CONFIGURING MICONTACT CENTER ACTIVE DIRECTORY SYNCHRONIZATION AND WINDOWS AUTHENTICATION
AUGUST 2014
Contents
Document History ... 2
Configuring MiContact Center Active Directory Synchronization and Windows Authentication ... 3
Required Configuration for MiContact Center Multimedia ... 3
Preparing Active Directory ... 3
Using Organizational Units ... 3
Security and Distribution Groups ... 4
Configuring Users ... 5
Creating Service Accounts... 8
Preparing Microsoft SQL Server ... 9
Securing Communication to SQL Server ... 9
Configure Service Account ... 11
Installing and Configuring MiContact Center ... 13
Specifying Service Credentials in the Configuration Wizard ... 13
Configuring Active Directory Integration Synchronization Paths ... 15
Configuring Microsoft SQL Server Connectivity ... 16
Reconfiguring to Utilize the Service Account ... 18
Providing the Service Account Access to Microsoft SQL Server ... 18
Configuring the Windows Services ... 22
Configuring the IIS Application Pool ... 25
Configuring MiContact Center ... 27
Reconfiguring Synchronization Paths ... 28
1 | MITEL WHITE PAPER
Document History
Change Level | Date | Author(s) | Comments
1P01 | August 25th, 2014 | James Renaud, Systems Engineer | Initial draft.
1P02 | August 26th, 2014 | James Renaud, Systems Engineer | Simplified service account usage to a single account, clarified mandatory steps for software reconfiguration.
1P03 | August 27th, 2014 | James Renaud, Systems Engineer | Added note regarding mandatory steps required for Multimedia in release 7.1.
1P04 | August 27th, 2014 | James Renaud, Systems Engineer | Modified steps required for multimedia around the builtin\administrators group.
1P05 | September 3rd, 2014 | James Renaud, Systems Engineer |
Configuring MiContact Center Active Directory Synchronization and Windows Authentication
In order to provide a robust, secure, and easy to manage contact center, MiContact Center provides the ability to utilize Microsoft Windows Active Directory for user provisioning and authentication. Not only does this reduce the maintenance overhead for provisioning employees, but it also improves contact center security by allowing passwords to be managed through Active Directory, and it allows administrators to set password complexity and expiration policies for additional security.
The purpose of this white paper is to provide general guidelines and recommended practices for configuring Active Directory to prepare for synchronization with MiContact Center, and to provide information on required configuration steps and recommended best practices when utilizing Windows Authentication for Microsoft SQL Server.
Required Configuration for MiContact Center Multimedia
In order for the proper installation, configuration, and use of the multimedia functionality within MiContact Center you must add BUILTIN\administrators as a SYSADMIN role during the Configure Service Account configuration steps. Upon completion of the Configuration Wizard, the SYSADMIN role can be removed.
Preparing Active Directory
There are two primary methods to prepare for MiContact Center synchronization with Active Directory: using Organizational Units (OUs), or using Security or Distribution Groups, to contain the users to be synchronized. This allows for easy provisioning of users by simply adding a user to an OU or to a designated Security or Distribution Group, which is synchronized at regular intervals by the MiContact Center server.
Using Organizational Units
Figure 1: Creating an Organizational Unit for MiContact Center Users
Security and Distribution Groups
Utilizing Security and Distribution groups provides a fast and easy way to manage Active Directory synchronization, and allows administrators to utilize existing security or distribution groups for users identified who require access to MiContact Center software. MiContact Center can synchronize with Security or Distribution groups, and either can be utilized. Figure 2 shows a typical security group configured for MiContact Center users. The group scope and group type can be configured based upon the organizational best practices and is not required by MiContact Center.
Note, when synchronizing security and distribution groups contained within multiple domains in the
Figure 2: Configuring a Security Group for MiContact Center Users
Configuring Users
Figure 3: A Typical User Configuration in Active Directory
Figure 4: A Typical Organizational Unit Configuration
Creating Service Accounts
In order to facilitate the initial installation and continued operation of the MiContact Center software a service account must be created. This account will be utilized in the installation and initial configuration of AD synchronization and Windows Authentication, in addition to being utilized as the security principal with access to the MiContact Center SQL databases. In this example we use IVRLAB\MiCC_Service. This account should be set to never expire, and have a password that does not expire. In the event that the password expires, or is reset, you must re-enter the new credentials for the account in the services panel, and the IIS Application Pool identity configuration outlined below.
Figure 6: The Configured Service Account for MiContact Center
Figure 7: Service Account Added to the Local Administrator Group on the MiContact Center Enterprise Server
Preparing Microsoft SQL Server
If Microsoft SQL Server authentication is being used, and Windows Authentication with SQL Server is neither required nor used for the MiContact Center installation, this section can be skipped. It is, however, highly recommended to utilize Windows Authentication with Microsoft SQL Server to provide secure communication to the database engine. For more information on Microsoft SQL Server authentication models, please see http://msdn.microsoft.com/en-us/library/ms144284.aspx.
Securing Communication to SQL Server
Optionally, to enhance the security of communication between the MiContact Center server and Microsoft SQL Server, connection encryption can be forced upon all clients connecting to the SQL Server. To force protocol encryption with connecting clients:
2. Expand SQL Server network Configuration
3. Right click the Protocols for <<INSTANCE NAME>> (where Instance Name is the SQL instance used for MiContact Center)
4. Click Properties
5. Under the Flags tab, set Force Encryption to Yes
6. Restart the Microsoft SQL Server instance for this change to take effect
Figure 8: Forcing Connection Encryption in Microsoft SQL Server
In order to facilitate secure communications between the MiContact Center server and Microsoft SQL Server a Computer certificate must be issued to both the MiContact Center server and the Microsoft SQL Server through your domain Certificate Authority (CA). For information on requesting certificates through Microsoft Windows please see http://technet.microsoft.com/en-us/library/cc730689.aspx.
You can verify connections to Microsoft SQL Server are secure by running the following SQL script:
USE Master
Connection methods are shown under the NET_TRANSPORT column. ENCRYPT_OPTION indicates TRUE if the connection is encrypted. AUTH_SCHEME indicates the authentication model used: NTLM is Windows Authentication, SQL is SQL Server Authentication. CLIENT_NET_ADDRESS indicates the IP address of the connection, and CLIENT_TCP_PORT shows the client port utilized for the connection.
For more information on securing client communication with Microsoft SQL Server, please see http://support.microsoft.com/kb/316898.
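The connection check described above, written out as an added example (this is not the white paper's own script): it assumes the columns the paper names are read from the sys.dm_exec_connections dynamic management view, joined to sys.dm_exec_sessions for the login name, and it requires the VIEW SERVER STATE permission.

```sql
-- Added example, not the white paper's script. It assumes the paper's query reads
-- sys.dm_exec_connections (NET_TRANSPORT, ENCRYPT_OPTION, AUTH_SCHEME,
-- CLIENT_NET_ADDRESS, CLIENT_TCP_PORT); sys.dm_exec_sessions is joined only to
-- show which login owns each connection. Requires VIEW SERVER STATE.
USE master;
GO

-- Every user connection with its transport, encryption state and auth scheme.
SELECT c.session_id,
       s.login_name,
       c.net_transport,       -- TCP or Shared memory
       c.encrypt_option,      -- TRUE when TLS protects the connection
       c.auth_scheme,         -- NTLM or KERBEROS = Windows Authentication, SQL = SQL login
       c.client_net_address,  -- IP address of the connecting client
       c.client_tcp_port      -- client-side port of the connection
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.session_id;

-- Once Force Encryption is set and the MiContact Center services run as the
-- Windows service account, this second query should return no rows: any row is
-- a network connection that is either unencrypted or still using a SQL Server
-- login. Shared memory connections from the local server are excluded because
-- they never traverse the network.
SELECT c.session_id,
       s.login_name,
       s.program_name,
       c.client_net_address,
       c.encrypt_option,
       c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.net_transport = 'TCP'
  AND (c.encrypt_option <> 'TRUE' OR c.auth_scheme = 'SQL');
```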
Configure Service Account
In order to ensure proper database creation the service account must be added as a system administrator in Microsoft SQL Server. This role assignment is required only during installation of the MiContact Center software and should be removed once complete. It is highly recommended to remove the system administrator role assignment from this user as soon as possible to maintain a secure Microsoft SQL Server.
Once the installation is complete and the databases have been created, the MiContact Center service account will be added as an owner of the MiContact Center databases to limit exposure to other databases and Microsoft SQL Server functionality from this account in the event it is compromised.
Note, if utilizing a remote instance of Microsoft SQL Server these steps must be performed on the remote SQL instance as well as the local Microsoft SQL Server Express instance installed to the MiContact Center Enterprise Server.
To add the installer account as a database creator and security administrator in Microsoft SQL Server:
1. Open the Microsoft SQL Server Management Studio
2. Login to the instance to be used for the MiContact Center databases
3. Expand the Instance name in the Object Explorer window
4. Expand the Security folder
5. Right click the Logins folder
6. Click New Login (Figure 9)
7. In the Login Name text box specify the domain and service user account (Figure 10)
8. Click Server Roles in the left pane
Figure 9: Selecting New Login Using Microsoft SQL Server Management Studio
Figure 11: Specifying the SYSADMIN Role for the Installer User
Installing and Configuring MiContact Center
Upon completion of all pre-requisites for MiContact Center including those steps outlined above you are ready to install the MiContact Center Enterprise Server. For detailed instructions regarding software requirements, pre-requisites, installation instructions, and architectural guides please refer to the MiContact Center documentation available through Mitel Online.
Specifying Service Credentials in the Configuration Wizard
re-launch it using the installer credentials by right clicking the MiContact Center Configuration Wizard icon in the Mitel programs group in the start menu, and selecting “Run as Different User”. The Configuration Wizard must be run as the service account.
In the Service Credentials group specify the domain, username, and password for the service account, and in the Authentication Type group change the Authentication Mode drop down box from CCM Authentication to Windows Authentication. Figure 12 shows a correctly configured Service Credentials page.
Figure 12: Configuring the Service Credentials Page of the Configuration Wizard
Configuring Active Directory Integration Synchronization Paths
If the Service Credentials page is validated as a successful configuration, the Active Directory Integration page is displayed. If leveraging an Organizational Unit, browse the directory tree to your OU, select it and press the right arrow to show it as a selected synchronization path. Figure 13 shows the OU selected as a synchronization path; note that the Entry Count in the bottom right reflects the number of users contained within that OU.
Figure 13: The MiCC Users Organizational Unit Selected as a Synchronization Path
Figure 14: Synchronizing Security Groups
Once complete, click Next.
Configuring Microsoft SQL Server Connectivity
Once the synchronization paths have been selected the SQL Server configuration page will appear. Specify the Microsoft SQL Server and instance to be used for the MiContact Center databases. This must be the same server and instance configured above in Preparing Microsoft SQL Server. Ensure the
Figure 15: A Typical Remote SQL Server Configuration with a Default Instance Name
Figure 16: Remote SQL Instance Detected Dialog Box, Select No to Continue
Complete the rest of the MiContact Center Configuration Wizard, and once complete continue to the next steps.
If you encounter errors during the MiContact Center Configuration Wizard configuration steps, these must be resolved prior to continuing. The most common reason for failure during the SQL Scripts phase is the Configuration Wizard not being run as the installation user configured as a system administrator in the Microsoft SQL Server instance. Ensure all steps in Configure Service Account were followed, then re-run the Configuration Wizard.
Reconfiguring to Utilize the Service Account
In order for the MiContact Center software to operate when utilizing Windows Authentication with Microsoft SQL Server, additional steps must be performed upon completion of the installation and Configuration Wizard.
Providing the Service Account Access to Microsoft SQL Server
Note, if utilizing a remote instance of Microsoft SQL Server these steps must be performed on the remote SQL instance as well as the local Microsoft SQL Server Express instance installed to the MiContact Center Enterprise Server.
To configure access for the MiContact Center service account:
1. Open the Microsoft SQL Server Management Studio
2. Login to the instance to be used for the MiContact Center databases
3. Expand the Instance name in the Object Explorer window
4. Expand the Security folder
5. Right click the Logins folder
6. Click New Login (Figure 9)
7. In the Login Name text box specify the domain and installation user account (Figure 17)
8. Click Server Roles in the left pane
9. Ensure only Public remains selected (Figure 18)
10. Click User Mapping in the left pane
11. Click the Checkbox for CCMData, then select the db_owner checkbox in the pane below
12. Click the Checkbox for CCMStatisticalData, then select the db_owner checkbox in the pane below
13. For a local SQL Express instance, repeat these steps utilizing the CCMRouting, CCMRuntimeServices, and CCMWa databases.
Note, on a clean installation the CCMRouting, CCMRuntimeServices, and CCMWa databases may not exist until the IIS Application Pools and Windows Services have been correctly configured with the service account credentials. If these databases have not been created, follow the steps in Reconfiguring to Utilize the Service Account then return to this step.
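The two Management Studio procedures in Configure Service Account and Providing the Service Account Access to Microsoft SQL Server, expressed as a single T-SQL sequence; this is an added example, not the white paper's script, and it assumes the paper's IVRLAB\MiCC_Service account, the CCMData database, and SQL Server 2012 or later (for ALTER SERVER ROLE and ALTER ROLE).

```sql
-- Added example (not the white paper's own script): the service account's
-- permission lifecycle in T-SQL. Assumes the paper's account IVRLAB\MiCC_Service
-- and database CCMData, on SQL Server 2012 or later.

-- 1. Before installation: create the Windows login and grant sysadmin so the
--    Configuration Wizard (run as this account) can create the databases.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'IVRLAB\MiCC_Service')
    CREATE LOGIN [IVRLAB\MiCC_Service] FROM WINDOWS;
GO
ALTER SERVER ROLE sysadmin ADD MEMBER [IVRLAB\MiCC_Service];
GO

-- ... run the MiContact Center Configuration Wizard as the service account here ...

-- 2. After installation: remove sysadmin immediately. A compromised service
--    account then reaches only the databases it is explicitly mapped into.
ALTER SERVER ROLE sysadmin DROP MEMBER [IVRLAB\MiCC_Service];
GO

-- 3. Map the login as db_owner of the MiContact Center database only (the
--    paper's User Mapping step). Repeat this block for CCMStatisticalData and,
--    on the local SQL Express instance, CCMRouting, CCMRuntimeServices and CCMWa.
--    Matching on SID rather than name also covers the case where the account
--    created the database while sysadmin and therefore already maps to dbo.
USE CCMData;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE sid = SUSER_SID(N'IVRLAB\MiCC_Service'))
BEGIN
    CREATE USER [IVRLAB\MiCC_Service] FOR LOGIN [IVRLAB\MiCC_Service];
    ALTER ROLE db_owner ADD MEMBER [IVRLAB\MiCC_Service];
END
GO

-- 4. Verify the end state. Server level: expect zero rows, i.e. nothing beyond
--    the implicit public role ("Ensure only Public remains selected").
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'IVRLAB\MiCC_Service';

--    Database level: expect one row showing db_owner (or dbo, which implies it).
SELECT m.name AS database_user,
       COALESCE(r.name, CASE WHEN m.name = N'dbo' THEN N'db_owner (owner)' END) AS role_name
FROM sys.database_principals AS m
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = m.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE m.sid = SUSER_SID(N'IVRLAB\MiCC_Service');
```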
Figure 19: Verifying the Service Account has been Mapped to the Databases
Configuring the Windows Services
By default the Configuration Wizard will configure some MiContact Center Windows Services to run as the service account. At this stage it is important to verify that all required services are running as the service account. In the event that any of the services below are configured to run as Local System, they must be changed to run as the designated service account. A correctly configured services panel should appear as seen in Figure 22.
Note, if utilizing a Remote Server for IVR Routing you must perform these steps on all Remote Server instances for the prairieFyre Routing Inbound Service.
The service user credentials must be configured for all of the following services:
prairieFyre .NET Enterprise Server
prairieFyre Config Service
prairieFyre Data Synchronization Service
prairieFyre MassTransit Runtime Services
prairieFyre Reporting Service
To reconfigure the service user credentials:
1. Right click the service name
2. Click Properties
3. Click the Log On tab
4. Specify the domain and username, and the password for the account in the “Log on as” panel (Figure 20)
5. Click OK (if you are prompted that the service has been granted Log On as a Service rights, simply press OK) (Figure 21)
6. The service must be restarted for the account change to take effect; you can restart each service individually or simply restart the MiContact Center server
Figure 22: A Correctly Configured Services Panel for MiContact Center
Configuring the IIS Application Pool
This step is only required when leveraging a remote Microsoft SQL Server instance. If you are utilizing only the local Microsoft SQL Express instance you can skip this step.
In order to ensure all MiContact Center websites and webservices have the appropriate access to the MiContact Center databases the IIS Application Pool must be configured to run as the MiContact Center service account.
To reconfigure the Application Pool identity:
1. Open the IIS Management snapin
2. In the left pane select Application Pools
3. In the list of Application Pools, right click the prairieFyre Application Pool
4. Select Advanced Settings (Figure 23)
7. Enter the MiContact Center service account domain and username, and its password, and click OK
8. Once complete the configuration will show the appropriate domain and username (Figure 24)
9. Stop, then start the Application Pool by right clicking and selecting stop, then start, for the identity change to take effect
10. Repeat these steps for the CCMWa and MCCwa Application Pools
Figure 24: The Reconfigured IIS Application Pool
Configuring MiContact Center
The final step to complete the configuration is to specify the default security role, site, and
Specify the synchronization frequency in Hours and Minutes (in the format HH:mm). Typically this can be set to 12 to 24 hours. The security role and site will automatically be applied to new users on synchronization; as such, it is recommended by default to provide users with the most restrictive security role, and provide additional permissions if required on a case by case basis.
Figure 25: A Typical Synchronization Configuration
Reconfiguring Synchronization Paths
In the event you wish to add or remove Organizational Units or Security and Distribution Groups from the synchronization, select the Select Sync Path button within the YourSite Explorer Active Directory tab. This will show the paths to synchronize. To add an OU or Group, simply browse to it, select it in the left pane and click the right arrow. To remove an OU or Group, click it in the right pane and select the left arrow.