Dell Drac 5 User Guide

Using the DRAC 5 With Microsoft Active Directory141
5Click Next and select whether you would like Windows to automatically 
select the certificate store based on the type of certificate, or browse to a 
store of your choice.
6Click Finish and click OK.
Setting the SSL Time on the DRAC 5
When the DRAC 5 authenticates an Active Directory user, the DRAC 5 also 
verifies the certificate published by the Active Directory server to ensure that 
the DRAC is communicating with an authorized Active Directory...

142Using the DRAC 5 With Microsoft Active Directory
DRAC 5 Active Directory supports multiple domain environments provided 
the domain forest function level is Native mode or Windows 2003 mode. In 
addition, the groups among Association Object, RAC user objects, and RAC 
Device Objects (including Association Object) must be universal groups.
 NOTE: The Association Object and the Privilege Object must be in the same 
domain. The Dell-extended Active Directory Users and Computers snap-in forces 
you to...

Using the DRAC 5 With Microsoft Active Directory143
Using Active Directory Single Sign-On
You can enable the DRAC 5 to use Kerberos—a network authentication 
protocol—to enable single sign-on and log into the DRAC 5. For more 
information on setting up the DRAC 5 to use the Active Directory Single 
Sign-On feature, see Enabling Kerberos Authentication on page 147.
Configuring the DRAC 5 to Use Single Sign-On
1Navigate to Remote Access Configuration tab Active Directory 
subtabselectConfigure Active...

144Using the DRAC 5 With Microsoft Active Directory
Frequently Asked Questions
Are there any restrictions on Domain Controller SSL configuration?
Yes. All Active Directory servers’ SSL certificates in the forest must be signed 
by the same root CA since DRAC 5 only allows uploading one trusted CA 
SSL certificate.
I created and uploaded a new RAC certificate and now the Web-based 
interface does not launch.
If you use Microsoft Certificate Services to generate the RAC certificate, one 
possible cause of...

Using the DRAC 5 With Microsoft Active Directory145
eEnsure that your DRAC Name, Root Domain Name, and DRAC 
Domain Name
 match your Active Directory environment 
configuration.
fEnsure that the DRAC 5 password has a maximum of 127 characters. 
While the DRAC 5 can support passwords of up to 256 characters, 
Active Directory only supports passwords that have a maximum 
length of 127 characters.
SSO login fails with Active Directory users on Windows 7 operating systems. 
What should I do to resolve this?...

146Using the DRAC 5 With Microsoft Active Directory
Perform the following additional settings for extended schema:
1
Go to Start and run regedit. 
The 
Registry Editor window is displayed.
2Navigate to HKEY_LOCAL_MACHINESystem
CurrentControlSetControlLSA.
3In the right-pane, right-click and select NewDWORD (32-bit) Value.
4Name the new key as SuppressExtendedProtection.
5Right-click SuppressExtendedProtection and click Modify.
6In the Va l u e  d a t a field, type 1 and click OK.
7Close the...

Enabling Kerberos Authentication147
7
Enabling Kerberos Authentication 
Kerberos is a network authentication protocol that allows systems to 
communicate securely over a non-secure network. It achieves this by allowing 
the systems to prove their authenticity.
Microsoft Windows 2000, Windows XP, Windows Server 2003, 
Windows Vista, and Windows Server 2008 use Kerberos as their default 
authentication method. 
Starting with DRAC 5 version 1.40, the DRAC 5 uses Kerberos to support 
two types of...

148Enabling Kerberos Authentication
cSelect Register DRAC on DNS.
dProvide a valid DNS Domain Name.
 NOTE: Ensure that the DNS name is resolved by the DNS server.
See the DRAC 5 Online Help for more information.
• Synchronize the DRAC 5 time settings with that of the Active Directory 
Domain Controller. Kerberos authentication on DRAC 5 fails if the 
DRAC time differs from the Domain Controller time. A maximum offset 
of 5 minutes is allowed. To enable successful authentication, synchronize 
the server...

Enabling Kerberos Authentication149
eStart a command prompt, and then type the following command: 
C:\>ktpass -princ HOST/dracname.domain-
[email protected] -mapuser account -
crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -
pass password -out c:\krbkeytab
where: 
•
dracname is the DRAC 5’s DNS name. 
•
domain-name is the Active Directory domain name with which 
you want to authenticate. It should be replaced by the actual 
domain name in capital letters. 
•
account is the user name, a valid user...

150Enabling Kerberos Authentication
Configuring DRAC 5 for Kerberos Authentication
Upload the keytab obtained from the Active Directory root domain, to the 
DRAC 5:
1
Navigate to Remote Access  Configuration tab  Active Directory 
subtab.
2Select Upload Kerberos Keytab and click Next.
3On the Kerberos Keytab Upload page, select the keytab file to upload and 
click 
Apply.