Dell Drac 5 User Manual
Configuring Smart Card Authentication

Configuring Local DRAC 5 Users for Smart Card Logon

You can configure local DRAC 5 users to log into the DRAC 5 using a Smart Card. Navigate to Remote Access→ Configuration→ Users.

Figure 7-1. User Management Page for Smart Card

Before a user can log into the DRAC 5 using a Smart Card, you must upload that user's Smart Card certificate and the trusted Certificate Authority (CA) certificate to the DRAC 5.

Exporting the Smart Card Certificate

Obtain the user's certificate by exporting it from the Smart Card to a file in Base64 encoded form using the card management software (CMS), which you can usually obtain from the Smart Card vendor. The exported file contains only the public certificate; the private key never leaves the card. Upload this encoded file as the user's certificate on the DRAC 5. The trusted Certificate Authority that issues the Smart Card user certificates should also export its CA certificate to a file in Base64 encoded form. Upload this file as the trusted CA certificate for the user.

Configure the user with the username that forms the user part of the User Principal Name (UPN) in the Smart Card certificate.

NOTE: The user name configured in the DRAC 5 must match the case of the User Principal Name (UPN) in the Smart Card certificate exactly. For example, if the Smart Card certificate was issued to the UPN sampleuser@<domain>, the username must be configured as sampleuser.

Configuring Active Directory Users for Smart Card Logon

To allow Active Directory users to log into the DRAC 5 using a Smart Card, the DRAC 5 administrator must configure the DNS server, upload the Active Directory CA certificate to the DRAC 5, and enable Active Directory logon. See Using the DRAC 5 With Microsoft Active Directory for more information on setting up Active Directory users. Active Directory is configured from Remote Access→ Configuration→ Active Directory.

Configuring Smart Card

NOTE: To modify these settings, you must have Configure DRAC 5 permission.

1. Expand the System tree and click Remote Access.
2. Click the Configuration tab and then click Smart Card.
3. Configure the Smart Card logon settings. Table 7-1 describes the settings on the Smart Card page.
4. Click Apply Changes.
Table 7-1. Smart Card Settings

Setting: Configure Smart Card Logon
  Disabled: Disables Smart Card logon. Subsequent logins from the graphical user interface (GUI) display the regular login page. All command line out-of-band interfaces, including secure shell (SSH), Telnet, Serial, and remote RACADM, are set to their default state.
  Enabled: Enables Smart Card logon. After applying the changes, log out, insert your Smart Card, and then click Login to enter your Smart Card PIN. Enabling Smart Card logon disables all CLI out-of-band interfaces, including SSH, Telnet, Serial, remote RACADM, and IPMI over LAN.
  Enabled with Remote Racadm: Enables Smart Card logon along with remote RACADM. All other CLI out-of-band interfaces are disabled. Remote RACADM authenticates with a username and password, so in this mode the two-factor requirement applies to the Web interface only.
  NOTE: Smart Card logon requires the local DRAC 5 users to be configured with the appropriate certificates. If Smart Card logon is used to log in a Microsoft Active Directory user, you must configure the Active Directory user certificate for that user. You can configure the user certificate in the Users→ User Main Menu page.

Setting: Enable CRL check for Smart Card Logon
  This check is available only for Active Directory login users. Select this option if you want the DRAC 5 to check the Certificate Revocation List (CRL) for revocation of the user's Smart Card certificate. The check fails closed: the user cannot log in if
  - the user certificate is listed as revoked in the CRL file,
  - the DRAC is unable to communicate with the CRL distribution server, or
  - the DRAC is unable to download the CRL.
  NOTE: You must correctly configure the IP address of the DNS server in the Configuration→ Network page for this check to succeed.
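Before uploading a user's exported certificate and the CA certificate (Configuring Local DRAC 5 Users for Smart Card Logon, above), a practitioner will want to confirm offline what the DRAC 5 will later check: that the file really is Base64 (PEM), that the UPN in the certificate's subjectAltName matches the DRAC username exactly (including case), that neither certificate has expired, that the user certificate chains to the CA being uploaded, and, for the Enable CRL check setting in Table 7-1, that revocation is treated as fail-closed. The following Python script is an added example written for this page, not Dell code; it uses the `cryptography` library and generates a throwaway CA, user certificate and two CRLs in-process as constructed test data (the UPN sampleuser@example.com and the CA name "Example Card CA" are assumptions) so it runs without a card reader. Point `check_user_cert` and `crl_allows` at the real exported files to use it.

```python
"""Pre-upload checks for a DRAC 5 Smart Card user certificate (added example,
not Dell's code). The CA, user certificate and CRLs are constructed test data;
in practice load the Base64 (PEM) files exported by the card management
software and by the issuing CA."""
import datetime
from typing import List, Optional, Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName


def _utcnow() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def der_utf8(text: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C); the UPN otherName value is one."""
    body = text.encode("utf-8")
    if len(body) < 128:
        return b"\x0c" + bytes([len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return b"\x0c" + bytes([0x80 | len(length)]) + length + body


def extract_upn(cert_pem: bytes) -> Optional[str]:
    """UPN from the subjectAltName otherName, or None if the cert has none."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            first = other.value[1]                      # DER length octet(s)
            start = 2 if first < 0x80 else 2 + (first & 0x7F)
            return other.value[start:].decode("utf-8")
    return None


def check_user_cert(user_pem: bytes, ca_pem: bytes, drac_username: str,
                    now: Optional[datetime.datetime] = None) -> List[str]:
    """Problems that would stop a DRAC 5 local Smart Card login ([] means OK)."""
    now = now or _utcnow()
    try:
        user = x509.load_pem_x509_certificate(user_pem)
        ca = x509.load_pem_x509_certificate(ca_pem)
    except ValueError as exc:
        return [f"not a Base64 (PEM) certificate: {exc}"]
    problems = []
    upn = extract_upn(user_pem)
    if upn is None:
        problems.append("no UPN in subjectAltName")
    elif upn.split("@", 1)[0] != drac_username:           # exact, case-sensitive match
        kind = "case" if upn.split("@", 1)[0].lower() == drac_username.lower() else "name"
        problems.append(f"{kind} mismatch: DRAC user {drac_username!r} vs UPN {upn!r}")
    for label, cert in (("user", user), ("CA", ca)):      # expired certificates are rejected
        if not (cert.not_valid_before <= now <= cert.not_valid_after):
            problems.append(f"{label} certificate not valid at {now:%Y-%m-%d}")
    if user.issuer != ca.subject:                         # must chain to the uploaded CA
        problems.append("user certificate not issued by this CA")
    else:
        try:
            ca.public_key().verify(user.signature, user.tbs_certificate_bytes,
                                   padding.PKCS1v15(), user.signature_hash_algorithm)
        except InvalidSignature:
            problems.append("user certificate signature does not verify with this CA")
    return problems


def crl_allows(user_pem: bytes, ca_pem: bytes, crl_pem: Optional[bytes],
               now: Optional[datetime.datetime] = None) -> bool:
    """Mirror the DRAC 5 CRL rule, failing closed: no CRL (download failed),
    a CRL not signed by the CA, a stale CRL, or a listed serial all deny login."""
    now = now or _utcnow()
    if crl_pem is None:
        return False
    user = x509.load_pem_x509_certificate(user_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    crl = x509.load_pem_x509_crl(crl_pem)
    if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
        return False
    if crl.next_update is not None and crl.next_update < now:
        return False
    return crl.get_revoked_certificate_by_serial_number(user.serial_number) is None


def build_test_data(upn: str) -> Tuple[bytes, bytes, bytes, bytes]:
    """Constructed test data: (ca_pem, user_pem, crl_clean_pem, crl_revoking_pem)."""
    now = _utcnow()
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Card CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(now - datetime.timedelta(days=1))
          .not_valid_after(now + datetime.timedelta(days=3650))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample User")]))
            .issuer_name(ca_name).public_key(user_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8(upn))]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now - datetime.timedelta(hours=1))
           .next_update(now + datetime.timedelta(days=7)))
    revoked = (x509.RevokedCertificateBuilder().serial_number(user.serial_number)
               .revocation_date(now - datetime.timedelta(hours=1)).build())
    pem = serialization.Encoding.PEM
    return (ca.public_bytes(pem), user.public_bytes(pem),
            crl.sign(ca_key, hashes.SHA256()).public_bytes(pem),
            crl.add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()).public_bytes(pem))
```

`crl_allows` reproduces the fail-closed rule from Table 7-1 rather than fetching the CRL from its distribution point: download the CRL with whatever tooling you already use and pass the bytes in, or pass None to see the "CRL unreachable" outcome.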
Logging Into the DRAC 5 Using the Smart Card

The DRAC 5 Web interface displays the Smart Card logon page for all users who are configured to use the Smart Card.

NOTE: Ensure that the DRAC 5 local user and/or Active Directory configuration is complete before enabling Smart Card Logon for the user.

NOTE: Depending on your browser settings, you may be prompted to download and install the Smart Card reader ActiveX plug-in when using this feature for the first time.

Figure 7-2. Logging into the DRAC 5 Using the Smart Card

1. Access the DRAC 5 Web page using https:

   https://<IP address>

   If the default HTTPS port number (port 443) has been changed, type:

   https://<IP address>:<port number>

   where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.

   The DRAC 5 Login page appears prompting you to insert the Smart Card.
2. Insert the Smart Card into the reader and click Login. The DRAC 5 prompts you for the Smart Card's PIN.

3. Enter the Smart Card PIN and click OK.

   NOTE: If you are an Active Directory user for whom Enable CRL check for Smart Card Logon is selected, the DRAC 5 attempts to download the CRL and checks it for the user's certificate. The login through Active Directory fails if the certificate is listed as revoked in the CRL or if the CRL cannot be downloaded for any reason.

   You are logged into the DRAC 5. If the local Smart Card login fails, the DRAC 5 falls back to Active Directory Smart Card authentication and logs you in automatically, provided that:
   - Active Directory login is enabled for your user account,
   - you are a valid Active Directory user, and
   - Active Directory has been configured for Smart Card authentication (for more information, see Enabling Kerberos Authentication).

Logging Into the DRAC 5 Using Active Directory Smart Card Authentication

1. Log into the DRAC 5 using https:

   https://<IP address>

   If the default HTTPS port number (port 443) has been changed, type:

   https://<IP address>:<port number>

   where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.

   The DRAC 5 Login page appears prompting you to insert the Smart Card.

2. Insert the Smart Card and click Login. The PIN pop-up dialog box appears.
3. Enter the PIN and click OK. You are logged into the DRAC 5 with your credentials as set in Active Directory. For more information, see Enabling Kerberos Authentication.

Troubleshooting the Smart Card Logon in DRAC 5

Use the following tips to help you debug Smart Card logon problems:

ActiveX plug-in unable to detect the Smart Card reader
  Ensure that the Smart Card is supported on the Microsoft Windows® operating system. Windows supports a limited number of Smart Card cryptographic service providers (CSPs).
  Tip: As a general check to see whether the Smart Card CSPs are present on a particular client, insert the Smart Card in the reader at the Windows logon (Ctrl-Alt-Del) screen and check whether Windows detects the Smart Card and displays the PIN dialog box.

Incorrect Smart Card PIN
  Check whether the Smart Card has been locked out due to too many attempts with an incorrect PIN. In such cases, the issuer of the Smart Card in your organization can help you get a new Smart Card.

Unable to Log into Local DRAC 5
  If a local DRAC 5 user cannot log in, check whether the user certificate and the CA certificate uploaded to the DRAC 5 have expired, and that the configured username matches the UPN in the certificate, including case. The DRAC 5 trace logs may provide important messages about the errors, although the error messages are sometimes intentionally ambiguous for security reasons.
Unable to Log into DRAC 5 as an Active Directory User
  If you cannot log into the DRAC 5 as an Active Directory user, try logging into the DRAC 5 without enabling Smart Card logon. If you have enabled the CRL check, try the Active Directory logon without enabling the CRL check. The DRAC 5 trace log should provide important messages in case of CRL failure.

You also have the option of disabling Smart Card logon through local RACADM using the following command:

racadm config -g cfgActiveDirectory -o cfgADSmartCardLogonEnable 0

Local RACADM runs on the managed server's operating system, so anyone with administrator rights on that operating system can turn Smart Card logon off this way without holding a card; keep that in mind when deciding who is allowed to administer the host.
Enabling Kerberos Authentication

Kerberos is a network authentication protocol that allows systems to communicate securely over a non-secure network by letting each party prove its identity to the other. Microsoft® Windows® 2000, Windows XP, Windows Server® 2003, Windows Vista®, and Windows Server 2008 use Kerberos as their default authentication method.

Starting with DRAC 5 version 1.40, the DRAC 5 uses Kerberos to support two authentication mechanisms: single sign-on and Active Directory Smart Card login. For single sign-on, the DRAC 5 uses the user credentials cached in the operating system after the user has logged in with a valid Active Directory account. Also starting with version 1.40, Active Directory authentication accepts Smart Card based two-factor authentication (TFA) as valid credentials in addition to the username and password combination.

Prerequisites for Single Sign-On and Active Directory Authentication Using Smart Card

- Configure the DRAC 5 for Active Directory login. For more information, see Using Active Directory to Log Into the DRAC 5.
- Register the DRAC 5 as a computer in the Active Directory root domain:
  a. Navigate to Remote Access→ Configuration tab→ Network subtab→ Network Settings.
  b. Provide a valid Preferred/Static DNS Server IP address. This is the IP address of a DNS server in the root domain that authenticates the users' Active Directory accounts.
  c. Select Register DRAC on DNS.
  d. Provide a valid DNS Domain Name.
  See the DRAC 5 Online Help for more information.
- Because the DRAC 5 is a device with a non-Windows operating system, run the ktpass utility (part of Microsoft® Windows®) on the Domain Controller (Active Directory server) to map the DRAC 5 to a user account in Active Directory and produce a keytab. For example:

  C:\>ktpass -princ HOST/<DRAC FQDN>@<REALM> -mapuser dracname -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab

  where <DRAC FQDN> is the fully qualified DNS name registered for the DRAC 5 (the example maps a DRAC named dracname in the domain domain-name) and <REALM> is the Kerberos realm, which is the Active Directory domain name in upper case (realm names are case sensitive).

  NOTE: The only cryptography type that DRAC 5 supports for Kerberos authentication is DES-CBC-MD5. Windows 7 and Windows Server 2008 R2 and later disable the DES encryption types by default, so on such domain controllers the mapped account must have "Use Kerberos DES encryption types for this account" enabled and DES must be permitted by the "Network security: Configure encryption types allowed for Kerberos" policy. DES is a weak cipher; limit the exception to the DRAC's account rather than enabling DES domain-wide.

  ktpass normally resets the mapped account's password to the one you supply, so use a dedicated account for the DRAC rather than a person's account.

  This procedure produces a keytab file that you upload to the DRAC 5.

  NOTE: The keytab contains the long-term key for this principal and must be kept secure: anyone holding it can act as the DRAC's account and decrypt tickets issued to it. Delete c:\krbkeytab from the Domain Controller once the upload is done.

  For more information on the ktpass utility, see the Microsoft website at: http://technet2.microsoft.com/windowsserver/en/library/64042138-9a5a-4981-84e9-d576a8db0d051033.mspx?mfr=true

- The DRAC 5 time must be synchronized with the Active Directory domain controller; Kerberos rejects tickets whose timestamps differ from the local clock by more than the permitted skew (five minutes by default).

Configuring the DRAC 5 for Single Sign-On and Active Directory Authentication Using Smart Card

Upload the keytab obtained from the Active Directory root domain to the DRAC 5:

1. Navigate to Remote Access→ Configuration tab→ Active Directory subtab.
2. Select Upload Kerberos Keytab and click Next.
3. On the Kerberos Keytab Upload page, navigate to the folder where you saved the keytab and click Upload.
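To confirm that the keytab produced by ktpass is what the DRAC 5 expects before uploading it, the following Python script is an added example written for this page (not Dell code and not part of ktpass). It parses the MIT keytab format (version 0x0502) that ktpass writes, checks that every entry belongs to the DRAC's HOST/ principal with the DES-CBC-MD5 encryption type, and flags any other principal or encryption type (for example an AES key written by a run with -crypto All, which the DRAC 5 cannot use); the key material itself is never returned or printed. The principal HOST/dracname.example.com@EXAMPLE.COM and the all-zero keys in the sample keytabs are constructed placeholders, not real ktpass output.

```python
"""Inspect a Kerberos keytab before uploading it to a DRAC 5 (added example,
not Dell's code and not ktpass). Parses the MIT keytab format (version
0x0502) and checks principal and enctype without exposing key bytes.
The sample keytabs at the bottom are constructed with zero keys."""
import struct
from typing import Dict, List, Tuple

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_CBC_MD5 = 3          # the only Kerberos enctype the DRAC 5 supports
KRB5_NT_PRINCIPAL = 1    # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


def _counted(data: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _take(data: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a counted_octet_string at pos; return (bytes, position after it)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def keytab_entry(principal: str, enctype: int, key: bytes, kvno: int = 1,
                 timestamp: int = 0) -> bytes:
    """Encode one entry for 'comp1/comp2@REALM' (used only to build test data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[bytes]) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def parse_keytab(data: bytes) -> List[Dict]:
    """Decode every live entry. The key is not returned, only its length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _take(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _take(data, pos + 11)
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "enctype": enctype,
                        "kvno": kvno, "timestamp": timestamp, "key_bytes": len(key)})
        pos = end
    return entries


def check_drac_keytab(data: bytes, expected_principal: str) -> List[str]:
    """Problems with a keytab destined for a DRAC 5 ([] means it looks right)."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    realm = expected_principal.rsplit("@", 1)[1]
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case (realm names are case sensitive)")
    for e in entries:
        if e["principal"] != expected_principal:
            problems.append(f"unexpected principal {e['principal']!r}")
        if e["enctype"] != DES_CBC_MD5:
            name = ENCTYPES.get(e["enctype"], str(e["enctype"]))
            problems.append(f"{e['principal']}: enctype {name} is not des-cbc-md5, "
                            "the only type DRAC 5 accepts")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(f"{e['principal']}: name type {e['name_type']} is not KRB5_NT_PRINCIPAL")
    if not any(e["principal"] == expected_principal and e["enctype"] == DES_CBC_MD5 for e in entries):
        problems.append(f"no des-cbc-md5 key for {expected_principal}")
    return problems


# Constructed sample data (hypothetical host and realm, all-zero keys).
SAMPLE_PRINCIPAL = "HOST/dracname.example.com@EXAMPLE.COM"
GOOD_KEYTAB = build_keytab([keytab_entry(SAMPLE_PRINCIPAL, DES_CBC_MD5, bytes(8))])
MIXED_KEYTAB = build_keytab([
    keytab_entry(SAMPLE_PRINCIPAL, DES_CBC_MD5, bytes(8)),
    keytab_entry(SAMPLE_PRINCIPAL, 18, bytes(32)),                      # AES key the DRAC 5 cannot use
    keytab_entry("host/other.example.com@EXAMPLE.COM", 23, bytes(16)),  # some other service
])
```

Run `check_drac_keytab(open("krbkeytab", "rb").read(), "HOST/<DRAC FQDN>@<REALM>")` against the file ktpass wrote; an empty list means the principal, realm case and encryption type are what the DRAC 5 expects.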