
Dell Drac 5 User Guide

    8 Enabling Single Sign-On
    Single Sign-On allows you to log into the DRAC without providing your 
    credentials, after you have logged into the operating system using a valid 
    Active Directory account. In this case, DRAC uses the credentials cached in 
    the operating system. DRAC uses Kerberos, a network authentication 
    protocol, for single sign-on.
    Prerequisites for Setting up Single Sign-On
    • Configure DRAC 5 for Active Directory login. For more information, see "Using Active Directory to Log Into the DRAC 5" on page 142.
    • Set up Kerberos authentication for DRAC 5. For more information, see "Enabling Kerberos Authentication" on page 147.
    Configuring DRAC 5 to Use Single Sign-On
    1. Navigate to Remote Access → Configuration tab → Active Directory subtab and select Configure Active Directory.
    2. On the Active Directory Configuration and Management page, select Single Sign-On.
    This option enables you to log into DRAC 5 directly after logging into your 
    workstation. 
    						
    Logging Into DRAC 5 Using Single Sign-On
     NOTE: To log into the DRAC 5, ensure that you have the latest runtime 
    components of Microsoft Visual C++ 2005 Libraries. For more information, 
    see the Microsoft website.
    1. Log into your system using a valid Active Directory account.
    2. Type the web address of the DRAC 5 in the address bar of your browser.
     NOTE: Depending on your browser settings, you may be prompted to 
    download and install the Single Sign-On ActiveX plug-in when using this 
    feature for the first time. 
    You are logged into the DRAC 5. 
    						
    9 Configuring Smart Card Authentication
    The Dell Remote Access Controller 5 (DRAC 5) version 1.30 and later supports two-factor authentication for logging into the DRAC 5 Web interface. This support is provided by the Smart Card Logon feature on the DRAC 5.
    Traditional authentication schemes use a user name and password to authenticate users. This provides minimal security.
    Two-factor authentication, on the other hand, provides a higher level of security by requiring users to have a password or PIN and a private key for a digital certificate.
    Two-factor authentication requires users to verify their identities by providing both factors.
    Configuring Smart Card Login in DRAC 5
    Enable the DRAC 5 Smart Card logon feature from Remote Access → Configuration → Smart Card.
    If you:
    • Disable Smart Card configuration, you are prompted for a Microsoft Active Directory or local logon username and password.
    • Enable or Enable with Remote Racadm, you are prompted for a Smart Card logon during any subsequent logon attempts using the GUI.
    When you select Enable, all command line interface (CLI) out-of-band interfaces, such as telnet, ssh, serial, remote racadm, and IPMI over LAN, are disabled. This is because these services support only single-factor authentication.
    						
    When you select Enable with Remote Racadm, all CLI out-of-band 
    interfaces, except remote racadm, are disabled. 
     NOTE: Dell recommends that the DRAC 5 administrator use the Enable with 
    Remote Racadm setting only to access the DRAC 5 user interface to run 
    scripts using the remote racadm commands. If the administrator does not 
    need to use the remote racadm, Dell recommends the Enabled setting for 
    Smart Card logon. Also, ensure that the DRAC 5 local user configuration 
    and/or Active Directory configuration is complete before enabling Smart 
    Card Logon. 
    • Enable CRL check for Smart Card Logon, the user's DRAC certificate, which is downloaded from the Certificate Revocation List (CRL) distribution server, is checked for revocation in the CRL.
     NOTE: The CRL distribution servers are listed in the Smart Card certificates of 
    the users.
    Configuring Local DRAC 5 Users for Smart Card Logon
    You can configure the local DRAC 5 users to log into the DRAC 5 using the Smart Card. Navigate to Remote Access → Configuration → Users.
    However, before the user can log into the DRAC 5 using the Smart Card, you must upload the user's Smart Card certificate and the trusted Certificate Authority (CA) certificate to the DRAC 5.
    Exporting the Smart Card Certificate
    You can obtain the user's certificate by exporting the Smart Card certificate using the card management software (CMS) from the Smart Card to a file in the Base64 encoded form. You can usually obtain the CMS from the vendor of the Smart Card. This encoded file should be uploaded as the user's certificate to the DRAC 5. The trusted Certificate Authority that issues the Smart Card user certificates should also export the CA certificate to a file in the Base64 encoded form. You should upload this file as the trusted CA certificate for the user. Configure the user with the username that forms the user's User Principal Name (UPN) in the Smart Card certificate.
     NOTE: To log into the DRAC 5, the user name that you configure in the DRAC 5 should have the same case as the User Principal Name (UPN) in the Smart Card certificate.
    						
    For example, in case the Smart Card certificate has been issued to the user, 
    [email protected], the username should be configured as 
    sampleuser.
    Configuring Active Directory Users for Smart Card Logon
    To configure the Active Directory users to log into the DRAC 5 using the 
    Smart Card, the DRAC 5 administrator should configure the DNS server, 
    upload the Active Directory CA certificate to the DRAC 5, and enable the 
    Active Directory logon. See Using the DRAC 5 With Microsoft Active 
    Directory on page 105 for more information on how to set up Active 
    Directory users.
    You must configure Active Directory and Kerberos for Smart Card Active Directory login. See "Using the DRAC 5 With Microsoft Active Directory" on page 105 and "Enabling Kerberos Authentication" on page 147 for information on how to configure them.
    You are logged into the DRAC with appropriate privileges if you are a local 
    DRAC user.
    You are logged into the DRAC with appropriate Microsoft Active Directory 
    privileges if:
    • you are a Microsoft Active Directory user
    • you are configured in the DRAC for Active Directory login
    • the DRAC is enabled for Kerberos Active Directory authentication
    Configuring Smart Card
     NOTE: To modify these settings, you must have Configure DRAC 5 permission.
    1. Expand the System tree and click Remote Access.
    2. Click the Configuration tab and then click Smart Card.
    3. Configure the Smart Card logon settings.
       Table 9-1 provides information about the Smart Card page settings.
    4. Click Apply Changes.
    						
    Table 9-1. Smart Card Settings

    Setting: Configure Smart Card Logon
    Description:
    • Disabled — Disables Smart Card logon. Subsequent logins from the graphical user interface (GUI) display the regular login page. All command line out-of-band interfaces including secure shell (SSH), Telnet, Serial, and remote RACADM are set to their default state.
    • Enabled — Enables Smart Card logon. After applying the changes, log out, insert your Smart Card, enter your Smart Card PIN, and then click Login to log on to the DRAC. Enabling Smart Card logon disables all CLI out-of-band interfaces including SSH, Telnet, Serial, remote RACADM, and IPMI over LAN.
    • Enabled with Remote Racadm — Enables Smart Card logon along with remote RACADM. All other CLI out-of-band interfaces are disabled.
    NOTE: The Smart Card logon requires you to configure the local DRAC 5 users with the appropriate certificates. If the Smart Card logon is used to log in a Microsoft Active Directory user, then you must ensure that you configure the Active Directory user certificate for that user. You can configure the user certificate in the Users → User Main Menu page.

    Setting: Enable CRL check for Smart Card Logon
    Description: This check is available only for Smart Card local users. Select this option if you want the DRAC to check the Certificate Revocation List (CRL) for revocation of the user's Smart Card certificate. For the CRL feature to work, the DRAC must have a valid DNS IP address configured as part of its network configuration. You can configure the DNS IP address in DRAC under Remote Access → Configuration → Network.
    The user will not be able to log in if:
    • The user certificate is listed as revoked in the CRL file.
    • DRAC is not able to communicate with the CRL distribution server.
    • DRAC is not able to download the CRL.
    NOTE: You must correctly configure the IP address of the DNS server in the Configuration → Network page for this check to succeed.
    						
    Logging Into the DRAC 5 Using the Smart Card
    The DRAC 5 Web interface displays the Smart Card login page if you have 
    enabled the Smart Card Logon feature.
     NOTE: Ensure that the DRAC 5 local user and/or Active Directory configuration is 
    complete before enabling the Smart Card Logon for the user. 
     
    NOTE: Depending on your browser settings, you may be prompted to download and 
    install the Smart Card reader ActiveX plug-in when using this feature for the first time. 
    1. Access the DRAC 5 Web page using https.
       https://<IP address>
       If the default HTTPS port number (port 443) has been changed, type:
       https://<IP address>:<port number>
       where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.
       The DRAC 5 Login page appears prompting you to insert the Smart Card.
    2. Insert the Smart Card into the reader and enter your Smart Card PIN.
    3. Click Login.
     NOTE: If you are an Active Directory user for whom the Enable CRL check for Smart Card Logon is selected, DRAC 5 attempts to download the CRL and checks the CRL for the user's certificate. The login through Active Directory fails if the certificate is listed as revoked in the CRL or if the CRL cannot be downloaded for any reason. Smart Card logon is supported only in Microsoft Internet Explorer.
    						
    Logging Into the DRAC 5 Using Active Directory Smart Card Authentication
    1. Log into the DRAC 5 using https.
       https://<IP address>
       If the default HTTPS port number (port 443) has been changed, type:
       https://<IP address>:<port number>
       where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.
       The DRAC 5 Login page is displayed prompting you to insert the Smart Card.
    2. Insert the Smart Card into the reader and enter your Smart Card PIN.
    3. Click Login.
       You are logged into the DRAC 5 with your credentials as set in Active Directory. For more information, see "Enabling Kerberos Authentication" on page 147.
    Troubleshooting the Smart Card Logon in DRAC 5
    Use the following tips to help you debug an inaccessible Smart Card: 
    ActiveX plug-in unable to detect the Smart Card reader
    Ensure that the Smart Card is supported on the Microsoft Windows 
    operating system. Windows supports a limited number of Smart Card 
    cryptographic service providers (CSPs).
    Tip: As a general check to see if the Smart Card CSPs are present on a particular client, insert the Smart Card in the reader at the Windows logon (Ctrl-Alt-Del) screen and check whether Windows detects the Smart Card and displays the PIN dialog box.
    Incorrect Smart Card PIN
    Check to see if the Smart Card has been locked out due to too many attempts 
    with an incorrect PIN. In such cases, the issuer of the Smart Card in the 
    organization will be able to help you get a new Smart Card.  
    						
    Unable to Log into Local DRAC 5
    If a local DRAC 5 user cannot log in, check if the username and the user certificates uploaded to the DRAC 5 have expired. The DRAC 5 trace logs may provide important log messages regarding the errors, although the error messages are sometimes intentionally ambiguous due to security concerns.
    Unable to Log into DRAC 5 as an Active Directory User
    If you cannot log into the DRAC 5 as an Active Directory user, try to log into 
    the DRAC 5 without enabling the Smart Card logon. If you have enabled the 
    CRL check, try the Active Directory logon without enabling the CRL check. 
    The DRAC 5 trace log should provide important messages in case of CRL 
    failure. 
    You also have the option of disabling the Smart Card Logon through the local 
    racadm using the following command:
    racadm config -g cfgActiveDirectory -o cfgADSmartCardLogonEnable 0
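
The recovery command above, wrapped as an added example (not from the Dell guide): it records the previous value before writing 0, reads the setting back to confirm the change, and restores the saved value afterwards so Smart Card logon is not left off after troubleshooting. It assumes that `racadm getconfig -g <group> -o <object>` prints only the object's value; the `RACADM` variable, the function names and the state file are this example's own.

```shell
#!/bin/sh
# Added example: save, disable, verify and restore the Smart Card logon setting.
# Assumption: "racadm getconfig -g GROUP -o OBJECT" prints just the value.
RACADM="${RACADM:-racadm}"          # hypothetical override for the racadm path
GROUP=cfgActiveDirectory
OBJECT=cfgADSmartCardLogonEnable

sc_get() {
    # Print the current value with whitespace and carriage returns removed.
    "$RACADM" getconfig -g "$GROUP" -o "$OBJECT" | tr -d ' \r\n'
}

sc_set() {
    # Write a value, then succeed only if the controller reports it back.
    "$RACADM" config -g "$GROUP" -o "$OBJECT" "$1" >/dev/null || return 1
    [ "$(sc_get)" = "$1" ]
}

sc_disable_for_troubleshooting() {
    # $1: file that records the previous value so it can be restored later.
    prev=$(sc_get)
    case "$prev" in
        ''|*[!0-9]*)
            # Empty or non-numeric output means the read failed; change nothing.
            echo "unexpected value from racadm: '$prev'" >&2
            return 1 ;;
    esac
    printf '%s\n' "$prev" > "$1" || return 1
    sc_set 0
}

sc_restore() {
    # $1: file written by sc_disable_for_troubleshooting.
    [ -r "$1" ] || { echo "no saved value in $1" >&2; return 1; }
    read -r prev < "$1"
    sc_set "$prev"
}

# Usage: script.sh disable [state-file]   or   script.sh restore [state-file]
case "${1:-}" in
    disable) sc_disable_for_troubleshooting "${2:-./smartcard-logon.prev}" ;;
    restore) sc_restore "${2:-./smartcard-logon.prev}" ;;
esac
```

Run `disable` from the local racadm session, complete the Active Directory logon test, then run `restore` with the same state file.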
    						