Dell Drac 5 User Guide
Using the DRAC 5 With Microsoft Active Directory

5. Click Next and select whether Windows should automatically select the certificate store based on the type of certificate, or browse to a store of your choice.
6. Click Finish and click OK.

Setting the SSL Time on the DRAC 5

When the DRAC 5 authenticates an Active Directory user, it also verifies the certificate presented by the Active Directory server to ensure that it is communicating with an authorized Active Directory server. Part of that check is that the current time, as the DRAC 5 sees it, falls within the certificate's validity period. The certificate's validity times are expressed in GMT, while the DRAC 5 clock may reflect the local system time, so the two can disagree by the local time-zone offset: a certificate that is still valid in GMT can appear expired (or not yet valid) to the DRAC 5, and the login fails. To ensure that the DRAC 5 converts its clock to GMT before comparing it with the certificate times, set the time zone offset object:

racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset offset-value

where offset-value is the offset from GMT in minutes. See cfgRacTuneTimezoneOffset (Read/Write) on page 380 for more details.

Supported Active Directory Configuration

The Active Directory querying algorithm of the DRAC 5 supports multiple trees in a single forest. DRAC 5 Active Directory authentication supports mixed mode (that is, the domain controllers in the forest run different operating systems, such as Microsoft Windows NT 4.0, Windows 2000, or Windows Server 2003). However, all objects used by the DRAC 5 querying process (the user, the RAC Device Object, and the Association Object) must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in checks the mode and, when the forest is in mixed mode, does not let you create these objects across domains.
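The following is an added example, not code from the Dell manual, that shows the failure mode described under Setting the SSL Time: the certificate's notBefore/notAfter are GMT, the DRAC 5 clock is local time, and comparing them without the offset gives the wrong answer. It also checks the 5-minute Kerberos clock skew limit that the Kerberos chapter relies on. The certificate dates are constructed in the format printed by `openssl x509 -noout -dates`, and the sign convention for the offset (local time minus GMT, in minutes) is an assumption, so confirm it against the cfgRacTuneTimezoneOffset description on page 380 before configuring a value.

```python
# Added example (not from the Dell manual): why the DRAC 5 must compare its
# clock with the certificate in GMT, plus the Kerberos clock-skew check.
from datetime import datetime, timedelta, timezone

KERBEROS_MAX_SKEW = timedelta(minutes=5)   # maximum DRAC/DC clock difference


def parse_openssl_date(line: str) -> datetime:
    """Parse one line of `openssl x509 -noout -dates` output, for example
    'notAfter=Jun 30 23:59:59 2026 GMT', into a timezone-aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def drac_time_to_utc(local_time: datetime, offset_minutes: int) -> datetime:
    """Convert the DRAC 5's local clock reading (naive datetime) to GMT using
    the cfgRacTuneTimeZoneOffset value. Assumed sign convention: the offset
    is local time minus GMT in minutes (+600 for UTC+10, -300 for UTC-5)."""
    return (local_time - timedelta(minutes=offset_minutes)).replace(tzinfo=timezone.utc)


def timezone_offset_minutes(local_time: datetime, utc_time: datetime) -> int:
    """Derive the offset value to configure from a simultaneous reading of the
    DRAC 5 local clock and a GMT reference (both naive datetimes)."""
    return round((local_time - utc_time).total_seconds() / 60)


def certificate_valid_at(not_before_line: str, not_after_line: str, when_utc: datetime) -> bool:
    """True if the UTC instant lies inside the certificate's validity period."""
    not_before = parse_openssl_date(not_before_line)
    not_after = parse_openssl_date(not_after_line)
    return not_before <= when_utc <= not_after


def kerberos_skew_ok(drac_utc: datetime, dc_utc: datetime) -> bool:
    """True if the DRAC 5 and Domain Controller clocks are within 5 minutes."""
    return abs(drac_utc - dc_utc) <= KERBEROS_MAX_SKEW


if __name__ == "__main__":
    # Constructed domain-controller certificate dates (openssl -dates style).
    NOT_BEFORE = "notBefore=Jul  1 00:00:00 2025 GMT"
    NOT_AFTER = "notAfter=Jun 30 23:59:59 2026 GMT"
    # DRAC 5 clock set to local time in a UTC+10 zone, the morning after expiry in local terms.
    drac_local = datetime(2026, 7, 1, 8, 0, 0)

    # Wrong: treating the local reading as GMT makes a still-valid certificate look expired.
    naive = drac_local.replace(tzinfo=timezone.utc)
    print("naive comparison says valid:", certificate_valid_at(NOT_BEFORE, NOT_AFTER, naive))
    # Right: apply the 600-minute offset first; 08:00 local is 22:00 GMT the previous day.
    corrected = drac_time_to_utc(drac_local, 600)
    print("offset-corrected comparison says valid:", certificate_valid_at(NOT_BEFORE, NOT_AFTER, corrected))
```

Run the block as a script to see the two comparisons disagree; the same two-hour window is exactly the kind of intermittent "works in the afternoon, fails at night" login failure that a missing offset produces.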
DRAC 5 Active Directory supports multiple domain environments provided the domain forest function level is Native mode or Windows 2003 mode. In addition, the groups used among the Association Object, the RAC user objects, and the RAC Device Objects (including the Association Object itself) must be universal groups.

NOTE: The Association Object and the Privilege Object must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in forces you to create these two objects in the same domain. Other objects can be in different domains.

Using Active Directory to Log Into the DRAC 5

You can use Active Directory to log in to the DRAC 5 using one of the following methods:
• Web-based interface
• Remote RACADM
• Serial or telnet console

The login syntax is the same for all three methods:

<username>@<domain> or <domain>\<username> or <domain>/<username>

where username is an ASCII string of 1–256 bytes and domain is the DNS name of the user's domain. White space and special characters (such as \, /, or @) cannot be used in the user name or the domain name.

NOTE: You cannot specify NetBIOS domain names, such as Americas, because these names cannot be resolved.

You can also log into the DRAC 5 using the Smart Card. For more information, see Logging Into the DRAC 5 Using the Smart Card on page 157.
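As an added example (not code from the Dell manual), the following parser applies the login-name rules above to the three accepted forms and rejects the cases the manual warns about: white space, \ / @ inside either part, over-long user names, and NetBIOS domain names. The sample logins and the corp.example.com domain are constructed; treating any domain without a dot as a NetBIOS name is an assumption made by the example, since the manual only says such names cannot be resolved.

```python
# Added example (not from the Dell manual): a parser for the three DRAC 5
# Active Directory login forms, with the checks the manual describes.
from __future__ import annotations

MAX_USERNAME_BYTES = 256          # "an ASCII string of 1-256 bytes"
FORBIDDEN_CHARS = set("\\/@")     # not allowed inside user name or domain name


def parse_ad_login(login: str) -> tuple[str, str]:
    """Split an Active Directory login into (username, domain).

    Accepts user@domain, domain\\user and domain/user. Raises ValueError
    with the reason when the DRAC 5 would reject the name.
    """
    if "@" in login:
        username, _, domain = login.partition("@")
    elif "\\" in login:
        domain, _, username = login.partition("\\")
    elif "/" in login:
        domain, _, username = login.partition("/")
    else:
        raise ValueError("no domain given: use user@domain, domain\\user or domain/user")

    for label, value in (("user name", username), ("domain name", domain)):
        if not value:
            raise ValueError(f"empty {label}")
        if not value.isascii():
            raise ValueError(f"{label} must be ASCII")
        if any(ch.isspace() or ch in FORBIDDEN_CHARS for ch in value):
            raise ValueError(f"{label} contains white space or one of \\ / @")

    if len(username.encode("ascii")) > MAX_USERNAME_BYTES:
        raise ValueError(f"user name longer than {MAX_USERNAME_BYTES} bytes")

    # Assumption: a DNS domain name always contains a dot, so a single label
    # such as "Americas" is treated as an unresolvable NetBIOS name.
    if "." not in domain:
        raise ValueError(f"{domain!r} looks like a NetBIOS name; use the DNS domain name")

    return username, domain


def is_valid_ad_login(login: str) -> bool:
    """Convenience wrapper that returns True/False instead of raising."""
    try:
        parse_ad_login(login)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample logins; the domain name is made up.
    for sample in ("jsmith@corp.example.com", "corp.example.com\\jsmith",
                   "corp.example.com/jsmith", "Americas\\jsmith",
                   "j smith@corp.example.com", "jsmith"):
        try:
            print(f"{sample!r:35} -> {parse_ad_login(sample)}")
        except ValueError as err:
            print(f"{sample!r:35} -> rejected: {err}")
```

The parser splits on the first separator it finds and then validates both halves, so a name such as user@domain@other is rejected because the leftover @ ends up inside the domain part rather than being silently accepted.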
Using Active Directory Single Sign-On

You can enable the DRAC 5 to use Kerberos, a network authentication protocol, to provide single sign-on to the DRAC 5. For more information on setting up the DRAC 5 to use the Active Directory Single Sign-On feature, see Enabling Kerberos Authentication on page 147.

Configuring the DRAC 5 to Use Single Sign-On
1. Navigate to Remote Access→ Configuration tab→ Active Directory subtab and select Configure Active Directory.
2. On the Active Directory Configuration and Management page, select Single Sign-On. This option enables you to log into the DRAC 5 directly after logging into your workstation.

Logging Into the DRAC 5 Using Single Sign-On
1. Log into your workstation using your network account.
2. Access the DRAC Web page using https:

https://<IP address>

If the default HTTPS port number (port 443) has been changed, type:

https://<IP address>:<port number>

where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number. The DRAC 5 Single Sign-On page appears.
3. Click Login. The DRAC 5 logs you in using the Kerberos credentials that the operating system cached when you logged in with your valid Active Directory account.
Frequently Asked Questions

Are there any restrictions on Domain Controller SSL configuration?
Yes. The SSL certificates of all Active Directory servers in the forest must be signed by the same root CA, because the DRAC 5 allows only one trusted CA SSL certificate to be uploaded.

I created and uploaded a new RAC certificate and now the Web-based interface does not launch.
If you use Microsoft Certificate Services to generate the RAC certificate, one possible cause is that you inadvertently chose User Certificate instead of Web Certificate when creating the certificate. To recover, generate a CSR, create a new web certificate from Microsoft Certificate Services, and load it using the RACADM CLI from the managed system with the following racadm commands:

racadm sslcsrgen [-g] [-u] [-f {filename}]
racadm sslcertupload -t 1 -f {web_sslcert}

What can I do if I cannot log into the DRAC 5 using Active Directory authentication? How do I troubleshoot the issue?
1. Ensure that you use the correct user domain name during a login and not the NetBIOS name.
2. If you have a local DRAC user account, log into the DRAC 5 using your local credentials. After you are logged in:
   a. Ensure that you have checked the Enable Active Directory box on the DRAC 5 Active Directory configuration page.
   b. Ensure that the DNS setting is correct on the DRAC 5 Networking configuration page.
   c. Ensure that you have uploaded the Active Directory certificate from your Active Directory root CA to the DRAC 5.
   d. Check the Domain Controller SSL certificates to ensure that they have not expired.
   e. Ensure that your DRAC Name, Root Domain Name, and DRAC Domain Name match your Active Directory environment configuration.
   f. Ensure that the DRAC 5 password has a maximum of 127 characters. While the DRAC 5 can support passwords of up to 256 characters, Active Directory only supports passwords that have a maximum length of 127 characters.

SSO login fails with Active Directory users on Windows 7 operating systems. What should I do to resolve this?
You must enable the encryption types for Windows 7. To enable the encryption types (for standard and extended schema):
1. Log in as administrator or as a user with administrative privilege.
2. Go to Start and run gpedit.msc. The Local Group Policy Editor window is displayed.
3. Navigate to Local Computer Settings→ Windows Settings→ Security Settings→ Local Policies→ Security Options.
4. Right-click Network Security: Configure encryption types allowed for Kerberos and select Properties.
5. Enable all the options and click OK.
6. In the same Security Options node, right-click Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers and select Properties.
7. Select Allow all, click OK, and then close the Local Group Policy Editor window.
8. Go to Start and run cmd. The command prompt window is displayed.
9. Run the command gpupdate /force. The group policies are updated.
10. Close the command prompt window.
You can now log in to the DRAC 5 using SSO.

NOTE: These settings apply to the whole workstation, not only to connections to the DRAC 5: step 5 allows every Kerberos encryption type, including DES, and step 7 removes the restriction on outgoing NTLM. Apply them only on the workstations that must reach the DRAC 5, and deploy them through a dedicated Group Policy Object rather than ad hoc local policy edits so that they can be tracked and removed later.
Perform the following additional settings for extended schema:
1. Go to Start and run regedit. The Registry Editor window is displayed.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
3. In the right pane, right-click and select New→ DWORD (32-bit) Value.
4. Name the new value SuppressExtendedProtection.
5. Right-click SuppressExtendedProtection and click Modify.
6. In the Value data field, type 1 and click OK.
7. Close the Registry Editor window.
You can now log in to the DRAC 5 using SSO.

NOTE: SuppressExtendedProtection set to 1 turns off Extended Protection for Authentication (channel binding) for Kerberos on that workstation. Like the policy changes above, it is a workstation-wide setting that weakens the client's authentication to every server, not just the DRAC 5, so restrict it to the machines that need it.
7 Enabling Kerberos Authentication

Kerberos is a network authentication protocol that allows systems to communicate securely over a non-secure network by proving their identity to each other. Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 use Kerberos as their default authentication method.

Starting with DRAC 5 version 1.40, the DRAC 5 uses Kerberos to support two types of authentication mechanism: single sign-on and Active Directory Smart Card login. For single sign-on, the DRAC 5 uses the user credentials cached in the operating system after the user has logged in using a valid Active Directory account. Starting with DRAC 5 version 1.40, Active Directory authentication also accepts Smart Card-based two factor authentication (TFA), in addition to the username-password combination, as valid credentials.

Prerequisites for Setting up Kerberos Authentication
• Configure the DRAC 5 for Active Directory login. For more information, see Using Active Directory to Log Into the DRAC 5 on page 142.
• For the Active Directory users for whom you want to provide Kerberos authentication, set the following account properties:
  • Use DES encryption types for this account
  • Do not require Kerberos pre-authentication

  NOTE: Both properties weaken the account. Single DES is a deprecated cipher that Windows 7 and Windows Server 2008 R2 and later disable by default, so the domain controllers must explicitly allow it, and an account that does not require pre-authentication will return an encrypted AS-REP to anyone who asks for it, which lets the account's password be guessed offline. Set these properties on as few accounts as possible, give those accounts long random passwords, and grant them no rights beyond what the DRAC 5 needs.

• Register the DRAC 5 as a computer in the Active Directory root domain.
  a. Navigate to Remote Access→ Configuration tab→ Network subtab→ Network Settings.
  b. Provide a valid Preferred/Static DNS Server IP address. This value is the IP address of the DNS server that is part of the root domain, which authenticates the Active Directory accounts of the users.
  c. Select Register DRAC on DNS.
  d. Provide a valid DNS Domain Name.
  NOTE: Ensure that the DNS name is resolved by the DNS server. See the DRAC 5 Online Help for more information.
• Synchronize the DRAC 5 time settings with those of the Active Directory Domain Controller. Kerberos authentication on the DRAC 5 fails if the DRAC time differs from the Domain Controller time by more than the maximum allowed offset of 5 minutes. To enable successful authentication, synchronize the server time with the Domain Controller time and then reset the DRAC time. You can also use the following RACADM time zone offset command to correct the DRAC 5 time:

racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset offset-value

where offset-value is the offset time in minutes.
• Install the Microsoft Visual C++ 2005 Redistributable Package on the client system.
• Run the ktpass utility on the Active Directory server. The DRAC 5 is a device with a non-Windows operating system, so you need to run the ktpass utility, which is part of Microsoft Windows, on the Domain Controller (Active Directory server) where you want to map the DRAC 5 to a user account in Active Directory. To do this:
  a. Start the Active Directory Management tool.
  b. Right-click the Users folder, select New, and then click User.
  c. Type the name of the DRAC 5 host for which you want to add Kerberos support.
  d. Save the user.
  e. Start a command prompt, and then type the following command:

C:\>ktpass -princ HOST/dracname.domain-name.com@DOMAIN-NAME.COM -mapuser account -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass password -out c:\krbkeytab

  where:
  • dracname is the DRAC 5's DNS name.
  • domain-name is the Active Directory domain name with which you want to authenticate. In the realm part after the @ it must be replaced by the actual domain name in capital letters.
  • account is the user name of the valid user account that you created in Active Directory in step b and step c. It should be provided in the domain-name.com/user-name format.
  • password is the password for the user account.
  • DES-CBC-MD5 is the encryption type that the DRAC 5 uses for Kerberos authentication.
  • KRB5_NT_PRINCIPAL is the principal type.
  f. Upload the resulting keytab file to the DRAC 5 host.

NOTE: It is recommended that you use the latest ktpass utility to create the keytab file. This procedure produces a keytab file that you must upload to the DRAC 5.

NOTE: The keytab contains the account's secret key, so treat it with the same care as a password: create it on the Domain Controller, transfer it to the DRAC 5 only over the HTTPS interface, and delete the on-disk copy (c:\krbkeytab above) once the upload has succeeded. Note also that ktpass -pass sets the mapped account's password to the value given on the command line.

For more information on the ktpass utility, see the Microsoft website at: http://technet2.microsoft.com/windowsserver/en/library/64042138-9a5a-4981-84e9-d576a8db0d051033.mspx?mfr=true
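Before uploading the keytab, it is worth checking that ktpass produced what the command above asked for: the HOST/dracname principal, an upper-case realm, and the DES-CBC-MD5 key the DRAC 5 expects. The following is an added example, not Dell's or Microsoft's code, that parses the keytab format ktpass writes (MIT keytab version 0x0502) and runs those checks; it also summarises entries without printing key material, since the keytab is a secret. The host drac01.example.com, the realm EXAMPLE.COM and the 8-byte key are constructed values built inline so that the example runs offline.

```python
# Added example (not from the Dell manual or Dell's tools): parse the keytab
# that ktpass writes and verify it before uploading it to the DRAC 5.
from __future__ import annotations
import struct

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ENCTYPES = {1, 2, 3}       # single DES, deprecated by RFC 6649
KRB5_NT_PRINCIPAL = 1


def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a uint16 length-prefixed byte string (keytab 'counted_octet_string')."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> list[dict]:
    """Parse a version 0x0502 keytab (the format ktpass -out writes)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size marks a deleted slot
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        realm, p = _counted(entry, p)
        components = []
        for _ in range(ncomp):
            comp, p = _counted(entry, p)
            components.append(comp.decode("ascii"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        (enctype,) = struct.unpack_from(">H", entry, p); p += 2
        key, p = _counted(entry, p)
        vno = vno8
        if p + 4 <= len(entry):     # optional 32-bit key version number
            (vno,) = struct.unpack_from(">I", entry, p)
        entries.append({"principal": "/".join(components), "realm": realm.decode("ascii"),
                        "name_type": name_type, "timestamp": timestamp, "vno": vno,
                        "enctype": enctype, "key": key})
        pos += size
    return entries


def build_keytab(entries) -> bytes:
    """Write a keytab from (principal, realm, enctype, key, vno) tuples; used
    here only to construct an offline sample of what ktpass produces."""
    out = bytearray(b"\x05\x02")
    for principal, realm, enctype, key, vno in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode("ascii")
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode("ascii")
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, vno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_drac_keytab(data: bytes, drac_fqdn: str, realm: str) -> tuple[bool, list[str]]:
    """Verify the keytab holds HOST/<drac_fqdn>@<REALM> as ktpass was told to
    create it. Returns (ok, findings); DES entries are reported as warnings,
    because the DRAC 5 requires DES-CBC-MD5 even though it is deprecated."""
    wanted, findings = f"HOST/{drac_fqdn}", []
    if realm != realm.upper():
        findings.append("realm must be given in capital letters")
    entries = parse_keytab(data)
    matches = [e for e in entries if e["principal"] == wanted and e["realm"] == realm]
    if not matches:
        findings.append(f"no entry for {wanted}@{realm}")
    for e in entries:
        if e["enctype"] in DES_ENCTYPES:
            name = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            findings.append(f"{e['principal']}@{e['realm']} vno {e['vno']} uses {name} (single DES)")
    return bool(matches) and realm == realm.upper(), findings


def describe(entries) -> list[str]:
    """Summarise entries without exposing key material (the keytab is a secret)."""
    return [f"{e['principal']}@{e['realm']} vno={e['vno']} "
            f"enctype={ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} keylen={len(e['key'])}"
            for e in entries]


# Constructed sample: what ktpass -crypto DES-CBC-MD5 would produce for a DRAC
# named drac01 in the example.com domain (the 8-byte key is a dummy value).
SAMPLE_KEYTAB = build_keytab([("HOST/drac01.example.com", "EXAMPLE.COM", 3, bytes(range(8)), 3)])

if __name__ == "__main__":
    print("\n".join(describe(parse_keytab(SAMPLE_KEYTAB))))
    print(check_drac_keytab(SAMPLE_KEYTAB, "drac01.example.com", "EXAMPLE.COM"))
```

To check a real file, read c:\krbkeytab in binary mode and pass its bytes to check_drac_keytab with the DRAC's DNS name and the upper-case realm; a "no entry" finding usually means the -princ argument was mistyped or the realm was not capitalised, and a missing des-cbc-md5 warning means the key was generated with a different -crypto value than the DRAC 5 expects.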
Configuring DRAC 5 for Kerberos Authentication

Upload the keytab obtained from the Active Directory root domain to the DRAC 5:
1. Navigate to Remote Access→ Configuration tab→ Active Directory subtab.
2. Select Upload Kerberos Keytab and click Next.
3. On the Kerberos Keytab Upload page, select the keytab file to upload and click Apply.