Two-factor authentication login | HP 232664-006 manual

Two-factor authentication login

When you connect to RILOE II and two-factor authentication is required, the Client Authentication page prompts you to select the certificate you want to use. The Client Authentication page displays all of the certificates available to authenticate a client. Select your certificate. The certificate can be a certificate mapped to a local user in RILOE II, or a user specific certificate issued for authenticating to the domain.

After you have selected a certificate, if the certificate is protected with a password or if the certificate is stored on a smart card, a second page appears prompting you to enter the PIN or password associated with the chosen certificate.

The certificate is examined by RILOE II to ensure it was issued by a trusted CA by checking the signature against the CA certificate configured in RILOE II. RILOE II determines if the certificate has been revoked and if it maps to a user in the RILOE II local user database. If all of these tests pass, then the normal RILOE II user interface appears.

If your credential authentication fails, the Login Failed page appears. If login fails, you are instructed to close the browser, open a new browser page, and try connecting again. If directory authentication is enabled, and local user authentication fails, RILOE II displays a login page with the directory user name field populated with either the User Principal Name from the certificate or the Distinguished Name (derived from the subject of the certificate). RILOE II requests the password for the account. After providing the password, you are authenticated.

Using two-factor authentication with directory authentication

In some cases, configuring two-factor authentication with directory authentication is complicated. RILOE II can use HP Extended schema or Default Directory schema to integrate with directory services. To ensure security when two-factor authentication is enforced, RILOE II uses an attribute from the client certificate as the directory user's login name. Which client certificate attribute RILOE II uses is determined by the Certificate Owner configuration setting on the Two-Factor Authentication Settings page. If Certificate

RILOE II security 65

Image 65

HP 232664-006 manual Two-factor authentication login

Contents

HP Remote Insight Lights-Out Edition II User Guide Audience assumptions Contents Systems Insight Manager integration Directory servicesRiloe II security Scripting, command line, and utility options 110 Directory-enabled remote management 103 Troubleshooting the Riloe 173 Technical support 194 Directory Services schema 187Regulatory compliance notices 195 Acronyms and abbreviations 199 Index 202 New in this release Riloe II kit contentsOperational overview Virtual Power Button cable 4-pin Preparing to install Riloe Installing the Riloe Keyboard/mouse adapter cable configuration Remote Insight cable configuration Installing Riloe II in the server Installing Internal Cables Installing a Virtual Power Button cable 4-pin Connecting external cables to RiloeInstalling a Remote Insight cable 16-pin Installing a Remote Insight cable 30-pin Keyboard/mouse adapter cable connection Monitor cable connection Headless server deployment LAN cable connection AC power adapter connection Powering up the server Configuration options Configuring the RiloeRemote setup ROM-Based Setup Utility F8 SmartStart setup of Riloe Installing Riloe II device driversMicrosoft device driver support Novell NetWare device driver support Linux device driver support Disabling DNS/DHCP Configuring the Riloe II Accessing Riloe II for the first time Using the Riloe Using the Riloe II User configurations and settings Features of the RiloeManaging the user and configuration settings of the Riloe Click Restore User Information Click User Settings on the Administration tabAdding authorized users Modifying an existing users profile Click Network Settings in the Administration tab Network settings Parameter Default value Definition Administration Click Global Settings Global settings External power connector to the operating system agent Riloe Snmp alerts and settings Snmp Pass-through Status Click Apply Snmp SettingsGenerating Test Alerts Disabling Alerts Two-Factor Authentication Settings Riloe II firmware updates Security Settings Using the Remote Console Remote Console Information Option Using Enhanced Features of the Remote ConsoleLocal Cursor Refresh Remote Console Linux settings Recommended client settingsRecommended server settings Microsoft Windows 2000 settings Microsoft Windows NT 4.0 and Windows 2000 settings Microsoft Windows Server 2003 settingsRed Hat Linux and Suse Linux server settings Novell NetWare settings Supported hot keys Windows EMS console Video replays of previous server Reset SequencesClick Reset Sequences on the Remote Console tab Terminal Services Client requirements Terminal Services pass-through option Windows 2000 Terminal Services port change Windows RDP Pass-Through serviceTerminal Services pass-through installation Terminal Services Pass-Through status Enabling the Terminal Services Pass-Through optionTerminal Services warning message FileImport Troubleshooting Terminal Services Remote Console and Terminal Services clientsTerminal Services button display ComputerPropertiesRemoteRemote Desktop ManagementSystem ToolsEvent ViewerApplication Using virtual devices Virtual media Virtual power Click Connect Riloe II Virtual FloppySelect Local Media Drive MS-DOS Virtual Floppy operating systems notes Uploading a diskette image to the remote server Virtual Floppy screenMounting USB Virtual Media Floppy in Linux Submit Changes Changing Virtual Floppy drive settings Diskette Image Utility Copying files on the host server to the Virtual Floppy drive Using the Riloe II Using the Riloe II Select Local CD-ROM Drive Riloe II Virtual CD-ROM Virtual Media CD-ROM operating system notes Click Create Disk Image Creating Riloe II disk image filesMounting USB Virtual Media CD-ROM in Linux Virtual Media applet timeout Resetting the Riloe II to the factory default settingsCancel Riloe II Virtual Media privilege Getting help Pocket PC access with Riloe Using the Riloe II Using the Riloe II Using the Riloe II Riloe II security Password guidelinesGeneral security guidelines Encryption Setting up two-factor authentication for the first time Two-factor authenticationSetting up local user accounts Click View/Modify Click Add a certificate Click View/Modify Two-factor authentication user certificatesSetting up directory user accounts Two-factor authentication login Introduction to certificate services Certificates Verifying directory services Installing certificate servicesConfiguring Automatic Certificate Request Select FinishCloseOK Securing Rbsu Systems Insight Manager functional overview Systems Insight Manager integrationIntegrating Riloe II with Systems Insight Manager Systems Insight Manager links Systems Insight Manager identification and associationSystems Insight Manager status Systems Insight Manager systems lists Configuring Systems Insight Manager identification Systems Insight Manager port matching Receiving Snmp alerts in Systems Insight Manager Systems Insight Manager integration Benefits of directory integration Directory servicesOverview of directory integration How directory integration works Schema-freeHP Extended schema Schema-free browser-based setup Setup for Schema-free directory integrationSchema-free scripted setup Active Directory preparation Minimum Login Flexibility Schema-free HPLOMIG-based setup Schema-free setup optionsBetter Login Flexibility Maximum Login Flexibility Setting up directory services Setting up HP schema directory integrationFeatures supported by HP schema directory integration Schema required software Directory services support Setup Schema installerSchema Preview Directory services Directory services for Active Directory Management snap-in installerActive Directory installation prerequisites Results Directory services preparation for Active Directory Snap-in installation and initialization for Active Directory NewHPObject Directory services Active Directory snap-ins Directory services objects Active Directory role restrictions Directory services Active Directory Lights-Out management Snap-in installation and initialization for eDirectory Directory services for eDirectoryEDirectory installation prerequisites Directory services Directory services Directory Services objects for eDirectory Members Role managed devices Time restrictions Enforced client IP address or DNS name accessEDirectory Role Restrictions Lights-Out Management User login using directory services Directory settings Name or multi-host DNS name. If an IP address is Group administration Directory tests Click Test Directory Settings Introduction to directory-enabled remote management Directory-enabled remote managementUsing existing groups Creating roles to follow organizational structure Using multiple roles Restricting roles How directory login restrictions are enforcedRole time restrictions Role address restrictions How user time restrictions are enforced User restrictionsUser address restrictions Creating multiple restrictions and roles Using bulk import tools Directory-enabled remote management Command line arguments Scripting, command line, and utility optionsOverview of the Lights-Out DOS utility Cpqlodos general guidelines Virtfloppy Ribcl XML Commands for Cpqlodos Adduser runtime errors Cpqlodos runtime errorCpqlodos parameter Adduser parameters Compatibility Pre-migration checklistLights-Out directories migration utilities Finding management processors HP Lights-Out directory packageHpqlomig operation 16.100.225.20RILOEII1.20RILOE2DBuserpasswordDefault Schema Upgrading firmware on management processors Selecting a directory access method Naming management processors Configuring directories when HP Extended schema is selected Scripting, command line, and utility options Setting up management processors for directories Hpqlomgc operation Firmware version is validated and updated if necessary Launching Hpqlomgc using application launchManagement processor directory settings are updated Directory is updated RILOE2CONFIG Hpqlomgc command language RILOE2CONFIG Lights-Out Configuration Utility Create a task Create a custom commandCreate a customized list Query definition in Systems Insight Manager Application Launch using Systems Insight ManagerClick QueriesDevice Select Management Processor and click OK Lights-Out Configuration Utility parameters Batch processing using the Lights-Out Configuration Utility XML enhancements Using Perl with the XML scripting interface Opening an SSL connection Readloop Sending the XML header and script body Scripting, command line, and utility options Hponcfg requirements Hponcfg supported operating systems Using Hponcfg Installing HponcfgWindows server installation Linux server installation Hponcfg command line parameters Using Hponcfg on Linux servers Obtaining an entire configuration Using Hponcfg on Windows servers Obtaining a specific configuration Ribcl sample scripts Ribcl general guidelines Remote Insight command languageSetting a configuration Response definitions XML headerData types Ribcl runtime errors LoginLogin parameters Ribcl Userinfo runtime error Login runtime errorsUserinfo Adduser Adduser parameters Deleteuser runtime errors Adduser runtime errorsDeleteuser Deleteuser parameter Getuser Getuser runtime errorsGetuser parameter Getuser return messages Moduser Parameters Moduser Getallusers Moduser runtime errors Getalluserinfo Getallusers runtime errorsGetallusers parameters Getallusers return messages Ribinfo Getalluserinfo runtime errorsGetalluserinfo parameters Getalluserinfo return messages Getnetworksettings Resetrib Getnetworksettings Return Messages Getnetworksettings ParametersGetnetworksettings Runtime Errors Modnetworksettings Parameters Modnetworksettings Scripting, command line, and utility options Modnetworksettings Runtime Errors GetglobalsettingsGetglobalsettings parameters Getglobalsettings runtime errors Modglobalsettings parameters Modglobalsettings Scripting, command line, and utility options Modglobalsettings runtime errors UpdateribfirmwareCleareventlog Runtime Errors Cleareventlog Getfwversion Hotkeyconfig parameters Hotkeyconfig Dirinfo Getdirconfig Getdirconfig return messages Getdirconfig runtime errors Dirinfo Login Ribcl Moddirconfig Moddirconfig parameters Serverinfo Resetserver Insertvirtualfloppy Runtime Errors Resetserver parametersInsertvirtualfloppy Ejectvirtualfloppy Getvfstatus Copyvirtualfloppy Setvfstatus Getvfstatus Runtime ErrorsGetvfstatus Parameters Getvfstatus Return Messages Sethostpower Gethostpowerstatus Getvpbcablestatus Getallcablesstatus Runtime Errors GettwofactorsettingsGetallcablesstatus Getallcablesstatus Parameters Gettwofactorsettings parameters ModtwofactorsettingsGettwofactorsettings runtime errors Gettwofactorsettings return messages Importing a CA and a user certificate example Example of enabling Two-Factor Authentication Modtwofactorsettings runtime errors Modtwofactorsettings parameters Supported hardware and software Troubleshooting the RiloeSupported client operating systems and browsers USB Server PCI Slot and Cable Matrix PCI Inability to connect to the board through the NIC Network connection problems Web browser not connecting to the Riloe II IP address Alert and trap problemsNetWare initialization errors NetWare error message table Miscellaneous problemsAccessing System Partition Utilities Inability to reboot the server Interpreting LED indicators Inability to upgrade the Riloe II firmwareSwitch settings SW3 to force ROM upgrade Incorrect time or date of entries in the event log Remote Console mouse control issue Login name and password problemsResetting the Riloe II to Factory Default Settings Virtual Floppy media applet is unresponsive Video Problems Troubleshooting the host serverAdditional information on the state of the host server Information logs Event Log Entries Integrated Management Log Not connect to the specified IP address Subsystem Failure Codes Restarting the host server Directory Services errors Directory Server connect failed Directory Server timeoutInvalid credentials Invalid Directory Server address or port HP Management Core Ldap OID classes and attributes Directory Services schema Core class definitions Core attributesHpqTarget HpqRole Core attribute definitions HpqRoleIPRestrictionDefaultHpqPolicyDN HpqRoleMembership HpqRoleIPRestrictions HpqRoleTimeRestriction Lights-Out Management attributes Lights-Out Management classesLights-Out Management class definitions HpqLOMv100 Lights-Out Management attribute definitions HpqLOMRightLoginHpqLOMRightRemoteConsole HpqLOMRightVirtualMedia HpqLOMRightConfigureSettings HpqLOMRightServerResetHpqLOMRightLocalUserAdmin HP contact information Technical supportBefore you contact HP Federal Communications Commission notice Regulatory compliance noticesClass a equipment Class B equipment European Union regulatory notice Canadian notice Avis CanadienModifications Class a equipment France Italy Bsmi notice Japanese notice ILO Acronyms and abbreviations IML Ribcl Index 77, 78, 81, 83, 85, 92, 99, 106, 114 16, 20, 21 Index