Single Sign-On
SSO login fails on Windows Server 2008 R2 x64. What are the settings required to resolve this?
1. Run the technet.microsoft.com/en-us/library/dd560670(WS.10).aspx for the domain controller
and domain policy.
2. Configure the computers to use the DES-CBC-MD5 cipher suite.
These settings may affect compatibility with client computers or services and applications in your
environment. The Configure encryption types allowed for Kerberos policy setting is located at
Computer ConfigurationSecurity SettingsLocal PoliciesSecurity Options.
3. Make sure that the domain clients have the updated GPO.
4. At the command line, type gpupdate /force and delete the old key tab with klist purge
command.
5. After the GPO is updated, create the new keytab.
6. Upload the keytab to iDRAC.
You can now log in to iDRAC using SSO.
Why does SSO login fail with Active Directory users on Windows 7 and Windows Server 2008 R2?
You must enable the encryption types for Windows 7 and Windows Server 2008 R2. To enable the
encryption types:
1. Log in as administrator or as a user with administrative privilege.
2. Go to Start and run gpedit.msc. The Local Group Policy Editor window is displayed.
3. Go to Local Computer Settings Windows Settings Security SettingsLocal Policies
Security Options.
4. Right-click Network Security: Configure encryption types allowed for kerberos and select
Properties.
5. Enable all the options.
6. Click OK. You can now log in to iDRAC using SSO.
Perform the following additional settings for Extended Schema:
1. In the Local Group Policy Editor window, navigate to Local Computer SettingsWindows
SettingsSecurity SettingsLocal PoliciesSecurity Options .
2. Right-click Network Security: Restrict NTLM: Outgoing NTLM traffic to remote server and select
Properties.
3. Select Allow all, click OK, and close the Local Group Policy Editor window.
4. Go to Start and run cmd. The command prompt window is displayed.
5. Run the command gpupdate /force. The group policies are updated. Close the command
prompt window.
6. Go to Start and run regedit. The Registry Editor window is displayed.
7. Navigate to HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSA .
8. In the right-pane, right-click and select NewDWORD (32-bit) Value.
9. Name the new key as SuppressExtendedProtection.
10. Right-click SuppressExtendedProtection and click Modify.
11. In the Value data field, type 1 and click OK.
327