Kerberos is a network authentication protocol that allows systems to communicate securely over a non-secure network. It achieves this by allowing the systems to prove their authenticity.
Microsoft® Windows® 2000, Windows XP, Windows Server® 2003, Windows Vista®, and Windows Server 2008 use Kerberos as their default authentication method.
Starting with DRAC 5 version 1.40, the DRAC 5 uses Kerberos to support two types of authentication mechanisms: single sign-on and Active Directory Smart Card login.
For single sign-on, the DRAC 5 uses the user credentials cached in the operating system after the user has logged in using a valid Active Directory account.
Starting with DRAC 5 version 1.40, Active Directory authentication will use Smart Card-based two-factor authentication (TFA), in addition to the username-password combination, as valid credentials.
Prerequisites for Single Sign-On and Active Directory Authentication Using Smart Card
Register the DRAC 5 as a computer in the Active Directory root domain.
Navigate to Remote Access→ Configuration tab→ Network subtab→ Network Settings.
Provide a valid Preferred/Static DNS Server IP address. This value is the IP address of the DNS that is part of the root domain, which authenticates the Active Directory accounts of the users.
Select Register DRAC on DNS.
Provide a valid DNS Domain Name.
See the DRAC 5 Online Help for more information.
Because the DRAC 5 is a device with a non-Windows operating system, run the ktpass utility (part of Microsoft® Windows®) on the Domain Controller (Active Directory server) where you want to map the DRAC 5 to a user account in Active Directory. For example,
NOTE: The cryptography type that DRAC 5 supports for Kerberos authentication is DES-CBC-MD5.
This procedure will produce a keytab file that you should upload to the DRAC 5.
NOTE: The keytab contains an encryption key and should be kept secure.
For more information on the ktpass utility, see the Microsoft website at: http://technet2.microsoft.com/windowsserver/en/library/64042138-9a5a-4981-84e9-d576a8db0d051033.mspx?mfr=true
The DRAC 5 time should be synchronized with the Active Directory domain controller.
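A pre-upload check of the keytab produced by ktpass, as an added example that is not part of the original documentation: it reads the standard version 0x0502 keytab layout and confirms that a DES-CBC-MD5 key exists for the DRAC 5's principal, without ever returning the key bytes. The principal HOST/drac5.example.com@EXAMPLE.COM and the sample keytab are constructed for illustration.

```python
import struct

ETYPE_DES_CBC_MD5 = 3  # RFC 3961 encryption type number for des-cbc-md5

def parse_keytab(data):
    """Return (principal, kvno, etype, key_length) per entry; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    def counted(cur):  # 16-bit big-endian length followed by that many bytes
        (n,) = struct.unpack_from(">H", data, cur)
        return data[cur + 2:cur + 2 + n].decode(), cur + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted entry (hole) to skip
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, cur = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, cur = counted(cur)
            comps.append(comp)
        cur += 8  # skip 32-bit name type and 32-bit timestamp
        kvno = data[cur]
        etype, keylen = struct.unpack_from(">HH", data, cur + 1)
        cur += 5 + keylen
        if end - cur >= 4:  # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, cur)
        entries.append(("/".join(comps) + "@" + realm, kvno, etype, keylen))
        pos = end
    return entries

def check_for_drac(entries, principal):
    """List reasons the keytab would not match the DRAC 5's DES-CBC-MD5 support."""
    etypes = {e[2] for e in entries if e[0] == principal}
    if not etypes:
        return ["no entry for " + principal]
    return [] if ETYPE_DES_CBC_MD5 in etypes else ["no DES-CBC-MD5 key for " + principal]

def sample_keytab(etype):  # constructed sample: hypothetical principal, all-zero dummy key
    cs = lambda s: struct.pack(">H", len(s)) + s
    body = (struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"HOST") + cs(b"drac5.example.com")
            + struct.pack(">IIB", 1, 0, 4) + struct.pack(">HH", etype, 8) + bytes(8))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass `open(path, "rb").read()` to `parse_keytab` and the principal given to ktpass to `check_for_drac`; an empty list means the expected entry is present.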
Configuring the DRAC 5 for Single Sign-On and Active Directory Authentication Using Smart Card
Upload the keytab obtained from the Active Directory root domain to the DRAC 5:
Navigate to Remote Access→ Configuration tab→ Active Directory subtab.
Select Upload Kerberos Keytab and click Next.
On the Kerberos Keytab Upload page, navigate to the folder where you saved the keytab and click Upload.
Logging Into the DRAC 5 Using Single Sign-On
NOTE: To log into the DRAC 5, ensure that you have the latest runtime components of Microsoft Visual C++ 2005 Libraries. For more information, see the Microsoft website.
Log into your system using a valid Active Directory account.
Type the web address of the DRAC 5 in the address bar of your browser.
NOTE: Depending on your browser settings, you may be prompted to download and install the Single Sign-On ActiveX plug-in when using this feature for the first time.