Configuring Smart Card Authentication: Integrated Dell Remote Access Controller 6 (iDRAC6) Enterprise for Blade Servers Version 2.2 User Guide



  Configuring Smart Card Login in iDRAC6

  Logging Into iDRAC6 Using Active Directory Smart Card Authentication

  Troubleshooting the Smart Card Logon in iDRAC6


iDRAC6 supports two-factor authentication (TFA) through Smart Card logon.

Traditional authentication schemes use a user name and password to authenticate users. This provides minimal security.

TFA, on the other hand, provides a higher level of security by requiring users to provide two factors of authentication: what you have (the Smart Card, a physical device) and what you know (a secret code such as a password or PIN).

Two-factor authentication requires users to verify their identities by providing both factors.


Configuring Smart Card Login in iDRAC6

To enable the iDRAC6 Smart Card login feature from the Web interface:

  1. Open a supported Web browser window.

  2. Log in to the iDRAC6 Web interface.

  3. Go to the Step 1 of 4 Active Directory Configuration and Management screen.

  4. To validate the SSL certificate of your Active Directory servers, select the Certificate Validation Enabled check box under Certificate Settings. If you do not want to validate the SSL certificate of your Active Directory servers, skip to step 6.

  5. Under Upload Active Directory CA Certificate, enter the file path of the certificate or browse to find the certificate file, and then click Upload. You must enter the absolute file path, which includes the full path and the complete file name and file extension. The certificate information for the Active Directory CA certificate that you uploaded appears in the Current Active Directory CA Certificate section.

  6. Click Next. The Step 2 of 4 Active Directory Configuration and Management screen appears.

  7. Select the Active Directory Enabled check box.

  8. Select Enable Smart-Card Login to enable Smart Card login. You are prompted for a Smart Card logon during any subsequent logon attempts using the GUI.

  9. Add User Domain Name, and enter the IP address of the Domain Controller Server Address. Select Next.

  10. Select Standard Schema Settings on Step 3 of 4 Active Directory Configuration and Management page. Select Next.

  11. On Step 4a of 4 Active Directory page, enter the IP Address of the Global Catalog Server. Add the Role Group information that your valid Active Directory user is a member of, by selecting one of the Role Groups (Step 4B of 4 Configure Role Group page). Enter the Group Name, the Group Domain, and the Role Group Privileges. Select OK and then Finish. After selecting Done, scroll back to the bottom of the Active Directory summary page and select Kerberos Keytab Upload.

  12. Upload a valid Kerberos Keytab file. Ensure that the Active Directory Server and iDRAC6 times are synchronized. Verify that both time and time zones are correct before uploading the keytab file. For more information on creating a keytab file, see "Enabling Kerberos Authentication".

Clear the Enable Smart-Card Login option to disable the TFA Smart Card logon feature. The next time you log in to the iDRAC6 GUI, you are prompted for a Microsoft® Active Directory® or local logon user name and password, which is the default login prompt from the Web interface.


Logging Into iDRAC6 Using Active Directory Smart Card Authentication

NOTE: Depending on your browser settings, you may be prompted to download and install the Smart Card reader ActiveX plug-in when using this feature for the first time.

  1. Log in to iDRAC6 using HTTPS:

https://<IP address>

If the default HTTPS port number (port 443) has been changed, type:

https://<IP address>:<port number>

where IP address is the IP address for iDRAC6 and port number is the HTTPS port number.

The iDRAC6 Login page is displayed, prompting you to insert the Smart Card.

  2. Insert the Smart Card.

  3. Enter the PIN and click Log in.

You are logged into iDRAC6 with your credentials as set in Active Directory.

NOTE: You need not keep your Smart Card in the reader to stay logged in.

Troubleshooting the Smart Card Logon in iDRAC6

Use the following tips to help you debug an inaccessible Smart Card:

It takes nearly 4 minutes to log into iDRAC6 using Active Directory Smart Card login.

A normal Active Directory Smart Card login usually takes less than 10 seconds. It may take nearly 4 minutes if you have specified both the Preferred DNS Server and the Alternate DNS Server on the iDRAC6 Network page and the preferred DNS server has failed. DNS timeouts are expected when a DNS server is down. iDRAC6 logs you in using the alternate DNS server.

ActiveX plug-in unable to detect the Smart Card reader

Ensure that the Smart Card is supported on the Microsoft Windows® operating system. Windows supports a limited number of Smart Card cryptographic service providers (CSPs).

Tip: As a general check to see if the Smart Card CSPs are present on a particular client, insert the Smart Card in the reader at the Windows logon (Ctrl-Alt-Del) screen and check whether Windows detects the Smart Card and displays the PIN dialog box.

Incorrect Smart Card PIN

Check to see if the Smart Card has been locked out due to too many attempts with an incorrect PIN. In such cases, the issuer of the Smart Card in the organization will be able to help you get a new Smart Card.

Unable to Log into iDRAC6 as an Active Directory User

  • If you cannot log into iDRAC6 as an Active Directory user, try to log into iDRAC6 without enabling the Smart Card logon. You can disable the Smart Card logon through RACADM using the following command:

racadm config -g cfgSmartCard -o cfgSmartCardLogonEnable 0

  • For 64-bit Windows platforms, the iDRAC6 authentication plug-in is not installed properly if a 64-bit version of "Microsoft Visual C++ 2005 Redistributable Package" is deployed. You need to deploy the 32-bit version of "Microsoft Visual C++ 2005 Redistributable Package" for the plug-in to install and run properly.

  • If you receive the following error message "Not able to load the Smart Card Plug-in. Please check your IE settings or you may have insufficient privileges to use the Smart Card Plug-in", then install the "Microsoft Visual C++ 2005 Redistributable Package". This file is available on the Microsoft Website at www.microsoft.com. Two distributed versions of the C++ Redistributable Package have been tested and they allow the Dell Smart Card plug-in to load:

Table 7-1. Distributed Versions of the C++ Redistributable Package

Redistributable Package File Name   Version         Release Date       Size      Description
vcredist_x86.exe                    6.0.2900.2180   March 21, 2006     2.56 MB   MS Redistributable 2005
vcredist_x86.exe                    9.0.21022.8     November 7, 2007   1.73 MB   MS Redistributable 2008

  • Ensure that the iDRAC6 time and the domain controller time on the domain controller server are within 5 minutes of each other for Kerberos authentication to work. View the iDRAC6 time on the System→ Remote Access→ iDRAC6→ Properties→ Remote Access Information page, and the domain controller time by right-clicking the time in the bottom right-hand corner of the screen. The timezone offset is displayed in the pop-up display. For US Central Standard Time (CST), this is -6. Use the following RACADM timezone offset command to synchronize iDRAC6 time (through Remote or Telnet/SSH RACADM):

racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset <offset value in minutes>

For example, if the system time is GMT -6 (US CST) and the time is 2PM, set iDRAC6 time to GMT time of 18:00, which would require you to enter "360" in the above command for the offset. You can also use cfgRacTuneDaylightoffset to allow for daylight saving variation. This saves you from having to change the time on the two occasions every year when the daylight saving adjustments are made. Alternatively, allow for it in the above offset by using "300" in the above example.
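The 5-minute check described in the last item can be done by normalizing both displayed readings to UTC before comparing them. The following is an added example, not part of the Dell guide; the function names and the sample readings are constructed for illustration. It shows why the time zone has to be verified along with the time: two clocks that display nearly the same wall-clock time can still be hours apart.

```python
from datetime import datetime, timedelta, timezone

# Tolerance stated in this guide: iDRAC6 and the domain controller must be
# within 5 minutes of each other for Kerberos authentication to work.
MAX_SKEW = timedelta(minutes=5)


def to_utc(wall_clock, utc_offset_hours):
    """Convert a displayed wall-clock time plus its UTC offset to UTC."""
    local = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def check_skew(idrac, dc):
    """Compare two (wall_clock, utc_offset_hours) readings.

    Returns (skew_in_seconds, within_tolerance).
    """
    skew = abs(to_utc(*idrac) - to_utc(*dc))
    return int(skew.total_seconds()), skew <= MAX_SKEW


# Constructed sample readings (hypothetical, not taken from a real system).
DC = ("2012-03-01 09:00:00", -6)           # domain controller, US CST
IDRAC_OK = ("2012-03-01 15:02:10", 0)      # iDRAC6 clock kept in GMT
IDRAC_BAD_TZ = ("2012-03-01 09:02:10", 0)  # similar wall clock, wrong offset

if __name__ == "__main__":
    for label, reading in (("correct zone", IDRAC_OK),
                           ("wrong zone", IDRAC_BAD_TZ)):
        seconds, ok = check_skew(reading, DC)
        print(f"{label}: skew={seconds}s within_5_min={ok}")
```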

