Become a member today

register/login

DrVoip.com

Member Login

Not a member yet? Sign Up!

Get immediate access to hot downloads such as DrVoIP VoIP planning guide(pdf) and more.

Register

Implementing Active Directory Integration with ShoreTel 11

October 16th, 2010

Historically I have recommended that the ShoreTel server not be a computer in your domain.   To many times, an Active Directory administrator will create a new Group Policy and forget about the ShoreTel user account.  The end result is a down ShoreTel server and a call to TAC support!  I still feel strongly about this, but you can still integrate Active Directory authentication for your ShoreTel users.

Generally, ShoreTel users do not actually log in and log out of their Call Managers, or their Communicators as ShoreTel has renamed them in Version 11.   Most implementations have the ShoreTel desktop application launched automatically when the user starts up their desktop computers.  Most users do not even know that they are in fact logging into ShoreTel.  Active Directory administrators however, most certainly know that a login has occurred. With ShoreTel 11 Active Directory integration has matured and the reasons for implementing active directory user authentication are increasingly more obvious.  For example, now that ShoreTel has a complete Call Manager application running within your favorite internet browser, users will become aware that they are logging in as they will need to provide credentials each time they access the web application (see previous video this subject).

ShoreTel Active Directory integration is relatively straight forward, stress-free integration. Once implemented, ShoreTel system administrators have the opportunity to determine which users will require AD authentication as it is possible, using this integration that they can remain authenticated by the ShoreTel directory system.  The Version 11 web based Call Manager, for example, provides two links: one for the ShoreTel authentication and one for AD authentication.  It is important that you first create a user in ShoreTel that has both ShoreTel administration privileges and an AD user account in your domain.   You will also need to have the LDAP directory URL for your domain.

For those of us that are not Microsoft wizards, you might need some help locating the LDAP directory URL.  We were able to locate a tool from Softerra that can be of great help in searching your AD for user information.   You can locate this very useful tool at http://www.softerra.com/portfolio_ldap-browser.htm and you can download a free versions.  Once in ShoreTel Director you will navigate to System Parameters and to the Option page.  Check the enable box and enter your AD LDAP URL and your are done.  The next time you login to ShoreTel you will use your Active Directory credentials.   You will notice that the Shoreware Directory login screen has changed, and each of your user accounts has a new field for Active Directory login credentials that can be synchronized with your domain based LDAP directory.  The video clip shows you how this process is executed.   As always we welcome your feedback!

15 Responses to “Implementing Active Directory Integration with ShoreTel 11”

  1. Jeff says:

    Are any OTHER LDAP services supported?

  2. Chad says:

    Do you know if multiple domains are supported? Our Shortel implementation covers two organizations on different AD forests.

  3. Chris says:

    Basically, the only integration available is for single sign on. I cannot import users directly from AD? isn’t it?

  4. adam says:

    hate to be annoying, but the integration actually fails in this video. When you first setup the integration in “Other Parameters” it states that shoretel cannot verify the LDAP connection and later when you click “Show from AD”, the LDAP query is returning “NULL” for all fields. I finally got this working on our domain by simply using the root host in LDAP. (LDAP://DomainControler/). Then when I go into my individual shortel account, the “Show from AD” pulls the info from AD correctly and syncs correctly. To be fair though, I’m having the worst time getting communicator to sync correctly.

  5. Most implementations have the ShoreTel desktop application launched automatically when the user starts up their desktop computers. Most users do not even know that they are in fact logging into ShoreTel. Active Directory administrators however, most certainly know that a login has occurred. With ShoreTel 11 Active Directory integration has matured and the reasons for implementing active directory user authentication are increasingly more obvious.

  6. Adam says:

    So I just tried this and it doesn’t work for me. I can’t get it to verify the AD path and it doesn’t accept my AD credentials. I read a Shoretel guide and it stated something about delegating authorization to the Shoretel server. Did you not have to do that here? The server in the video is not part of the domain?

  7. Sachin says:

    Does the shoretel server need to be a member of the domain for AD integration?

  8. DrVoIP says:

    No it does not, and we generally recommend against putting ShoreTel servers in a domain. Sooner or later someone will create a Group Policy that forgets to take note of teh ShoreTel ipbxuser account and bad things happen!

  9. Dan says:

    I cannot get this to work. Specifically, (I assume) since the ShoreTel server is not a member of the domain, I am still authenticating to the ShoreTel Administrator as a local account. That said, I too am getting “nul” when choosing show from AD. Another indicator is that although I have an Active Directory login button it is formatted as servername/login.name rather than domain/login.name. If I am authenticating locally then I surmise I have no credentials to Active Directory from the server. Final indicator is that when I choose a user that matches a domain account and check the AD box, it does not show the domain/login.name. I don’t see how this can work if the ShoreTel server is not joined to the domain since one can ONLY login locally.

  10. Troy says:

    Like Dan, I am struggling to integrate our non-domain ShoreTel server (Version 13) with our AD domain.

    I’ve tried everything from both this blog and from the ShoreTel White Paper (including manually creating the server in our AD domain and delegating auth privs to it), to no avail; if I try to access the server as any user other than Local Administrator (with the same password as our Domain Administrator account), it chokes.

    There are a couple of things I’m noting across several Web sites that I’ve searched for answers to this challenge:

    1) Most Web sites are including XML in the “web.config” file of their application to specify an LDAP “MembershipProvider” (which seems to indicate the logical provider to use for verifying membership); this XML code is absent from the ShoreTelDirector “web.config” file.

    The only place in the entire Shoreline Communications tree that I’m finding any reference to LDAP at all is in “{PATH_TO_FOLDER}\Shoreline Communications\ShoreWare Director\Ruby\lib\ruby\1.9.1\uri\ldap.rb” (and “ldaps.rb” in the same folder).

    Not being a Ruby programmer, I can’t say for certain I understand the code entirely, but it does not look as if there is any “authentication” mechanism built into the Ruby code; thus, I don’t understand how ShoreWare Director (or Communicator) are supposed to be passing the credentials along to LDAP.

    2) A couple of users in Net-land who have corrected these issues with other Web apps have suggested setting the IIS Application Pool (or the World Wide Web Publishing Service) to run as a “Network Service” account.

    The “DefaultAppPool” for the IIS server is running as “NetworkService”; the rest of the app pools are running as “LocalSystem”. Could the issue be here?

    Any advice would be valuable (even as a negative example!).

  11. Mark says:

    Sorry, I don’t mean to hijack this “logging in” thread, but this “installation” is AD related.

    During installation, ShoreTel Communicator attempts to retrieve the ShoreTel server name from the user’s ShoreTelServer Active Directory Custom Attribute.

    In a fully configured AD environment, the “Set Up Your ShoreTel Account” screen in the Getting Started Wizard is automatically pre-populated with the Server Name, the User Name, and the Password.

    The installation process is continued simply by clicking “Next.”

    Where can I plug this information into AD?

  12. denny says:

    I am having an issue where I put my AD credentials in for communicator but it pulls the admin extension number instead of my assigned extension… any ideas?

    Thanks

  13. Bill says:

    Is it possible to integrate ShoreTel without PRI circuit?

  14. DrVoIP says:

    Bill not following this question? ShoreTel has a PRI switch. If you are asking can you add PRI to a virtual switch, the answer would be no.

  15. Robert says:

    Back to the AD problem (LDAP query is returning “NULL” for all fields): For me it turned out that I wrote ldap in lowercase. “ldap://domain.com” does *not* work. “LDAP://domain.com” works. Strange but true.

Leave a Reply

Training Videos

   

DrVoIP VoIP Network Readiness Assessment Checklist

Download Free DrVoIP VoIP Planning Guide

Ads

Small Business Voip Business VoIP Support Hosted Voip VoiP Video Library Contact us
Cost saving Annual voip support contract Hosted pbx Free voip videos Get a quote
Disaster recovery Pay as you go support Small office solutions ShoreTel Training My account
Business voip features Pay per incident Call center solutions Cisco training Make a payment
Google+ Installation service VoIP Glossary Sitemap Privacy Policy
© Copyright DrVoIP.com 2014 - site by: Web Design San Diego