iDRAC AD Authentication Guide for Active Directory SSO and Smart Card Login

Prerequisites for Active Directory SSO and Smart Card Authentication

The pre-requisites for both Active Directory SSO and Smart Card authentication are:

•Configure the iDRAC6 for Active Directory login. For more information, see "Using the iDRAC6 Directory Service" on page 143.

•Register the iDRAC6 as a computer in the Active Directory root domain. To do this:

a Click Remote Access→ Network/Security tab→ Network subtab.

b Provide a valid Preferred/Alternate DNS Server IP address. This value is the IP address of the DNS that is part of the root domain,

which authenticates the Active Directory accounts of the users. c Select Register iDRAC on DNS.

dProvide a valid DNS Domain Name.

See the iDRAC6 Online Help for more information.

•To support the two new types of authentication mechanisms, iDRAC6 supports the configuration to enable itself as a kerberized service on a Windows Kerberos network. The Kerberos configuration on iDRAC6 involves the same steps as configuring a non–Windows Server Kerberos service as a security principal in Windows Server Active Directory.

The Microsoft tool ktpass (supplied by Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN) bindings to a user account and export the trust information into a MIT–style Kerberos keytab file, which enables a trust relation between an external user or system and the Key Distribution Centre (KDC). The keytab file contains a cryptographic key, which is used to encrypt the information between the server and the KDC. The ktpass tool allows UNIX–based services that support Kerberos authentication to use the interoperability features provided by a Windows Server Kerberos KDC service.

The keytab obtained from the ktpass utility is made available to the iDRAC6 as a file upload and is enabled to be a kerberized service on the network.

188

Configuring iDRAC6 for Single Sign-On or Smart Card Login

Image 188

Dell IDRAC6 manual Click Remote Access→ Network/Security tab→ Network subtab, 188

Contents

User Guide July Contents Updating the iDRAC6 Firmware Installing the Software onAccessing the Web Interface Using Multiple Browser Tabs and Windows Connecting the DB-9 or Null Modem Configuring the Management StationViewing Internal Dual SD Module Cable for the Serial Console Frequently Asked Questions about 125 Using the Web Interface to Configure106 109 Using the Racadm Utility to Configure 139 Supported Active Directory Authentication 148143 Prerequisites for Enabling Microsoft Generic Ldap Directory Service 178 Frequently Asked Questions about168 177 Troubleshooting the Smart Card 191193 198 213 Launching Virtual Console and Virtual 219221 231 Creating a Bootable Image File 240 Using the Ipmi Remote Access 254Configuring Serial Over LAN Using 254 239 255 257259 264 Frequently Asked Questions 288 Power Inventory, Power Budgeting274 284 293 294295 298 Configuring Platform Events 316 Frequently Asked Question about 322325 326 Using the System Event Log SEL 330 Using the Diagnostics Console 337332 333 Using the Secure Shell SSH 353 341342 Removable Flash Media Probes 342 IDRAC6 Express Management Features IDRAC6 Overview IDRAC6 Overview IDRAC6 Feature List IDRAC6 Enterprise and vFlash MediaIDRAC6 Express Enterprise With vFlash Interface and Standards Support Remote Management and Remediation Security and AuthenticationConnectivity Monitoring Logging RAC Log Lifecycle Controller Unified Server Configurator SM-CLP IDRAC6 Overview Supported Remote Access Connections Supported Remote Access Connections FeaturesIDRAC6 Ports IDRAC6 Server Listening Ports Port Number Function Other Documents You May Need IDRAC6 Client Ports Port Number Function IDRAC6 Overview IDRAC6 Overview IDRAC6 Overview Getting Started With the iDRAC6 Getting Started With the iDRAC6 Before You Begin Basic Installation of the iDRAC6Installing the iDRAC6 Express/Enterprise Hardware Configuring Your System to Use an iDRAC6 Select Save Changes and Exit Configuring iDRAC6 Software Installation and Configuration OverviewInstalling iDRAC6 Software Installing the Software on the Managed System Installing the Software on the Management Station Installing Racadm Uninstalling Racadm Downloading the iDRAC6 Firmware Updating the iDRAC6 FirmwareBefore You Begin Updating the iDRAC6 Firmware Using the Web-Based Interface Updating the iDRAC6 Firmware Using Racadm Click Tools, and click Internet Options Configuring a Supported Web BrowserList of Trusted Domains Linux Viewing Localized Versions of the Web-Based InterfaceWindows Updated entry Basic Installation of the iDRAC6 Configuring the iDRAC6 Using the Web Interface Accessing the Web Interface Logging Using Multiple Browser Tabs and Windows Logging Out Click Remote Access→ Network/Security→ Network Configuring the iDRAC6 NICConfiguring the Network and Ipmi LAN Settings Network Settings Setting Description Click the appropriate button to continue. See Table Network Settings Description Common Settings Description Preferred DNS Server and Alternate DNS Server fields Common Settings SettingDescriptionIPv4 Settings Description IPv6 Settings Description Vlan Settings SettingDescription IPv6 Settings SettingDescriptionIpmi Settings Description Apply Configuring IP Filtering and IP BlockingNetwork Configuration Page Buttons Description Network Security Page Settings Description 11. Platform Event Filters Index Configuring Platform Events10. Network Security Page Buttons Description Processor AbsentCritical Assert Click System→ Alerts→ Traps Settings Configuring Platform Event Filters PEFConfiguring Platform Event Traps PET Configuring E-Mail Alerts Configuring Ipmi Using Web Interface Click System→ Alerts→ Email Alert Settings Network/Security tab, click Serial Set the Channel Privilege Level Limit and Flow Control Configuring iDRAC6 Users Secure Sockets Layer SSL Accessing SSL Through the Web-Based Interface Click Remote Access→ Network/SecurityCertificate Signing Request CSR 12. SSL Page Options Field Description View Server Certificate Generating a Certificate Signing RequestUpload Server Certificate Common Name Organization NameOrganization Unit Locality Uploading a Server Certificate Refresh Reloads the Generate Certificate Signing RequestMenu 15. Certificate Upload Page Buttons Description Viewing a Server Certificate 16. Certificate Information Field Description17. View Server Certificate Page Buttons Button Description Configuring and Managing Active Directory Enabled Single Sign-OnSchema Selection Active Directory Timeout User Domain Name Certificate Extended SchemaSettings Print Configuring and Managing Generic LdapConfiguring iDRAC6 Services 20. Local Configuration Setting Description 21. Web Server Settings 21. Web Server Settings SettingDescription 22. SSH Settings Description23. Telnet Settings Port Number 23. Telnet Settings Description 24. Remote Racadm Settings25. Snmp Settings 26. Automated System Recovery Agent Setting Updating the iDRAC6 Firmware/System Services Recovery Image 27. Services Page Buttons Description File upload in progress Remote Syslog IDRAC6 Firmware Rollback 28. Remote Syslog Settings AttributeDescription First Boot Device 29. First Boot Device Attribute DescriptionFirst Boot Device Boot Once Remote File Share 30 lists the remote file share settings 30. Remote File Server Settings Attribute Description Internal Dual SD Module Viewing Internal Dual SD Module Status Using GUI 32. SD Card States Description Advanced iDRAC6 Configuration Click Apply Changes Configuring the iDRAC6 Settings to Enable SSH/TelnetStarting a Text Console Through Telnet or SSH Using a Telnet Console Running Telnet Using Microsoft Windows XP or Windows Enable Telnet in Windows Component Services Using the Secure Shell SSH Configuring Linux for Serial Console During Boot Cryptography Schemes Scheme Type Sample File /etc/grub.conf Serial --unit=1 --speed=57600 terminal --timeout=10 serial Enabling Login to the Virtual Console After Boot Shows a sample file with the new line Sample File /etc/innitab Sample File /etc/innitab Configuring iDRAC6 for Serial Connection Sample File /etc/securetty Racadm config -g cfgSerial -o cfgSerialConsoleEnable For Direct Connect Terminal mode 100 101 Signal Name 102 Configuring Linux Minicom for Serial Console Emulation 103 104 Select Save setup as configname and press EnterRequired Minicom Settings for Serial Console Emulation Configuring HyperTerminal for Serial Console 105 Configuring Serial and Terminal Modes Configuring Ipmi and iDRAC6 SerialManagement Station COM Port Settings Setting Description Ipmi Serial Settings Description 107 IDRAC6 Serial Settings10. Serial Page Settings Configuring Terminal Mode Serial page, click Terminal Mode Settings11. Terminal Mode Settings Description 12. Terminal Mode Settings Page Buttons Description Configuring the iDRAC6 Network Settings Accessing the iDRAC6 Through a Network12. Terminal Mode Settings Page Buttons ButtonDescription 109 13. iDRAC6 Interfaces InterfaceDescription Powercycle, and hardreset commands110 13. iDRAC6 Interfaces Description Using Racadm Remotely111 112 14. racadm Command Options Description Racadm SynopsisRacadm Options 113 114 Racadm SubcommandsEnabling and Disabling the Racadm Remote Capability 15. Racadm Subcommands Command Description 115 116 117 Frequently Asked Questions About Racadm Error MessagesWhat does this message mean? Configuring Multiple iDRAC6 Controllers 118 Creating an iDRAC6 Configuration File 119 120 121 Parsing RulesExample Modifying the iDRAC6 IP Address 122 Configuring iDRAC6 Network Properties 123 124 Frequently Asked Questions about Network Security 16. iDRAC6 NIC Configurations Mode DescriptionIDRAC6 Modes 125 Why doesn’t my DNS server register my iDRAC6? 126 127 128 Adding and Configuring IDRAC6 Users Adding and Configuring iDRAC6 UsersClick Remote Access→ Network/Security→ Users 129 User States and Permissions Setting Description 130 Smart Card Configuration Options OptionDescription Enable User131 Upload Trusted CA General User Settings 132Ipmi User Privileges PropertyDescription IDRAC User Privileges Property Description IDRAC Group Permissions User Group Permissions Granted 133Reasons, assign this privilege carefully Public Key Authentication over SSH User Configuration Page Buttons ActionBefore You Begin 134 135 Generating Public Keys for WindowsGenerating Public Keys for Linux Logging in Using Public Key Authentication Sending racadm commandsLogging 136 SSH Key Configurations Option Description 137Upload SSH Keys Option Description 10. View/Remove SSH Keys Option Description Uploading, Viewing, and Deleting SSH Keys Using Racadm UploadView Delete Using the Racadm Utility to Configure iDRAC6 Users 139 140 Adding an iDRAC6 UserExample 141 Removing an iDRAC6 UserEnabling an iDRAC6 User With Permissions 142 IDRAC6 User Privileges Description Using iDRAC6 With Microsoft Active Directory143 144 Privilege Description 145 Click Start→ Administrative Tools→ Domain Security PolicyEnabling SSL on a Domain Controller 146 Importing the iDRAC6 Firmware SSL Certificate 147 Supported Active Directory Authentication Mechanisms Extended Schema Active Directory OverviewActive Directory Schema Extensions 148 149 Overview of the iDRAC Schema ExtensionsActive Directory Object Overview Typical Setup for Active Directory Objects 150 Accumulating Privileges Using Extended Schema 151 152 Extending the Active Directory Schema 153 Using the Dell Schema Extender 154 155 156 DellPrivileges ClassDellProduct Class 840.113556.1.8000.1280.1.1.1.5 Valued 157Single 158 Installing the Administrator Pack 159 Creating an iDRAC Device Object Select iDRAC Device ObjectCreating a Privilege Object Select Privilege Object Configuring an Association Object Creating an Association ObjectAdding Users or User Groups Adding Privileges Adding iDRAC Devices 162 163 Racadm 164 165 166 167 Standard Schema Active Directory Overview 168 Default Role Group Privileges Single Domain Versus Multiple Domain Scenarios169 Permissions Granted Bit Mask Groups Level Directory Users and Computers Snap-in 170 171 172 173 174 175 176 Testing Your Configurations 177 178 Generic Ldap Directory ServiceLogin Syntax Directory User versus Local User 179 180 181 Configuring Generic Ldap Directory Service Using Racadm View the settings using the below commandsUse Racadm to confirm whether login is possible Additional settings to test BindDN option Frequently Asked Questions about Active Directory 183 184 When do I need to configure Global Catalog Addresses?How does standard schema query work? Why does iDRAC6 enable certificate validation by default? Does iDRAC6 support the NetBIOS name?Does iDRAC6 always use Ldap over SSL? 185 186 Configuring iDRAC6 for Single Sign- On or Smart Card Login About Kerberos Authentication Click Remote Access→ Network/Security tab→ Network subtab 188 189 Browser Settings to Enable Active Directory SSO Select Tools→ Internet Options→ Security→ Local IntranetClick Advanced 190 191 Using Microsoft Active Directory SSOConfiguring iDRAC6 to Use SSO 192 Logging Into iDRAC6 Using SSOUsing Racadm Configuring Smart Card Authentication Configuring Local iDRAC6 Users for Smart Card LogonExporting the Smart Card Certificate 193 Configuring Active Directory Users for Smart Card Logon Configuring Smart Card Using iDRAC6Network/Security→ tab Smart Card 194 Smart Card Settings Description Enabled with Remote Racadm Enables Smart CardIf you select Enabled or Enabled with Remote Racadm, you Enable with Remote Racadm setting only to access Logging Into the iDRAC6 Using the Smart Card IDRAC6 under Remote Access→ Network/Security→196 Network 197 Troubleshooting the Smart Card Logon in iDRAC6 ActiveX plug-in unable to detect the Smart Card readerIncorrect Smart Card PIN Unable to Log into Local iDRAC6 Unable to Log into iDRAC6 as an Active Directory User 199 Frequently Asked Questions About SSO 200 201 202 Using GUI Virtual Console Using Virtual ConsoleOverview 203 Configuring Your Management Station 204 205 206 Clear Your Browser’s CacheJava Cache viewer is displayed Common Settings for Microsoft Windows Operating Systems 207 208 Supported Screen Resolutions and Refresh RatesConfiguring Virtual Console in the iDRAC6 Web Interface Local Server Video 209Remote Presence Port Configuration Page Buttons Definition Opening a Virtual Console Session210 Plug-in Type Virtual Console Enabled Video Encryption EnabledEnabled Remote Presence Port 211 Virtual Console Preview 212Virtual Console and Virtual Media Page Buttons Definition Refresh Reloads the Virtual Console and Virtual Media Using iDRAC6 Virtual Console Video Viewer Settings on the Console/Media Configuration213 Virtual Console Preview Options Descritpion 214 Viewer Menu Bar Selections Menu Item DescriptionPin icon Virtual Launch Virtual 215 216 Viewer Menu Bar Selections Menu Item Item Description 217 218 Click System→ Console/Media→ ConfigurationDisabling or Enabling Local Server Video 219 Launching Virtual Console and Virtual Media RemotelyURL Format 220 General Error ScenariosError Scenarios Reason Behavior Frequently Asked Questions on Virtual Console 221 CfgRacTuneLocalServerVideo Using Virtual Console Frequently Asked Questions Answer222 Bios 223 224 Using the WS-MAN Interface Supported CIM Profiles225 Standard Dmtf Standard Dmtf 227 Standard Dmtf Dell Extensions 229 WS-MAN release notes or readme file Using the iDRAC6 SM-CLP Command Line Interface IDRAC6 SM-CLP Support SM-CLP Features Using SM-CLPSM-CLP Targets 232 233 SM-CLP Targets Definitions 234 Capabilities on the system 235 Dhcp 236 237 238 Deploying Your Operating System Using Vmcli Remote System RequirementsNetwork Requirements 239 Creating a Bootable Image File Configuring the Remote SystemsPreparing for Deployment Creating an Image File for Linux Systems Deploying the Operating System 241 Using the Vmcli Utility 242 243 Installing the Vmcli UtilityCommand Line Options Vmcli Parameters IDRAC6 IP AddressIDRAC6 User Name 244 245 IDRAC6 User PasswordFloppy/Disk Device or Image File CD/DVD Device or Image File 246 Vmcli Operating System Shell Options Version DisplayHelp Display Encrypted Data Vmcli Return Codes 248 Configuring Ipmi Using Web-Based Interface Configuring Ipmi Using the Racadm CLISupport.dell.com\manuals 249 250 251 252 253 254 Using the Ipmi Remote Access Serial InterfaceConfiguring Serial Over LAN Using the Web-Based Interface Configuring and Using Virtual Media 255 Windows-Based Management Station 256 Configuring Virtual Media Virtual Media Configuration Properties Attribute ValueLinux-Based Management Station 257 258 Virtual Media Configuration Properties AttributeValueConfiguration Page Buttons Description Supported Virtual Media Configurations Connecting Virtual MediaRunning Virtual Media 259 Click Launch Virtual Console 260 Booting From Virtual Media Disconnecting Virtual MediaClick Tools→ Launch Virtual Media 261 262 Installing Operating Systems Using Virtual MediaBoot Once Feature Select the Enable Boot Once option under Virtual Media Windows-Based SystemsLinux-Based Systems 263 264 Frequently Asked Questions about Virtual MediaUsing Virtual Media Frequently Asked Questions Answer Using the Dell Systems Management Tools 265 266 267 Answer On Windows Event Collector and click Stop Administrative Tools Services. Right-click268 Configuring vFlash SD Card and Managing vFlash Partitions 269 Size 270SD Card Properties Attribute Description VFlash Enabled 271Available Space Write-protected 272 Configuring vFlash or Standard SD Card UsingDisplaying the vFlash or Standard SD Card Properties Resetting the vFlash or Standard SD Card Enabling or Disabling the vFlash or Standard SD CardInitializing the vFlash or Standard SD Card Getting the Last Status on the vFlash or Standard SD Card 274 Managing vFlash Partitions Using iDRAC6 Web InterfaceCreating an Empty Partition 275 Create Empty Partition Page Options Field DescriptionIndex Label Emulation Type Creating a Partition Using an Image File276 Img nor .iso 277 Image Location Formatting a Partition278 Viewing Available Partitions 279Format Partition Page Options Field Description Format Type 280 Viewing Available Partitions Field DescriptionRead-Only Attached 281 Modifying a PartitionAttaching and Detaching Partition 282 Deleting Existing PartitionsOperating System Behavior for Attached Partitions Downloading Partition Contents Managing vFlash Partitions Using Racadm Booting to a PartitionValid Options 284 285 Options only valid with the create actionOptions only valid with the status action Creating a Partition Deleting a PartitionGetting the Status of a Partition Viewing Partition Information Attaching or Detaching a Partition 287 288 Frequently Asked QuestionsWhen is the vFlash or standard SD card locked? Power Monitoring Management 289 Power Inventory, Power Budgeting, and Capping Power MonitoringConfiguring and Managing Power 290 Viewing the Health Status of the Power Supply Units Using the Web-Based InterfacePower Supplies Redundancy Status The possible values are Individual Power Supply Elements The possible values are Using Racadm 292 Viewing Power Budget Using the Web InterfacePower Budget Information page displays 293 Power Budget Threshold 294 295 Viewing Power MonitoringPower Monitoring 296 Power Tracking StatisticsAmperage Power Consumption HeadroomShow Graph 297 Executing Power Control Operations on the Server 298 299 300 Using the iDRAC6 Configuration Utility 301 302 Starting the iDRAC6 Configuration UtilityUsing the iDRAC6 Configuration Utility 303 IDRAC6 LANIpmi Over LAN LAN Parameters Description LAN Parameters304 IPv4 Settings Ethernet IP Address, Subnet Mask, and Default GatewayWhen Static is selected, the Ethernet IP Address, Subnet 305 IPv6 Settings Selected, the IPv6 Address 1, Prefix Length, and DefaultWhen Static is selected, the IPv6 Address 1, Prefix Length 306 307 Virtual Media ConfigurationVirtual Media VFlash Initialize vFlashVFlash Properties 308 System Services Configuration System Services Cancel System ServicesSmart Card Logon 309 LCD Configuration LCD User ConfigurationCollect System Inventory on Restart 310 LAN User Configuration Reset to DefaultBetween the options Disabled, View And Modify, and View 311 LAN User Configuration Description 312 313 314 Exiting the iDRAC6 Configuration UtilitySystem Event Log Menu Monitoring and Alert Management 315 Disabling the Windows Automatic Reboot Option Disabling the Automatic Reboot Option in Windows ServerClick Advanced System Settings under Tasks on the left Under Startup and Recovery, click Settings 317 318 Configuring PEF Using the Web-Based InterfaceConfiguring PEF Using the Racadm CLI Configuring PET Configuring PET Using the Web User InterfaceConfiguring PET Using the Racadm CLI 319 320 Configuring E-mail Alerts Using the Web User InterfaceConfiguring E-Mail Alerts Using the Racadm CLI Testing E-mail Alerting 321 Frequently Asked Question about Snmp Authentication Testing the RAC Snmp Trap Alert FeatureWhy is the following message displayed 322 323 324 First Steps to Troubleshoot a Remote System 325 Managing Power on a Remote System Selecting Power Control Actions from the iDRAC6 CLIViewing System Information 326 Auto Recovery FieldDescription Main System Chassis327 System Information Field Description Remote Access Controller 328Embedded NIC MAC Addresses Field Description RAC Information Field Description IPv6 Information Fields Description 329IPv4 Information Field Description 330 Using the System Event Log SELStatus Indicator Icons Icon/Category Description Using the Command Line to View System Log 331SEL Page Buttons Button Action Using the Post Boot Logs 332 Viewing the Last System Crash Screen To view the Last Crash Screen333 Last Crash Screen Page Buttons Action 334 Using the RAC Log 335 Using the iDRAC Log Page Buttons 336IDRAC Log Page Information Field Description IDRAC Log Buttons Action 337 Using the Command LineUsing the Diagnostics Console Using Identify Server Click System→ Remote Access→ Troubleshooting→ IdentifyDiagnostic Commands Description 338 339 Using the Trace LogUsing the racdump Using the coredump 340 Battery Probes SensorsFan Probes Chassis Intrusion Probes Power Supplies Probes Power Monitoring ProbesTemperature Probe Removable Flash Media Probes Voltage Probes 343 344 Configuring Security Features 345 Security Options for the iDRAC6 Administrator Disabling the iDRAC6 Local ConfigurationDisabling Local Configuration During System Reboot Disabling Local Configuration From Local Racadm 347 Disabling iDRAC6 Virtual Console 348 349 SSL Main Menu Field Description Accessing the SSL Main Menu350 351 SSL Main Menu Buttons Description Certificate Information Field Description 352Generate Certificate Signing Request CSR Page Buttons 353 Using the Secure Shell SSHConfiguring Services Local Configuration Settings Description Web Server Settings354 Http Port Number SSH Settings Description Telnet Settings10. Remote Racadm Settings 355 11. Snmp Agent Settings Description 12. Automated System Recovery Agent Setting Description13. Services Page Buttons 356 357 Enabling Additional iDRAC6 Security OptionsIP Filtering IpRange Enabling IP Filtering 358 359 IP Filtering GuidelinesIP Blocking 15. Login Retry Restriction Properties Property Definition 360 361 Network Configuration page, click Advanced SettingsEnabling IP Blocking 16. Network Security Page Settings Description Go Back to Network Returns to the Network Configuration362 Penalty Time Index ASR Index Index Ipmi Racadm SEL Index Index