Troubleshooting guide
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Configuring Administrative Login Authentication, Authorization, and Accounting
Configuring Administrative Login Authentication and Authorization
Step 6 (Optional) Enter the administrative username and password in the Administrator Username, Password,
and Confirm Password fields. It is not mandatory to enter the username and password, but in some cases,
the domain controller requires them to perform the unregistration.
Step 7 Click the Leave button.
Note When you click the Leave button, the WAAS Central Manager immediately sends an
unregistration request to the WAAS device (or device group) using SSH. The unregistration
request instructs the device to unregister from the specified Windows Domain Controller.
A request to unregister the device is not allowed when encrypted MAPI is configured to use
machine accounts. You must delete the machine account identity before proceeding with the
leave.
Step 8 Check the status of the unregistration request by waiting a few minutes and clicking the Show Join
Status button.
If you want to use the CLI to unregister a WAE device, you must first use the following commands to
disable Windows authentication:

    WAE(config)# no authentication login windows-domain enable
    WAE(config)# no authentication configuration windows-domain enable

Next, unregister the WAAS device from the Windows domain server by using the following command
(for Kerberos authentication):

    WAE# windows-domain leave user UserName password Password

There is no CLI command to unregister the WAAS device if it is using NTLM authentication.
LDAP Server Signing
LDAP server signing is a configuration option of the Microsoft Windows Server’s Network security
settings. This option controls the signing requirements for Lightweight Directory Access Protocol
(LDAP) clients. LDAP signing is used to verify that an intermediate party did not tamper with the LDAP
packets on the network and to guarantee that the packaged data comes from a known source. Windows
Server 2003 administration tools use LDAP signing to secure communications between running
instances of these tools and the servers that they administer.
By using the Transport Layer Security (TLS, RFC 2830) protocol to provide communications privacy
over the Internet, client/server applications can communicate in a way that prevents eavesdropping,
tampering, or message forging. TLS v1 is similar to Secure Sockets Layer (SSL). TLS offers the same
encryption on regular LDAP connections (ldap://:389) that SSL provides when operating on a secure
connection (ldaps://:636). The TLS protocol uses a server certificate to provide a secure, encrypted
connection to the LDAP server. A client certificate and key pair are required for client authentication.
In the WAAS software, login authentication with Windows 2003 domains is supported when the LDAP
server signing requirements option for the Domain Security Policy is set to “Require signing.” The
LDAP server signing feature allows the WAE to join the domain and authenticate users securely.
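The following PowerShell is an added example, not part of the Cisco guide: before setting the policy to "Require signing", it reads the domain controller's current signing policy and summarizes which clients still bind without signing, so that a WAE or other client that has not been configured for LDAP signing is found before it is locked out. It relies on the Windows registry value LDAPServerIntegrity and on Directory Service event 2889, neither of which is mentioned on this page; the sample events, addresses, and account names are constructed.

```powershell
# Added example: run on a Windows domain controller. Not from the Cisco guide.
# LDAPServerIntegrity backs the "LDAP server signing requirements" policy:
#   1 = None, 2 = Require signing.
function Get-LdapServerSigningPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $v = (Get-ItemProperty -Path $key -Name LDAPServerIntegrity `
            -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($v -eq 2) { 'Require signing' }
    elseif ($v -eq 1) { 'None' }
    else { 'Not set' }
}

# Summarize event 2889 records (binds made without signing) per client.
# Event data order: [0] client address:port, [1] identity, [2] bind type
# (0 = unsigned SASL bind, 1 = simple bind on a cleartext connection).
function Get-UnsignedBindSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Properties[0].Value -replace ':\d+$', ''   # drop source port
            Identity = $_.Properties[1].Value
            BindType = if ($_.Properties[2].Value -eq 1) { 'Simple bind' }
                       else { 'Unsigned SASL bind' }
        }
    } | Group-Object Client, Identity, BindType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample records shaped like Get-WinEvent output (hypothetical helper).
function New-SampleEvent($Client, $Identity, $BindType) {
    [pscustomobject]@{
        Properties = @($Client, $Identity, $BindType |
            ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$sample = @(
    (New-SampleEvent '192.0.2.10:49152' 'EXAMPLE\svc-wae' 0),
    (New-SampleEvent '192.0.2.10:49153' 'EXAMPLE\svc-wae' 0),
    (New-SampleEvent '192.0.2.25:50211' 'EXAMPLE\app1' 1)
)

Get-LdapServerSigningPolicy
Get-UnsignedBindSummary -Events $sample

# Live data on a domain controller:
# Get-UnsignedBindSummary -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Directory Service'; Id = 2889 })
```

Event 2889 is recorded only while the "16 LDAP Interface Events" diagnostic level under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is set to 2 or higher.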
Note When you configure your Windows domain controller to require an LDAP signature, you must also
configure LDAP signing on the client WAE. If you do not configure the client to use LDAP signatures,
communication with the server is affected, and user authentication, group policy settings, and logon