The Active Directory Single Sign–On or Smart Card log in normally takes less than 10 seconds, but it may take up to four minutes to
log in if you have specified the preferred DNS server and the alternate DNS server, and the preferred DNS server has failed. DNS
time-outs are expected when a DNS server is down. iDRAC logs you in using the alternate DNS server.
The Active Directory is configured for a domain present in Windows Server 2008 Active Directory. A child or sub domain is
present for the domain, the user and group is present in the same child domain, and the user is a member of that group. When
trying to log in to iDRAC using the user present in the child domain, Active Directory Single Sign-On login fails.
This may be because of the an incorrect group type. There are two kinds of Group types in the Active Directory server:
•
Security — Security groups allow you to manage user and computer access to shared resources and to filter group policy
settings.
•
Distribution — Distribution groups are intended to be used only as email distribution lists.
Always make sure that the group type is Security. You cannot use distribution groups to assign permission on any object, however
use them to filter group policy settings.
Single Sign-On
SSO login fails on Windows Server 2008 R2 x64. What are the settings required to resolve this?
1.
Run the
technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
for the domain controller and domain policy.
2.
Configure the computers to use the DES-CBC-MD5 cipher suite.
These settings may affect compatibility with client computers or services and applications in your environment. The Configure
encryption types allowed for Kerberos policy setting is located at
Computer Configuration
→
Security Settings
→
Local
Policies
→
Security Options
.
3.
Make sure that the domain clients have the updated GPO.
4.
At the command line, type
gpupdate /force
and delete the old key tab with
klist purge
command.
5.
After the GPO is updated, create the new keytab.
6.
Upload the keytab to iDRAC.
You can now log in to iDRAC using SSO.
Why does SSO login fail with Active Directory users on Windows 7 and Windows Server 2008 R2?
You must enable the encryption types for Windows 7 and Windows Server 2008 R2. To enable the encryption types:
1.
Log in as administrator or as a user with administrative privilege.
2.
Go to
Start
and run
gpedit.msc
. The
Local Group Policy Editor
window is displayed.
3.
Go to
Local Computer Settings
→
Windows Settings
→
Security Settings
→
Local Policies
→
Security Options
.
4.
Right-click
Network Security: Configure encryption types allowed for kerberos
and select
Properties
.
5.
Enable all the options.
6.
Click
OK
. You can now log in to iDRAC using SSO.
Perform the following additional settings for Extended Schema:
1.
In the
Local Group Policy Editor
window, navigate to
Local Computer Settings
→
Windows Settings
→
Security Settings
→
Local Policies
→
Security Options
.
2.
Right-click
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote server
and select
Properties
.
3.
Select
Allow all
, click
OK
, and close the
Local Group Policy Editor
window.
4.
Go to
Start
and run cmd. The command prompt window is displayed.
5.
Run the command
gpupdate /force
. The group policies are updated. Close the command prompt window.
6.
Go to
Start
and run regedit. The
Registry Editor
window is displayed.
7.
Navigate to
HKEY_LOCAL_MACHINE
→
System
→
CurrentControlSet
→
Control
→
LSA
.
293