Dell Drac 5 User Guide
8 Enabling Single Sign-On

Single Sign-On allows you to log into the DRAC without providing your credentials, after you have logged into the operating system using a valid Active Directory account. In this case, DRAC uses the credentials cached in the operating system. DRAC uses Kerberos, a network authentication protocol, for single sign-on.

Prerequisites for Setting up Single Sign-On

• Configure DRAC 5 for Active Directory login. For more information, see Using Active Directory to Log Into the DRAC 5 on page 142.
• Set up Kerberos authentication for DRAC 5. For more information, see Enabling Kerberos Authentication on page 147.

Configuring DRAC 5 to Use Single Sign-On

1. Navigate to Remote Access → Configuration tab → Active Directory subtab and select Configure Active Directory.
2. On the Active Directory Configuration and Management page, select Single Sign-On. This option enables you to log into DRAC 5 directly after logging into your workstation.
Logging Into DRAC 5 Using Single Sign-On

NOTE: To log into the DRAC 5, ensure that you have the latest runtime components of Microsoft Visual C++ 2005 Libraries. For more information, see the Microsoft website.

1. Log into your system using a valid Active Directory account.
2. Type the web address of the DRAC 5 in the address bar of your browser.

NOTE: Depending on your browser settings, you may be prompted to download and install the Single Sign-On ActiveX plug-in when using this feature for the first time.

You are logged into the DRAC 5.
9 Configuring Smart Card Authentication

The Dell Remote Access Controller 5 (DRAC 5) version 1.30 and later supports two-factor authentication for logging into the DRAC 5 Web interface. This support is provided by the Smart Card Logon feature on the DRAC 5. Traditional authentication schemes use a user name and password to authenticate users. This provides minimal security. Two-factor authentication, on the other hand, provides a higher level of security by requiring users to have a password or PIN and a private key for a digital certificate. Two-factor authentication requires users to verify their identities by providing both factors.

Configuring Smart Card Login in DRAC 5

Enable the DRAC 5 Smart Card logon feature from Remote Access → Configuration → Smart Card. If you:

• Disable Smart Card configuration, you are prompted for a Microsoft Active Directory or local logon username and password.
• Enable or Enable with Remote Racadm, you are prompted for a Smart Card logon during any subsequent logon attempts using the GUI. When you select Enable, all command line interface (CLI) out-of-band interfaces, such as telnet, ssh, serial, remote racadm, and IPMI over LAN, are disabled. This is because these services support only single-factor authentication. When you select Enable with Remote Racadm, all CLI out-of-band interfaces, except remote racadm, are disabled.

NOTE: Dell recommends that the DRAC 5 administrator use the Enable with Remote Racadm setting only to access the DRAC 5 user interface to run scripts using the remote racadm commands. If the administrator does not need to use the remote racadm, Dell recommends the Enabled setting for Smart Card logon. Also, ensure that the DRAC 5 local user configuration and/or Active Directory configuration is complete before enabling Smart Card Logon.

• Enable CRL check for Smart Card Logon, the user's DRAC certificate is checked for revocation against the Certificate Revocation List (CRL), which is downloaded from the CRL distribution server.

NOTE: The CRL distribution servers are listed in the Smart Card certificates of the users.

Configuring Local DRAC 5 Users for Smart Card Logon

You can configure the local DRAC 5 users to log into the DRAC 5 using the Smart Card. Navigate to Remote Access → Configuration → Users. However, before the user can log into the DRAC 5 using the Smart Card, you must upload the user's Smart Card certificate and the trusted Certificate Authority (CA) certificate to the DRAC 5.

Exporting the Smart Card Certificate

You can obtain the user's certificate by exporting the Smart Card certificate using the card management software (CMS) from the Smart Card to a file in the Base64 encoded form. You can usually obtain the CMS from the vendor of the Smart Card. This encoded file should be uploaded as the user's certificate to the DRAC 5. The trusted Certificate Authority that issues the Smart Card user certificates should also export the CA certificate to a file in the Base64 encoded form. You should upload this file as the trusted CA certificate for the user. Configure the user with the username that forms the user's User Principal Name (UPN) in the Smart Card certificate.
NOTE: To log into the DRAC 5, the user name that you configure in the DRAC 5 should have the same case as the User Principal Name (UPN) in the Smart Card certificate.
For example, if the Smart Card certificate has been issued to the user [email protected], the username should be configured as sampleuser.

Configuring Active Directory Users for Smart Card Logon

To configure the Active Directory users to log into the DRAC 5 using the Smart Card, the DRAC 5 administrator should configure the DNS server, upload the Active Directory CA certificate to the DRAC 5, and enable the Active Directory logon. See Using the DRAC 5 With Microsoft Active Directory on page 105 for more information on how to set up Active Directory users. You must configure Active Directory and Kerberos for Smart Card Active Directory login. See Using the DRAC 5 With Microsoft Active Directory on page 105 and Enabling Kerberos Authentication on page 147 for information on how to configure them.

You are logged into the DRAC with appropriate privileges if you are a local DRAC user. You are logged into the DRAC with appropriate Microsoft Active Directory privileges if:

• you are a Microsoft Active Directory user
• you are configured in the DRAC for Active Directory login
• the DRAC is enabled for Kerberos Active Directory authentication

Configuring Smart Card

NOTE: To modify these settings, you must have Configure DRAC 5 permission.

1. Expand the System tree and click Remote Access.
2. Click the Configuration tab and then click Smart Card.
3. Configure the Smart Card logon settings. Table 9-1 provides information about the Smart Card page settings.
4. Click Apply Changes.
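As an added illustration of the UPN rule above (example code, not from the Dell manual), the following Go program parses the subjectAltName of a Smart Card certificate, pulls out the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), and derives the DRAC 5 username from the UPN's local part with its case preserved, so an administrator can confirm the name to type on the Users page before the first logon fails. The function names, the sample UPN SampleUser@example.test and the SAN builder used as test input are constructed for this example; it also handles a SAN whose UPN sits behind other GeneralName entries.

```go
package main

import (
	"encoding/asn1"
	"strings"
)

// Microsoft UPN otherName type-id (szOID_NT_PRINCIPAL_NAME) carried by smart card logon certificates.
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
// ctxTag DER-encodes a context-specific [tag] element around body.
func ctxTag(tag int, compound bool, body []byte) []byte {
	b, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: tag, IsCompound: compound, Bytes: body})
	return b
}
// BuildSAN constructs a subjectAltName holding an rfc822Name [1] and a UPN otherName [0], the way an
// exported card certificate carries them (constructed test data, not taken from a real card).
func BuildSAN(email, upn string) []byte {
	utf8, _ := asn1.MarshalWithParams(upn, "utf8")
	oid, _ := asn1.Marshal(oidUPN)
	other := ctxTag(0, true, append(oid, ctxTag(0, true, utf8)...)) // otherName{type-id, [0] EXPLICIT UTF8String}
	seq, _ := asn1.Marshal(asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: append(ctxTag(1, false, []byte(email)), other...)})
	return seq
}
// CardIdentity walks the GeneralNames of a DER subjectAltName and returns the UPN plus the
// username to configure on the DRAC 5: the UPN's local part with its case preserved.
func CardIdentity(sanDER []byte) (upn, dracUser string, ok bool) {
	var names []asn1.RawValue // SubjectAltName ::= SEQUENCE OF GeneralName, kept raw
	var wrap asn1.RawValue
	var oid asn1.ObjectIdentifier
	if _, err := asn1.Unmarshal(sanDER, &names); err != nil {
		return "", "", false
	}
	for _, gn := range names {
		if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
			continue // rfc822Name, dNSName and the other GeneralName forms cannot carry a UPN
		}
		after, err := asn1.Unmarshal(gn.Bytes, &oid) // otherName body: type-id, then [0] EXPLICIT value
		if err != nil || !oid.Equal(oidUPN) {
			continue
		}
		if _, err = asn1.Unmarshal(after, &wrap); err != nil {
			continue
		}
		if _, err = asn1.Unmarshal(wrap.Bytes, &upn); err == nil {
			dracUser = strings.SplitN(upn, "@", 2)[0] // the DRAC matches this case-sensitively against the UPN
			return upn, dracUser, true
		}
	}
	return "", "", false
}
```

Feed CardIdentity the DER value of the SAN extension of the Base64 certificate exported by the CMS, and configure exactly the returned dracUser string on the DRAC.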
Table 9-1. Smart Card Settings

Setting: Configure Smart Card Logon
Description:
• Disabled — Disables Smart Card logon. Subsequent logins from the graphical user interface (GUI) display the regular login page. All command line out-of-band interfaces including secure shell (SSH), Telnet, Serial, and remote RACADM are set to their default state.
• Enabled — Enables Smart Card logon. After applying the changes, log out, insert your Smart Card, enter your Smart Card PIN, and then click Login to log on to the DRAC. Enabling Smart Card logon disables all CLI out-of-band interfaces including SSH, Telnet, Serial, remote RACADM, and IPMI over LAN.
• Enabled with Remote Racadm — Enables Smart Card logon along with remote RACADM. All other CLI out-of-band interfaces are disabled.
NOTE: The Smart Card logon requires you to configure the local DRAC 5 users with the appropriate certificates. If the Smart Card logon is used to log in a Microsoft Active Directory user, then you must ensure that you configure the Active Directory user certificate for that user. You can configure the user certificate in the Users → User Main Menu page.

Setting: Enable CRL check for Smart Card Logon
Description: This check is available only for Smart Card local users. Select this option if you want the DRAC to check the Certificate Revocation List (CRL) for revocation of the user's Smart Card certificate. For the CRL feature to work, the DRAC must have a valid DNS IP address configured as part of its network configuration. You can configure the DNS IP address in DRAC under Remote Access → Configuration → Network. The user will not be able to log in if:
• The user certificate is listed as revoked in the CRL file.
• DRAC is not able to communicate with the CRL distribution server.
• DRAC is not able to download the CRL.
NOTE: You must correctly configure the IP address of the DNS server in the Configuration → Network page for this check to succeed.
Logging Into the DRAC 5 Using the Smart Card

The DRAC 5 Web interface displays the Smart Card login page if you have enabled the Smart Card Logon feature.

NOTE: Ensure that the DRAC 5 local user and/or Active Directory configuration is complete before enabling the Smart Card Logon for the user.

NOTE: Depending on your browser settings, you may be prompted to download and install the Smart Card reader ActiveX plug-in when using this feature for the first time.

1. Access the DRAC 5 Web page using https:
   https://<IP address>
   If the default HTTPS port number (port 443) has been changed, type:
   https://<IP address>:<port number>
   where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.
   The DRAC 5 Login page appears prompting you to insert the Smart Card.
2. Insert the Smart Card into the reader and enter your Smart Card PIN.
3. Click Login.

NOTE: If you are an Active Directory user for whom the Enable CRL check for Smart Card Logon is selected, DRAC 5 attempts to download the CRL and checks the CRL for the user's certificate. The login through Active Directory fails if the certificate is listed as revoked in the CRL or if the CRL cannot be downloaded for any reason.

Smart Card logon is supported only in Microsoft Internet Explorer.
Logging Into the DRAC 5 Using Active Directory Smart Card Authentication

1. Log into the DRAC 5 using https:
   https://<IP address>
   If the default HTTPS port number (port 443) has been changed, type:
   https://<IP address>:<port number>
   where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.
   The DRAC 5 Login page is displayed prompting you to insert the Smart Card.
2. Insert the Smart Card into the reader and enter your Smart Card PIN.
3. Click Login.

You are logged into the DRAC 5 with your credentials as set in Active Directory. For more information, see Enabling Kerberos Authentication on page 147.

Troubleshooting the Smart Card Logon in DRAC 5

Use the following tips to help you debug an inaccessible Smart Card:

ActiveX plug-in unable to detect the Smart Card reader
Ensure that the Smart Card is supported on the Microsoft Windows operating system. Windows supports a limited number of Smart Card cryptographic service providers (CSPs).

Tip: As a general check to see if the Smart Card CSPs are present on a particular client, insert the Smart Card in the reader at the Windows logon (Ctrl-Alt-Del) screen and check to see if Windows detects the Smart Card and displays the PIN dialog box.

Incorrect Smart Card PIN
Check to see if the Smart Card has been locked out due to too many attempts with an incorrect PIN. In such cases, the issuer of the Smart Card in the organization will be able to help you get a new Smart Card.
Unable to Log into Local DRAC 5
If a local DRAC 5 user cannot log in, check whether the username and the user certificates uploaded to the DRAC 5 have expired. The DRAC 5 trace logs may provide important log messages regarding the errors, although the error messages are sometimes intentionally ambiguous due to security concerns.

Unable to Log into DRAC 5 as an Active Directory User
If you cannot log into the DRAC 5 as an Active Directory user, try to log into the DRAC 5 without enabling the Smart Card logon. If you have enabled the CRL check, try the Active Directory logon without enabling the CRL check. The DRAC 5 trace log should provide important messages in case of CRL failure. You also have the option of disabling the Smart Card Logon through the local racadm using the following command:

racadm config -g cfgActiveDirectory -o cfgADSmartCardLogonEnable 0