3.
Select
Register iDRAC on DNS
.
4.
Provide a valid
DNS Domain Name
.
5.
Verify that network DNS configuration matches with the Active Directory DNS information.
For more information about the options, see the
iDRAC Online Help
.
Generating Kerberos keytab file
To support the SSO and smart card login authentication, iDRAC supports the configuration to enable itself as a kerberized service
on a Windows Kerberos network. The Kerberos configuration on iDRAC involves the same steps as configuring a non–Windows
Server Kerberos service as a security principal in Windows Server Active Directory.
The
ktpass
tool (available from Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name
(SPN) bindings to a user account and export the trust information into a MIT–style Kerberos
keytab
file, which enables a trust
relation between an external user or system and the Key Distribution Centre (KDC). The keytab file contains a cryptographic key,
which is used to encrypt the information between the server and the KDC. The ktpass tool allows UNIX–based services that
support Kerberos authentication to use the interoperability features provided by a Windows Server Kerberos KDC service. For more
information on the
ktpass
utility, see the Microsoft website at:
technet.microsoft.com/en-us/library/cc779157(WS.10).aspx
Before generating a keytab file, you must create an Active Directory user account for use with the
-mapuser
option of the
ktpass
command. Also, you must have the same name as iDRAC DNS name to which you upload the generated keytab file.
To generate a keytab file using the ktpass tool:
1.
Run the
ktpass
utility on the domain controller (Active Directory server) where you want to map iDRAC to a user account in
Active Directory.
2.
Use the following ktpass command to create the Kerberos keytab file:
C:\> ktpass.exe -princ HTTP/[email protected] -mapuser DOMAINNAME
\username -mapOp set -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass [password] -out
c:\krbkeytab
The encryption type is AES256-SHA1. The principal type is KRB5_NT_PRINCIPAL. The properties of the user account to
which the Service Principal Name is mapped to must have
Use AES 256 encryption types for this account
property enabled.
NOTE: Use lowercase letters for the iDRACname and Service Principal Name. Use uppercase letters for the domain
name as shown in the example.
3.
Run the following command:
C:\>setspn -a HTTP/iDRACname.domainname.com username
A keytab file is generated.
NOTE: If you find any issues with iDRAC user for which the keytab file is created, create a new user and a new
keytab file. If the same keytab file which was initially created is again executed, it does not configure correctly.
Creating Active Directory objects and providing privileges
Perform the following steps for Active Directory Extended schema based SSO login:
1.
Create the device object, privilege object, and association object in the Active Directory server.
2.
Set access privileges to the created privilege object. It is recommended not to provide administrator privileges as this could
bypass some security checks.
3.
Associate the device object and privilege object using the association object.
4.
Add the preceding SSO user (login user) to the device object.
5.
Provide access privilege to
Authenticated Users
for accessing the created association object.
Related links
Adding iDRAC users and privileges to Active Directory
149
Содержание iDRAC 7
Страница 1: ...iDRAC 8 7 v2 40 40 40 User s Guide ...
Страница 108: ...For more information see the iDRAC RACADM Command Line Interface Reference Guide available at dell com idracmanuals 108 ...
Страница 268: ...By default the logs are available at Event viewer Applications and Services Logs System 268 ...