their password from an Active Directory terminal (for example, their Windows PC). After the password has been changed, users are once again able to log in via the MiCollab End User portal or MiCollab Client.
The following activities trigger a password change which cannot be automatically resolved from the MiCollab Clients:
- A password lifetime policy which requires the password to be changed within a predefined interval. This is only an issue for the user if the password expires before it is changed on another Active Directory terminal. Windows normally warns a user several days before the password needs to change.
- A new user is created on the AD server and the "User must change password at next logon" option is set (see screen below). In this case the user must first log into a terminal which allows a password change.
- The admin resets the password on the AD server and the "User must change password at next logon" option is enabled (see screen below).