Owner is set to SAN, RILOE II obtains the directory user's login name from the UPN attribute of the SAN. If the Certificate Owner setting is set to Subject, RILOE II obtains the directory user's distinguished name from the subject of the certificate.

Which one of these settings to choose depends on which directory integration method is used, how the directory architecture is designed, and what information is contained in user certificates that are issued. The following examples assume you have the appropriate permissions.

Authentication using Default Directory Schema, part 1: The distinguished name for a user in the directory is CN=John Doe,OU=IT,DC=MyCompany,DC=com, and the following are the attributes of John Doe's certificate:

Subject: DC=com/DC=MyCompany/OU=IT/CN=John Doe

SAN/UPN: john.doe@MyCompany.com

Authenticating to RILOE II with username:john.doe@MyCompany.com and password, will work if two- factor authentication is not enforced. After two-factor authentication is enforced, if SAN is selected on the Two-Factor Authentication Settings page, the login page automatically populates the Directory User field with john.doe@MyCompany.com. The password can be entered, but the user will not be authenticated. The user is not authenticated because john.doe@MyCompany.com, which was obtained from the certificate, is not the distinguished name for the user in the directory. In this case, you must select Subject on the Two-Factor Authentication Settings page. Then the Directory User field on the login page will be populated with CN=John Doe,OU=IT,DC=MyCompany,DC=com, which is the user's actual distinguished name. If the correct password is entered, the user is authenticated.

Authentication using Default Directory Schema, part 2: The distinguished name for a user in the directory is CN=john.doe@MyCompany.com,OU=IT,DC=MyCompany,DC=com, and the following are the attributes of John Doe's certificate:

Subject: DC=com/DC=MyCompany/OU=Employees/CN=John Doe/E=john.doe@MyCompany.com

SAN/UPN: john.doe@MyCompany.com

Search context on the Directory Settings page is set to: OU=IT,DC=MyCompany,DC=com

In this example, if SAN is selected on the Two-Factor Authentication Settings page, the Directory User field on the login page is populated with john.doe@MyCompany.com. After the correct password is entered, the user is authenticated. The user is authenticated even though john.doe@MyCompany.com is not the distinguished name for the user. The user is authenticated because RILOE II attempts to authenticate using the search context fields (CN=john.doe@MyCompany.com, OU=IT, DC=MyCompany, DC=com) configured on the Directory Settings page. Becasue this is the correct distinguished name for the user, RILOE II successfully finds the user in the directory.

NOTE: Selecting Subject on the Two-Factor Authentication Settings page causes authentication to fail, because the subject of the certificate is not the distinguished name for the user in the directory.

When using the HP Extended schema method, HP recommends selecting the SAN option on the Two- factor Authentication Settings page.

Introduction to certificate services

Certificate Services are used to issue signed digital certificates to network hosts. The certificates are used to establish SSL connections with the host and verify the authenticity of the host.

Installing Certificate Services allows Active Directory to receive a certificate that allows Lights-Out processors to connect to the directory service. Without a certificate, RILOE II cannot connect to the directory server.

RILOE II security 66

Page 66
Image 66
HP 232664-006 manual Introduction to certificate services