CONFIGURING MICONTACT CENTER ACTIVE DIRECTORY SYNCHRONIZATION AND WINDOWS AUTHENTICATION




AUGUST 2014
DOCUMENT RELEASE# 1.0
WHITE PAPER

Contents

Document History
Configuring MiContact Center Active Directory Synchronization and Windows Authentication
Required Configuration for MiContact Center Multimedia
Preparing Active Directory
Using Organizational Units
Security and Distribution Groups
Configuring Users
Creating Service Accounts
Preparing Microsoft SQL Server
Securing Communication to SQL Server
Configure Service Account
Installing and Configuring MiContact Center
Specifying Service Credentials in the Configuration Wizard
Configuring Active Directory Integration Synchronization Paths
Configuring Microsoft SQL Server Connectivity
Reconfiguring to Utilize the Service Account
Providing the Service Account Access to Microsoft SQL Server
Configuring the Windows Services
Configuring the IIS Application Pool
Configuring MiContact Center
Reconfiguring Synchronization Paths

The information conveyed in this document is confidential and proprietary to Mitel and is intended solely for Mitel employees and members of Mitel's reseller channel who specifically have a need to know this information. If you are not a Mitel employee or a Mitel authorized partner, you are not the intended recipient of this information. Please delete or return any related material. Mitel will enforce its right to protect its confidential and proprietary information and failure to comply with the foregoing may result in legal action against you or your company.

This white paper provides general guidelines and recommended practices as determined by Mitel Systems Engineering. It is provided as-is without any warranty, or support. Mitel reserves the right to modify, alter, or otherwise change information within this documentation without notice. 1 MITEL WHITE PAPER

Document History

Change Level | Date | Author(s) | Comments
1P01 | August 25th, 2014 | James Renaud, Systems Engineer | Initial draft.
1P02 | August 26th, 2014 | James Renaud, Systems Engineer | Simplified service account usage to a single account, clarified mandatory steps for software reconfiguration
1P03 | August 27th, 2014 | James Renaud, Systems Engineer | Added note regarding mandatory steps required for Multimedia in release 7.1
1P04 | August 27th, 2014 | James Renaud, Systems Engineer | Modified steps required for multimedia around the builtin\administrators group
1P05 | September 3rd, 2014 | James Renaud, Systems Engineer | Clarified requirement for group scope in multiple domain, single forest Active Directory deployments

Configuring MiContact Center Active Directory Synchronization and Windows Authentication

In order to provide a robust, secure, and easy to manage contact center, MiContact Center provides the ability to utilize Microsoft Windows Active Directory for user provisioning and authentication. Not only does this reduce the maintenance overhead for provisioning employees, but it also improves contact center security by allowing passwords to be managed through Active Directory, where administrators can set password complexity and expiration policies for additional security.

The purpose of this white paper is to provide general guidelines and recommended practices for configuring Active Directory to prepare for synchronization with MiContact Center, and to provide information on required configuration steps and recommended best practices when utilizing Windows Authentication for Microsoft SQL Server.

Required Configuration for MiContact Center Multimedia

For the multimedia functionality within MiContact Center to install, configure, and operate properly, you must add BUILTIN\administrators to the SYSADMIN role during the Configure Service Account configuration steps. Upon completion of the Configuration Wizard, the SYSADMIN role can be removed.

Preparing Active Directory

There are two primary methods to prepare for MiContact Center synchronization with Active Directory: utilizing Organizational Units (OUs), or utilizing Security or Distribution Groups, to contain users for synchronization. This allows for easy provisioning of users by simply adding a user to an OU or to a designated Security or Distribution Group, which is synchronized at regular intervals by the MiContact Center server.

Using Organizational Units

In many cases OUs may already exist which contain all users who require access to the MiContact Center software, or administrators may wish to create a new OU for such users.

Organizational Units provide additional functionality within Active Directory, including specific group policy applications and default alternate domain suffixes. Figure 1 shows an example organizational unit. Note: it is recommended to protect the OU from accidental deletion.

Figure 1: Creating an Organizational Unit for MiContact Center Users

Security and Distribution Groups

Utilizing Security and Distribution groups provides a fast and easy way to manage Active Directory synchronization, and allows administrators to utilize existing security or distribution groups for users identified as requiring access to MiContact Center software. MiContact Center can synchronize with Security or Distribution groups, and either can be utilized. Figure 2 shows a typical security group configured for MiContact Center users. The group scope and group type can be configured based upon organizational best practices; no particular setting is required by MiContact Center.

Note: when synchronizing security and distribution groups contained within multiple domains in the same forest, the group scope must be set to Universal. If the group scope is set to global or domain local, the MiContact Center server will not synchronize users contained within the group.

Figure 2: Configuring a Security Group for MiContact Center Users

Configuring Users

To ensure seamless integration into MiContact Center, users in Active Directory should be configured with their corporate email address, which will synchronize into the MiContact Center employee configuration. An example user configuration is shown below in Figure 3.

Figure 3: A Typical User Configuration in Active Directory

If leveraging Organizational Units, ensure users are created within that organizational unit or are moved to the OU appropriately once provisioned. If leveraging Security and Distribution groups, ensure each user is a member of those groups identified to be synchronized with MiContact Center.

Figure 4: A Typical Organizational Unit Configuration

Figure 5: A User Configured as Part of the MiContact Center Users Security Group

Creating Service Accounts

In order to facilitate the initial installation and continued operation of the MiContact Center software, a service account must be created. This account will be utilized in the installation and initial configuration of AD synchronization and Windows Authentication, in addition to being utilized as the security principal with access to the MiContact Center SQL databases. In this example we use IVRLAB\MiCC_Service. This account should be set to never expire, and have a password that does not expire. In the event that the password expires, or is reset, you must re-enter the new credentials for the account in the services panel, and the IIS Application Pool identity configuration outlined below.

Figure 6: Shows the Configured Service Account for MiContact Center

Before proceeding you must ensure the service account is configured as a local administrator on the MiContact Center Enterprise Server, and all Remote Server instances. This ensures appropriate system level access required by this account during installation and continued operation of the MiContact Center software.

Figure 7: Service Account Added to the Local Administrator Group on the MiContact Center Enterprise Server

Preparing Microsoft SQL Server

If the MiContact Center installation uses Microsoft SQL Server authentication, and Windows Authentication with SQL Server is not required or utilized, this section can be skipped. It is however highly recommended to utilize Windows Authentication with Microsoft SQL Server to provide secure communication to the database engine. For more information on Microsoft SQL Server authentication models, please see http://msdn.microsoft.com/en-us/library/ms144284.aspx.

Securing Communication to SQL Server

Optionally, to enhance the security of communication between the MiContact Center server and Microsoft SQL Server, connection encryption can be forced upon all clients connecting to the SQL Server. To force protocol encryption with connecting clients:

1. Open the SQL Server Configuration Manager on the Microsoft SQL Server
2. Expand SQL Server Network Configuration
3. Right click the Protocols for <<INSTANCE NAME>> (where Instance Name is the SQL instance used for MiContact Center)
4. Click Properties
5. Under the Flags tab, set Force Encryption to Yes
6. Restart the Microsoft SQL Server instance for this change to take effect

Figure 8: Forcing Connection Encryption in Microsoft SQL Server

In order to facilitate secure communications between the MiContact Center server and Microsoft SQL Server, a Computer certificate must be issued to both the MiContact Center server and the Microsoft SQL Server through your domain Certificate Authority (CA). For information on requesting certificates through Microsoft Windows please see http://technet.microsoft.com/en-us/library/cc730689.aspx.

You can verify connections to Microsoft SQL Server are secure by running the following SQL script:

    USE master;
    SELECT * FROM sys.dm_exec_connections;
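A narrower form of this check, as an added example that is not part of the original white paper: it joins sys.dm_exec_sessions to show which login, host and program own each connection, and returns only the connections that are unencrypted or that use SQL Server Authentication. Reading these views requires the VIEW SERVER STATE permission.

```sql
-- Added example (not from the white paper): find connections that bypass
-- the intended setup of encrypted transport plus Windows Authentication.
USE master;

-- 1. Connections that are not encrypted, or that authenticate with a SQL login.
--    auth_scheme 'SQL' is SQL Server Authentication; 'NTLM' and 'KERBEROS'
--    are both Windows Authentication.
SELECT
    c.session_id,
    s.login_name,          -- who is connected
    s.host_name,           -- client machine name as reported by the client
    s.program_name,        -- client application name as reported by the client
    c.net_transport,
    c.encrypt_option,
    c.auth_scheme,
    c.client_net_address,
    c.client_tcp_port
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE c.encrypt_option <> 'TRUE'
   OR c.auth_scheme = 'SQL'
ORDER BY c.client_net_address, c.session_id;

-- 2. Summary of every current connection by transport, encryption and
--    authentication scheme, to confirm the overall picture after the
--    Force Encryption change and instance restart.
SELECT
    c.net_transport,
    c.encrypt_option,
    c.auth_scheme,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
GROUP BY c.net_transport, c.encrypt_option, c.auth_scheme
ORDER BY connection_count DESC;
```

Both queries only reflect connections open at the moment they run, so run them while the MiContact Center services are connected.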

Connection methods are shown under the NET_TRANSPORT column.
ENCRYPT_OPTION indicates TRUE if the connection is encrypted.
AUTH_SCHEME indicates the authentication model used; NTLM is Windows Authentication, SQL is SQL Server Authentication.
CLIENT_NET_ADDRESS indicates the IP address of the connection and CLIENT_TCP_PORT shows the client port utilized for the connection.

For more information on securing client communication with Microsoft SQL Server, please see http://support.microsoft.com/kb/316898.

Configure Service Account

In order to ensure proper database creation, the service account must be added as a system administrator in the Microsoft SQL Server. This role application is required only during installation of the MiContact Center software and should be removed once complete. It is highly recommended to remove the system administrator role assignment from this user as soon as possible to maintain a secure Microsoft SQL Server. Once the installation is complete and the databases have been created, the MiContact Center service account will be added as an owner of the MiContact Center databases to limit exposure to other databases and Microsoft SQL Server functionality from this account in the event it is compromised.

Note: if utilizing a remote instance of Microsoft SQL Server, these steps must be performed on the remote SQL instance as well as the local Microsoft SQL Server Express instance installed to the MiContact Center Enterprise Server.

To add the installer account as a database creator and security administrator in Microsoft SQL Server:

1. Open the Microsoft SQL Server Management Studio
2. Login to the instance to be used for the MiContact Center databases
3. Expand the Instance name in the Object Explorer window
4. Expand the Security folder
5. Right click the Logins folder
6. Click New Login (Figure 9)
7. In the Login Name text box specify the domain and service user account (Figure 10)
8. Click Server Roles in the left pane
9. Click the SYSADMIN check box (Figure 11)
10. Press OK

Figure 9: Selecting New Login Using Microsoft SQL Server Management Studio

Figure 10: Configuring the New Login

Figure 11: Specifying the SYSADMIN Role for the Installer User

Installing and Configuring MiContact Center

Upon completion of all pre-requisites for MiContact Center, including those steps outlined above, you are ready to install the MiContact Center Enterprise Server. For detailed instructions regarding software requirements, pre-requisites, installation instructions, and architectural guides please refer to the MiContact Center documentation available through Mitel Online.

Specifying Service Credentials in the Configuration Wizard

Once installation of the software has been completed, the Configuration Wizard will automatically launch and begin the configuration of the software. If you are not currently logged in to Windows using the MiContact Center service account, you can close the MiContact Center Configuration Wizard and re-launch it using the installer credentials by right clicking the MiContact Center Configuration Wizard icon in the Mitel programs group in the start menu, and selecting Run as Different User. The Configuration Wizard must be run as the service account.

In the Service Credentials group specify the domain and username, and password for the service account, and in the Authentication Type group change the Authentication Mode drop down box from CCM Authentication to Windows Authentication. Figure 12 shows a correctly configured Service Credentials page. Once complete, click Next.

Figure 12: Configuring the Service Credentials Page of the Configuration Wizard

Configuring Active Directory Integration Synchronization Paths

If the service credentials page is validated as a successful configuration, the Active Directory Integration page is displayed. If leveraging an Organizational Unit, browse the directory tree to your OU, select it and press the right arrow to show it as a selected synchronization path. Figure 13 shows the OU selected as a synchronization path; note the Entry Count in the bottom right will reflect the number of users contained within that OU.

Figure 13: The MiCC Users Organizational Unit Selected as a Synchronization Path

If leveraging Security and Distribution Groups, navigate to the Organizational Unit containing your groups, select them and click the right arrow to mark them for synchronization. Figure 14 shows two security groups within the Users Organizational Unit that have been marked for synchronization. Please note the Entry Count will not reflect the number of users in those groups; however, each individual user within the group will be synchronized.

Once complete, click Next.

Figure 14: Synchronizing Security Groups

Configuring Microsoft SQL Server Connectivity

Once the synchronization paths have been selected, the SQL Server configuration page will appear. Specify the Microsoft SQL Server and instance to be used for the MiContact Center databases. This must be the same server and instance configured above in Preparing Microsoft SQL Server. Ensure the Authentication drop down box specifies Windows Authentication. Figure 15 shows a typical SQL Server configuration page with a remote SQL server utilizing a default instance name (MSSQLSERVER).

Figure 15: A Typical Remote SQL Server Configuration with a Default Instance Name

Once complete, click Next. If you are utilizing a Remote SQL instance with Windows Authentication you will be prompted with a warning before continuing. In order to continue, you must click No in the dialog box that appears (Figure 16).

Figure 16: Remote SQL Instance Detected Dialog Box, Select No to Continue

Complete the rest of the MiContact Center Configuration Wizard, and once complete continue to the next steps. If you encounter errors during the MiContact Center Configuration Wizard configuration steps, these must be resolved prior to continuing. The most common cause of failure during the SQL Scripts phase is the Configuration Wizard not being run as the installation user configured as a system administrator in the Microsoft SQL Server instance. Ensure all steps in Configure Service Account were followed, then re-run the Configuration Wizard.

Reconfiguring to Utilize the Service Account

In order for the MiContact Center software to operate when utilizing Windows Authentication with Microsoft SQL Server, additional steps must be performed upon completion of the installation and Configuration Wizard.

Providing the Service Account Access to Microsoft SQL Server

In order to limit the scope of the MiContact Center service account in the event that additional databases are stored in the same Microsoft SQL Server instance, the service account can be configured to only have access to the MiContact Center databases.

Note: if utilizing a remote instance of Microsoft SQL Server, these steps must be performed on the remote SQL instance as well as the local Microsoft SQL Server Express instance installed to the MiContact Center Enterprise Server.

To configure access for the MiContact Center service account:

1. Open the Microsoft SQL Server Management Studio
2. Login to the instance to be used for the MiContact Center databases
3. Expand the Instance name in the Object Explorer window
4. Expand the Security folder
5. Right click the Logins folder
6. Click New Login (Figure 9)
7. In the Login Name text box specify the domain and installation user account (Figure 17)
8. Click Server Roles in the left pane
9. Ensure only Public remains selected (Figure 18)
10. Click User Mapping in the left pane
11. Click the Checkbox for CCMData, then select the db_owner checkbox in the pane below
12. Click the Checkbox for CCMStatisticalData, then select the db_owner checkbox in the pane below
13. For a local SQL Express instance, repeat these steps utilizing the CCMRouting, CCMRuntimeServices, and CCMWa databases. Note: on a clean installation the CCMRouting, CCMRuntimeServices, and CCMWa databases may not exist until the IIS Application Pools and Windows Services have been correctly configured with the service account credentials. If these databases have not been created, follow the steps in Reconfiguring to Utilize the Service Account then return to this step.
14. You can verify the user has been mapped to the database by expanding Databases, CCMData, Security, Users. You should see the MiContact Center service account in addition to the default user mappings (Figure 19)
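A read-only check of the end state that the Configure Service Account and Providing the Service Account Access sections aim for, added here as an example and not taken from the white paper: it lists the server roles still held by the service account and BUILTIN\Administrators, then reports the user and database roles the service account maps to in each MiContact Center database. It assumes the white paper's example account IVRLAB\MiCC_Service, the five database names given in the steps above, and SQL Server 2008 or later.

```sql
-- Added example (not from the white paper): read-only audit, changes nothing.
-- Assumption: the service account is the white paper's example account.
DECLARE @login sysname = N'IVRLAB\MiCC_Service';

-- 1. Server roles still held by the service account and BUILTIN\Administrators.
--    After installation no row should show server_role = sysadmin.
--    (Membership of the public role is implicit and is not listed here.)
SELECT m.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (@login, N'BUILTIN\Administrators');

-- 2. Database user and roles the login maps to in each MiContact Center database.
IF OBJECT_ID('tempdb..#expected') IS NOT NULL DROP TABLE #expected;
IF OBJECT_ID('tempdb..#mapping')  IS NOT NULL DROP TABLE #mapping;
CREATE TABLE #expected (name sysname);
CREATE TABLE #mapping  (database_name sysname, user_name sysname, role_name sysname NULL);

INSERT INTO #expected (name)
VALUES (N'CCMData'), (N'CCMStatisticalData'), (N'CCMRouting'),
       (N'CCMRuntimeServices'), (N'CCMWa');

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM sys.databases AS d
    JOIN #expected AS e ON e.name = d.name
    WHERE d.state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Match on SID so the mapping is found even if the user name differs
    -- from the login name (for example dbo, when the login owns the database).
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), u.name, r.name
        FROM sys.database_principals AS u
        LEFT JOIN sys.database_role_members AS drm
               ON drm.member_principal_id = u.principal_id
        LEFT JOIN sys.database_principals AS r
               ON r.principal_id = drm.role_principal_id
        WHERE u.sid = SUSER_SID(@login);';
    INSERT INTO #mapping (database_name, user_name, role_name)
        EXEC sys.sp_executesql @sql, N'@login sysname', @login = @login;
    FETCH NEXT FROM db_cursor INTO @db;
END;
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- One or more rows per expected database. A NULL user_name means the login
-- is not mapped there, or the database has not been created yet.
SELECT e.name AS expected_database,
       CASE WHEN d.name IS NULL THEN 'missing' ELSE 'present' END AS database_state,
       m.user_name,
       m.role_name
FROM #expected AS e
LEFT JOIN sys.databases AS d ON d.name = e.name
LEFT JOIN #mapping      AS m ON m.database_name = e.name
ORDER BY e.name, m.role_name;

DROP TABLE #expected;
DROP TABLE #mapping;
```

On a remote SQL Server deployment, run it against both the remote instance and the local SQL Server Express instance, as the note above requires for the manual steps.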

Figure 17: Configuring the MiContact Center Service Account in Microsoft SQL Server

Figure 18: Ensure the Service Account is Configured as the Public Role Only

Figure 19: Verifying the Service Account has been Mapped to the Databases

Configuring the Windows Services

By default the Configuration Wizard will configure some MiContact Center Windows Services to run as the service account. At this stage it is important to verify that all required services are running as the service account. In the event that any of the services below are configured to run as Local System, they must be changed to run as the designated service account. A correctly configured services panel should appear as seen in Figure 22.

Note: if utilizing a Remote Server for IVR Routing, you must perform these steps on all Remote Server instances for the prairiefyre Routing Inbound Service.

The service user credentials must be configured for all of the following services:

prairiefyre.net Enterprise Server
prairiefyre Config Service
prairiefyre Data Synchronization Service
prairiefyre MassTransit Runtime Services
prairiefyre Reporting Service
prairiefyre Routing Inbound Service
prairiefyre Routing Media Service

To reconfigure the service user credentials:

1. Right click the service name
2. Click Properties
3. Click the Log On tab
4. Specify the domain and username, and the password for the account in the Log on as panel (Figure 20)
5. Click OK (If you are prompted that the service has been granted Log On as a Service rights, simply press OK) (Figure 21).
6. The service must be restarted for the account change to take effect; you can restart each service individually or simply restart the MiContact Center server

Figure 20: Configuring the Reporting Service to run as the MiContact Center Service Account

Figure 21: The Service Account has been Granted Log On as a Service Rights

Figure 22: A Correctly Configured Services Panel for MiContact Center

Configuring the IIS Application Pool

This step is only required when leveraging a remote Microsoft SQL Server instance. If you are utilizing only the local Microsoft SQL Express instance you can skip this step.

In order to ensure all MiContact Center websites and webservices have the appropriate access to the MiContact Center databases, the IIS Application Pool must be configured to run as the MiContact Center service account.

To reconfigure the Application Pool identity:

1. Open the IIS Management snapin
2. In the left pane select Application Pools
3. In the list of Application Pools, right click the prairiefyre Application Pool
4. Select Advanced Settings (Figure 23)
5. Under the Process Model group click Identity, and click the box to the right of the credentials
6. Select the Custom Account radio button
7. Enter the MiContact Center service account domain and username, and its password and click OK.
8. Once complete the configuration will show the appropriate domain and username (Figure 24)
9. Stop, then start the Application Pool by right clicking and selecting stop, then start, for the identity change to take effect
10. Repeat these steps for the CCMWa and MCCwa Application Pools

Figure 23: Reconfiguring the Application Pool

Figure 24: The Reconfigured IIS Application Pool

Configuring MiContact Center

The final step to complete the configuration is to specify the default security role, site, and synchronization frequency through YourSite Explorer. Within YourSite Explorer select the Active Directory tab at the top of the Window (if you do not see it, click on Enterprise in the left pane).

Specify the synchronization frequency in Hours and Minutes (in the format of HH:mm). Typically this can be set to 12 to 24 hours. The security role and site will automatically be applied to new users on synchronization; as such, it is recommended by default to provide users with the most restrictive security role, and provide additional permissions if required on a case by case basis.

Figure 25: A Typical Synchronization Configuration

Reconfiguring Synchronization Paths

In the event you wish to add or remove Organizational Units or Security and Distribution Groups from the synchronization, within the YourSite Explorer Active Directory tab select the Select Sync Path button. This will show the paths to synchronize. To add an OU or Group simply browse to it, select it in the left pane and click the right arrow. To remove an OU or Group click it in the right pane, and select the left arrow.

Figure 26: Reconfiguring Synchronization Paths
