Home » Dell Manuals » Servers » Dell PowerEdge R830 » Manual Viewer

Dell PowerEdge R830 Integrated Remote Access Controller 8 Version 2.70.70.70 U - Page 144

Registering iDRAC as a computer in Active Directory root domain, Generating Kerberos keytab file,

View all Dell PowerEdge R830 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 144 highlights

Registering iDRAC as a computer in Active Directory root domain To register iDRAC in Active Directory root domain: 1. Click Overview > iDRAC Settings > Network > Network. The Network page is displayed. 2. Provide a valid Preferred/Alternate DNS Server IP address. This value is a valid DNS server IP address that is part of the root domain. 3. Select Register iDRAC on DNS. 4. Provide a valid DNS Domain Name. 5. Verify that network DNS configuration matches with the Active Directory DNS information. For more information about the options, see the iDRAC Online Help. Generating Kerberos keytab file To support the SSO and smart card login authentication, iDRAC supports the configuration to enable itself as a kerberized service on a Windows Kerberos network. The Kerberos configuration on iDRAC involves the same steps as configuring a non-Windows Server Kerberos service as a security principal in Windows Server Active Directory. The ktpass tool (available from Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN) bindings to a user account and export the trust information into a MIT-style Kerberos keytab file, which enables a trust relation between an external user or system and the Key Distribution Centre (KDC). The keytab file contains a cryptographic key, which is used to encrypt the information between the server and the KDC. The ktpass tool allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by a Windows Server Kerberos KDC service. For more information on the ktpass utility, see the Microsoft website at: technet.microsoft.com/en-us/library/cc779157(WS.10).aspx Before generating a keytab file, you must create an Active Directory user account for use with the -mapuser option of the ktpass command. Also, you must have the same name as iDRAC DNS name to which you upload the generated keytab file. To generate a keytab file using the ktpass tool: 1. Run the ktpass utility on the domain controller (Active Directory server) where you want to map iDRAC to a user account in Active Directory. 2. Use the following ktpass command to create the Kerberos keytab file: C:\> ktpass.exe -princ HTTP/[email protected] -mapuser DOMAINNAME \username -mapOp set -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass [password] -out c:\krbkeytab The encryption type is AES256-SHA1. The principal type is KRB5_NT_PRINCIPAL. The properties of the user account to which the Service Principal Name is mapped to must have Use AES 256 encryption types for this account property enabled. NOTE: Use lowercase letters for the iDRACname and Service Principal Name. Use uppercase letters for the domain name as shown in the example. 3. Run the following command: C:\>setspn -a HTTP/iDRACname.domainname.com username A keytab file is generated. NOTE: If you find any issues with iDRAC user for which the keytab file is created, create a new user and a new keytab file. If the same keytab file which was initially created is again executed, it does not configure correctly. Creating Active Directory objects and providing privileges Perform the following steps for Active Directory Extended schema based SSO login: 1. Create the device object, privilege object, and association object in the Active Directory server. 2. Set access privileges to the created privilege object. It is recommended not to provide administrator privileges as this could bypass some security checks. 3. Associate the device object and privilege object using the association object. 144 Configuring iDRAC for Single Sign-On or smart card login

Section	Page
Integrated Dell Remote Access Controller 8 Version 2.70.70.70 User’s Guide	3
Overview	14
Benefits of using iDRAC with Lifecycle Controller	14
Key features	15
New in this release	17
How to use this user guide	17
Supported web browsers	17
Supported OS, Hypervisors	17
Managing licenses	18
Types of licenses	18
Methods for acquiring licenses	18
License operations	18
Importing license after replacing motherboard	19
Managing licenses using iDRAC web interface	19
Managing licenses using RACADM	19
Licensed features in iDRAC7 and iDRAC8	19
Interfaces and protocols to access iDRAC	23
iDRAC port information	25
Other documents you may need	26
Social media reference	27
Contacting Dell	27
Accessing documents from the Dell EMC support site	27
Logging in to iDRAC	29
Logging in to iDRAC as local user, Active Directory user, or LDAP user	29
Logging in to iDRAC using a smart card	30
Logging in to iDRAC as a local user using a smart card	30
Logging in to iDRAC as an Active Directory user using a smart card	31
Logging in to iDRAC using Single Sign-On	31
Logging in to iDRAC SSO using iDRAC web interface	32
Logging in to iDRAC SSO using CMC web interface	32
Accessing iDRAC using remote RACADM	32
Validating CA certificate to use remote RACADM on Linux	32
Accessing iDRAC using local RACADM	33
Accessing iDRAC using firmware RACADM	33
Accessing iDRAC using SMCLP	33
Logging in to iDRAC using public key authentication	33
Multiple iDRAC sessions	33
Changing default login password	34
Changing default login password using web interface	34
Changing default login password using RACADM	34
Changing default login password using iDRAC settings utility	35
Enabling or disabling default password warning message	35
Enabling or disabling default password warning message using web interface	35
Enabling or disabling warning message to change default login password using RACADM	35
IP Blocking	35
Invalid password credentials	36
Setting up managed system and management station	38
Setting up iDRAC IP address	38
Setting up iDRAC IP using iDRAC settings utility	39
Network settings	39
Common settings	41
IPv4 settings	41
IPv6 settings	41
IPMI settings	41
VLAN settings	42
Setting up iDRAC IP using CMC web interface	42
Enabling provisioning server	42
Configuring servers and server components using Auto Config	43
Auto Config sequence	44
DHCP options	44
Configuring option 43 on Windows	45
Configuring option 60 on Windows	45
Configuring option 43 and option 60 on Linux	46
Prerequisites before enabling Auto Config	47
Enabling Auto Config using iDRAC web interface	47
Enabling Auto Config using RACADM	48
Using hash passwords for improved security	48
Hash password using RACADM	48
Hash password in server configuration profile	48
Generating hash password without SNMPv3 and IPMI authentication	48
Setting up management station	49
Accessing iDRAC remotely	49
Setting up managed system	49
Modifying local administrator account settings	50
Setting up managed system location	50
Setting up managed system location using web interface	50
Setting up managed system location using RACADM	50
Setting up managed system location using iDRAC settings utility	50
Optimizing system performance and power consumption	50
Modifying thermal settings using iDRAC web interface	50
Modifying thermal settings using RACADM	52
Modifying thermal settings using iDRAC settings utility	55
Configuring supported web browsers	56
Configuring Internet Explorer	56
Resetting Internet Explorer security settings	56
Adding iDRAC IP to the trusted-sites list	56
Configuring Internet Explorer to enable Active Directory SSO	56
Configuring Mozilla Firefox	57
Disabling whitelist feature in Firefox	57
Configuring Firefox to enable Active Directory SSO	57
Configuring web browsers to use virtual console	57
Configuring Internet Explorer to use HTML5-based plug-in	58
Configuring the web browser to use Java plug-in	58
Configuring IE to use ActiveX plug-in	58
Additional settings for Windows Vista or newer Microsoft operating systems	59
Clearing browser cache	59
Clearing earlier Java versions	60
Importing CA certificates to management station	60
Importing CA certificate to Java trusted certificate store	60
Importing CA certificate to ActiveX trusted certificate store	60
Viewing localized versions of web interface	60
Updating device firmware	61
Updating firmware using iDRAC web interface	63
Updating single device firmware	63
Updating firmware using repository	63
Updating firmware using FTP, TFTP, or HTTP	64
Updating device firmware using RACADM	65
Scheduling automatic firmware updates	65
Scheduling automatic firmware update using web interface	65
Scheduling automatic firmware update using RACADM	66
Updating firmware using CMC web interface	67
Updating firmware using DUP	67
Updating firmware using remote RACADM	67
Updating firmware using Lifecycle Controller Remote Services	68
Updating CMC firmware from iDRAC	68
CMC settings to update CMC firmware from iDRAC	68
iDRAC settings to update CMC firmware	68
Viewing and managing staged updates	68
Viewing and managing staged updates using iDRAC web interface	68
Viewing and managing staged updates using RACADM	69
Rolling back device firmware	69
Rollback firmware using iDRAC web interface	70
Rollback firmware using CMC web interface	70
Rollback firmware using RACADM	70
Rollback firmware using Lifecycle Controller	70
Rollback firmware using Lifecycle Controller-Remote Services	70
Recovering iDRAC	71
Using TFTP server	71
Backing up server profile	71
Backing up server profile using iDRAC web interface	72
Backing up server profile using RACADM	72
Scheduling automatic backup server profile	72
Scheduling automatic backup server profile using web interface	72
Scheduling automatic backup server profile using RACADM	73
Importing server profile	73
Importing server profile using iDRAC web interface	74
Importing server profile using RACADM	74
Restore operation sequence	74
Monitoring iDRAC using other Systems Management tools	75
Configuring iDRAC	76
Viewing iDRAC information	77
Viewing iDRAC information using web interface	77
Viewing iDRAC information using RACADM	77
Modifying network settings	77
Modifying network settings using web interface	78
Modifying network settings using local RACADM	78
Configuring IP filtering	78
Configure IP filtering using iDRAC web interface	78
Configuring IP filtering using RACADM	79
Cipher suite selection	79
Configuring cipher suite selection using iDRAC web interface	79
Configuring cipher suite selection using RACADM	80
FIPS mode	80
Enabling FIPS Mode	80
Enabling FIPS mode using web interface	80
Enabling FIPS mode using RACADM	81
Disabling FIPS mode	81
Configuring services	81
Configuring services using web interface	81
Configuring services using RACADM	81
Enabling or disabling HTTPs redirection	82
Configuring TLS	82
Configuring TLS using web interface	82
Configuring TLS using RACADM	82
Using VNC client to manage remote server	82
Configuring VNC server using iDRAC web interface	83
Configuring VNC server using RACADM	83
Setting up VNC viewer with SSL encryption	83
Setting up VNC viewer without SSL encryption	84
Configuring front panel display	84
Configuring LCD setting	84
Configuring LCD setting using web interface	84
Configuring LCD setting using RACADM	84
Configuring LCD setting using iDRAC settings utility	85
Configuring system ID LED setting	85
Configuring system ID LED setting using web interface	85
Configuring system ID LED setting using RACADM	85
Configuring time zone and NTP	85
Configuring time zone and NTP using iDRAC web interface	85
Configuring time zone and NTP using RACADM	86
Setting first boot device	86
Setting first boot device using web interface	86
Setting first boot device using RACADM	86
Setting first boot device using virtual console	86
Enabling last crash screen	87
Enabling or disabling OS to iDRAC Pass-through	87
Supported cards for OS to iDRAC Pass-through	88
Supported operating systems for USB NIC	88
Installing VIB file	90
Enabling or disabling OS to iDRAC Pass-through using web interface	90
Enabling or disabling OS to iDRAC Pass-through using RACADM	90
Enabling or disabling OS to iDRAC Pass-through using iDRAC settings utility	91
Obtaining certificates	91
SSL server certificates	92
Generating a new certificate signing request	93
Generating CSR using web interface	93
Generating CSR using RACADM	93
Uploading server certificate	93
Uploading server certificate using web interface	93
Uploading server certificate using RACADM	94
Viewing server certificate	94
Viewing server certificate using web interface	94
Viewing server certificate using RACADM	94
Uploading custom signing certificate	94
Uploading custom signing certificate using web interface	94
Uploading custom SSL certificate signing certificate using RACADM	95
Downloading custom SSL certificate signing certificate	95
Downloading custom signing certificate	95
Downloading custom SSL certificate signing certificate using RACADM	95
Deleting custom SSL certificate signing certificate	95
Deleting custom signing certificate using iDRAC web interface	95
Deleting custom SSL certificate signing certificate using RACADM	95
Configuring multiple iDRACs using RACADM	95
Creating an iDRAC configuration file	96
Disabling access to modify iDRAC configuration settings on host system	96
Viewing iDRAC and managed system information	98
Viewing managed system health and properties	98
Viewing system inventory	98
Viewing sensor information	99
Monitoring performance index of CPU, memory, and IO modules	101
Monitoring performance index for of CPU, memory, and IO modules using web interface	101
Monitoring performance index for of CPU, memory, and IO modules using RACADM	102
Checking the system for fresh air compliance	102
Viewing historical temperature data	102
Viewing historical temperature data using iDRAC web interface	103
Viewing historical temperature data using RACADM	103
Configuring warning threshold for inlet temperature	103
Configuring warning threshold for inlet temperature using web interface	103
Viewing network interfaces available on host OS	103
Viewing network interfaces available on host OS using web interface	104
Viewing network interfaces available on host OS using RACADM	104
Viewing FlexAddress mezzanine card fabric connections	104
Viewing or terminating iDRAC sessions	105
Terminating iDRAC sessions using web interface	105
Terminating iDRAC sessions using RACADM	105
Setting up iDRAC communication	106
Communicating with iDRAC through serial connection using DB9 cable	107
Configuring BIOS for serial connection	107
Enabling RAC serial connection	108
Enabling RAC serial connection using web interface	108
Enabling RAC serial connection using RACADM	108
Enabling IPMI serial connection basic and terminal modes	108
Enabling serial connection using web interface	108
Enabling serial connection IPMI mode using RACADM	109
Enabling serial connection IPMI serial settings using RACADM	109
Additional settings for ipmi serial terminal mode	109
Configuring additional settings for IPMI serial terminal mode using web interface	109
Configuring additional settings for IPMI serial terminal mode using RACADM	110
Switching between RAC serial and serial console while using DB9 cable	110
Switching from serial console to RAC serial	110
Switching from RAC serial to serial console	110
Communicating with iDRAC using IPMI SOL	110
Configuring BIOS for serial connection	110
Configuring iDRAC to use SOL	111
Configuring iDRAC to use SOL using iDRAC web interface	111
Configuring iDRAC to use SOL using RACADM	111
Enabling supported protocol	112
Enabling supported protocol using web interface	112
Enabling supported protocol using RACADM	112
SOL using IPMI protocol	113
SOL using SSH or Telnet protocol	113
Using SOL from PuTTY on Windows	114
Using SOL from OpenSSH or Telnet on Linux	114
Using Telnet virtual console	115
Configuring backspace key for your Telnet session	115
Disconnecting SOL session in iDRAC command line console	115
Communicating with iDRAC using IPMI over LAN	115
Configuring IPMI over LAN using web interface	116
Configuring IPMI over LAN using iDRAC settings utility	116
Configuring IPMI over LAN using RACADM	116
Enabling or disabling remote RACADM	116
Enabling or disabling remote RACADM using web interface	117
Enabling or disabling remote RACADM using RACADM	117
Disabling local RACADM	117
Enabling IPMI on managed system	117
Configuring Linux for serial console during boot	117
Enabling login to the virtual console after boot	118
Supported SSH cryptography schemes	119
Using public key authentication for SSH	120
Generating public keys for Windows	120
Generating public keys for Linux	121
Uploading SSH keys	121
Uploading SSH keys using web interface	121
Uploading SSH keys using RACADM	121
Viewing SSH keys	122
Viewing SSH keys using web interface	122
Viewing SSH keys using RACADM	122
Deleting SSH keys	122
Deleting SSH keys using web interface	122
Deleting SSH keys using RACADM	122
Configuring user accounts and privileges	123
Recommended characters in user names and passwords	123
Configuring local users	124
Configuring local users using iDRAC web interface	124
Configuring local users using RACADM	124
Adding iDRAC user using RACADM	125
Enabling iDRAC user with permissions	125
Configuring Active Directory users	125
Prerequisites for using Active Directory authentication for iDRAC	126
Enabling SSL on domain controller	127
Installing SSL certificate for each domain controller	127
Exporting domain controller root CA certificate to iDRAC	127
Importing iDRAC firmware SSL certificate	127
Supported Active Directory authentication mechanisms	128
Standard schema Active Directory overview	128
Single domain versus multiple domain scenarios	129
Configuring Standard schema Active Directory	129
Configuring Active Directory with Standard schema using iDRAC web interface	129
Configuring Active Directory with Standard schema using RACADM	130
Extended schema Active Directory overview	131
Active directory schema extensions	131
Overview of iDRAC schema extensions	132
Accumulating privileges using Extended Schema	132
Configuring Extended schema Active Directory	133
Extending Active Directory schema	133
Using Dell Schema Extender	134
Classes and attributes	134
Installing Dell extension to the Active Directory users and computers snap-in	137
Adding iDRAC users and privileges to Active Directory	137
Creating iDRAC device object	137
Creating privilege object	138
Creating association object	138
Providing user access privileges for association objects	138
Adding objects to association object	138
Adding users or user groups	138
Adding privileges	139
Adding iDRAC devices or iDRAC device groups	139
Configuring Active Directory with Extended schema using iDRAC web interface	139
Configuring Active Directory with Extended schema using RACADM	139
Testing Active Directory settings	140
Testing Active Directory settings using iDRAC web interface	140
Testing Active Directory settings using RACADM	141
Configuring generic LDAP users	141
Configuring generic LDAP directory service using iDRAC web-based interface	141
Configuring generic LDAP directory service using RACADM	142
Testing LDAP directory service settings	142
Testing LDAP directory service settings using iDRAC web interface	142
Testing LDAP directory service settings using RACADM	142
Configuring iDRAC for Single Sign-On or smart card login	143
Prerequisites for Active Directory Single Sign-On or smart card login	143
Registering iDRAC as a computer in Active Directory root domain	144
Generating Kerberos keytab file	144
Creating Active Directory objects and providing privileges	144
Configuring iDRAC SSO login for Active Directory users	145
Configuring iDRAC SSO login for Active Directory users using web interface	145
Configuring iDRAC SSO login for Active Directory users using RACADM	145
Configuring iDRAC smart card login for local users	145
Uploading smart card user certificate	146
Uploading smart card user certificate using web interface	146
Uploading smart card user certificate using RACADM	146
Uploading trusted CA certificate for smart card	146
Uploading trusted CA certificate for smart card using web interface	146
Uploading trusted CA certificate for smart card using RACADM	146
Configuring iDRAC smart card login for Active Directory users	146
Enabling or disabling smart card login	147
Enabling or disabling smart card login using web interface	147
Enabling or disabling smart card login using RACADM	147
Enabling or disabling smart card login using iDRAC settings utility	147
Configuring iDRAC to send alerts	149
Enabling or disabling alerts	149
Enabling or disabling alerts using web interface	150
Enabling or disabling alerts using RACADM	150
Enabling or disabling alerts using iDRAC settings utility	150
Filtering alerts	150
Filtering alerts using iDRAC web interface	150
Filtering alerts using RACADM	151
Setting event alerts	151
Setting event alerts using web interface	151
Setting event alerts using RACADM	151
Setting alert recurrence event	151
Setting alert recurrence events using iDRAC web interface	152
Setting alert recurrence events using RACADM	152
Setting event actions	152
Setting event actions using web interface	152
Setting event actions using RACADM	152
Configuring email alert, SNMP trap, or IPMI trap settings	152
Configuring IP alert destinations	153
Configuring IP alert destinations using web interface	153
Configuring IP alert destinations using RACADM	153
Configuring IP alert destinations using iDRAC settings utility	154
Configuring email alert settings	154
Configuring email alert settings using web interface	154
Configuring email alert settings using RACADM	155
Configuring SMTP email server address settings	155
Configuring SMTP email server address settings using iDRAC web interface	155
Configuring SMTP email server address settings using RACADM	156
Configuring WS Eventing	156
Configuring Redfish Eventing	156
Monitoring chassis events	156
Monitoring chassis events using the iDRAC web interface	156
Monitoring chassis events using RACADM	156
Alerts message IDs	157
Managing logs	160
Viewing System Event Log	160
Viewing System Event Log using web interface	160
Viewing System Event Log using RACADM	160
Viewing System Event Log using iDRAC settings utility	161
Viewing Lifecycle log	161
Viewing Lifecycle log using web interface	161
Filtering Lifecycle logs	162
Adding comments to Lifecycle logs	162
Viewing Lifecycle log using RACADM	162
Exporting Lifecycle Controller logs	162
Exporting Lifecycle Controller logs using web interface	162
Exporting Lifecycle Controller logs using RACADM	162
Adding work notes	163
Configuring remote system logging	163
Configuring remote system logging using web interface	163
Configuring remote system logging using RACADM	163
Monitoring and managing power	164
Monitoring power	164
Monitoring power using web interface	164
Monitoring power using RACADM	165
Setting warning threshold for power consumption	165
Setting warning threshold for power consumption using web interface	165
Executing power control operations	165
Executing power control operations using web interface	165
Executing power control operations using RACADM	166
Power capping	166
Power capping in Blade servers	166
Viewing and configuring power cap policy	166
Configuring power cap policy using web interface	166
Configuring power cap policy using RACADM	167
Configuring power cap policy using iDRAC settings utility	167
Configuring power supply options	167
Configuring power supply options using web interface	167
Configuring power supply options using RACADM	167
Configuring power supply options using iDRAC settings utility	168
Enabling or disabling power button	168
Inventorying, monitoring, and configuring network devices	169
Inventorying and monitoring network devices	169
Monitoring network devices using web interface	169
Monitoring network devices using RACADM	170
Inventorying and monitoring FC HBA devices	170
Monitoring FC HBA devices using web interface	170
Monitoring FC HBA devices using RACADM	170
Dynamic configuration of virtual addresses, initiator, and storage target settings	170
Supported cards for IO Identity Optimization	171
Supported NIC firmware versions for IO Identity Optimization	172
Virtual or Flex Address and Persistence Policy behavior when iDRAC is set to Flex Address mode or Console mode	172
System behavior for FlexAddress and IO Identity	173
Enabling or disabling IO Identity Optimization	174
Enabling or disabling IO Identity Optimization using web interface	174
Enabling or disabling IO Identity Optimization using RACADM	174
Configuring persistence policy settings	174
Configuring persistence policy settings using iDRAC web interface	175
Configuring persistence policy settings using RACADM	175
iSCSI initiator and storage target default values	176
Managing storage devices	178
Understanding RAID concepts	179
RAID	179
Hardware and software RAID	180
RAID concepts	180
RAID levels	180
Organizing data storage for availability and performance	180
Choosing RAID levels	181
RAID level 0 - striping	181
RAID level 1 - mirroring	182
RAID level 5 -striping with distributed parity	182
RAID level 6 - striping with additional distributed parity	183
RAID level 50 - striping over RAID 5 sets	184
RAID level 60 - striping over RAID 6 sets	184
RAID level 10 - striped-mirrors	185
Comparing RAID level performance	186
Supported controllers	187
Supported enclosures	187
Summary of supported features for storage devices	188
Inventorying and monitoring storage devices	190
Monitoring storage devices using web interface	190
Monitoring storage devices using RACADM	190
Monitoring backplane using iDRAC settings utility	190
Viewing storage device topology	191
Managing physical disks	191
Assigning or unassigning physical disk as global hot spare	191
Assigning or unassigning global hot spare using web interface	191
Assigning or unassigning global hot spare using RACADM	192
Converting a physical disk to RAID or non-RAID mode	192
Converting physical disks to RAID capable or non-RAID mode using the iDRAC web interface	192
Converting physical disks to RAID capable or non-RAID mode using RACADM	193
Managing virtual disks	193
Creating virtual disks	193
Considerations before creating virtual disks	194
Creating virtual disks using web interface	194
Creating virtual disks using RACADM	194
Editing virtual disk cache policies	194
Deleting virtual disks	195
Checking virtual disk consistency	196
Initializing virtual disks	196
Encrypting virtual disks	196
Assigning or unassigning dedicated hot spares	197
Managing virtual disks using web interface	197
Managing virtual disks using RACADM	198
Managing controllers	198
Configuring controller properties	199
Configuring controller properties using web interface	200
Configuring controller properties using RACADM	200
Importing or auto importing foreign configuration	201
Importing foreign configuration using web interface	202
Importing foreign configuration using RACADM	202
Clearing foreign configuration	202

Match case Limit results 1 per page

Registering iDRAC as a computer in Active Directory root

domain

To register iDRAC in Active Directory root domain:

Click

Overview

iDRAC Settings

Network

The

Network

page is displayed.

Provide a valid

Preferred/Alternate DNS Server

IP address. This value is a valid DNS server IP address that is part of the root

domain.

Select

Provide a valid

DNS Domain Name

Verify that network DNS configuration matches with the Active Directory DNS information.

For more information about the options, see the

iDRAC Online Help

Generating Kerberos keytab file

To support the SSO and smart card login authentication, iDRAC supports the configuration to enable itself as a kerberized service on a

Windows Kerberos network. The Kerberos configuration on iDRAC involves the same steps as configuring a non–Windows Server

Kerberos service as a security principal in Windows Server Active Directory.

The

ktpass

tool (available from Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN)

bindings to a user account and export the trust information into a MIT–style Kerberos

keytab

file, which enables a trust relation between

an external user or system and the Key Distribution Centre (KDC). The keytab file contains a cryptographic key, which is used to encrypt

the information between the server and the KDC. The ktpass tool allows UNIX–based services that support Kerberos authentication to

use the interoperability features provided by a Windows Server Kerberos KDC service. For more information on the

ktpass

utility, see the

Microsoft website at:

technet.microsoft.com/en-us/library/cc779157(WS.10).aspx

Before generating a keytab file, you must create an Active Directory user account for use with the

-mapuser

option of the

ktpass

command. Also, you must have the same name as iDRAC DNS name to which you upload the generated keytab file.

To generate a keytab file using the ktpass tool:

Run the

ktpass

utility on the domain controller (Active Directory server) where you want to map iDRAC to a user account in Active

Directory.

Use the following ktpass command to create the Kerberos keytab file:

C:\> ktpass.exe -princ HTTP/[email protected] -mapuser DOMAINNAME

\username -mapOp set -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass [password] -out

c:\krbkeytab

The encryption type is AES256-SHA1. The principal type is KRB5_NT_PRINCIPAL. The properties of the user account to which the

Service Principal Name is mapped to must have

Use AES 256 encryption types for this account

property enabled.

NOTE:

Use lowercase letters for the iDRACname and Service Principal Name. Use uppercase letters for the domain

name as shown in the example.

Run the following command:

C:\>setspn -a HTTP/iDRACname.domainname.com username

A keytab file is generated.

NOTE:

If you find any issues with iDRAC user for which the keytab file is created, create a new user and a new

keytab file. If the same keytab file which was initially created is again executed, it does not configure correctly.

Creating Active Directory objects and providing privileges

Perform the following steps for Active Directory Extended schema based SSO login:

Create the device object, privilege object, and association object in the Active Directory server.

Set access privileges to the created privilege object. It is recommended not to provide administrator privileges as this could bypass

some security checks.

Associate the device object and privilege object using the association object.

144

Configuring iDRAC for Single Sign-On or smart card login