Kerberos is a network authentication protocol that allows systems to communicate securely over a non-secure network by letting each party prove its identity to the other. To meet stricter authentication requirements, iDRAC6 now supports Kerberos-based Active Directory® authentication for Active Directory Smart Card and single sign-on (SSO) logins.
Microsoft® Windows® 2000, Windows XP, Windows Server® 2003, Windows Vista®, and Windows Server 2008 use Kerberos as their default authentication method.
iDRAC6 uses Kerberos to support two authentication mechanisms: Active Directory single sign-on and Active Directory Smart Card login. For single sign-on, iDRAC6 uses the Kerberos credentials cached in the operating system after the user has logged in with a valid Active Directory account.
For Active Directory Smart Card login, iDRAC6 uses smart card-based two factor authentication (TFA) as the credential for the Active Directory login.
Kerberos authentication on iDRAC6 fails if the iDRAC6 clock differs from the Domain Controller clock by more than the allowed maximum offset of 5 minutes. To enable successful authentication, synchronize the server time with the Domain Controller time and then reset iDRAC6.
You can also adjust the iDRAC6 time with the following RACADM time zone offset command:
racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset <offset value>
Prerequisites for Single Sign-On and Active Directory Authentication Using Smart Card
1. Configure iDRAC6 for Active Directory login.
2. Register iDRAC6 as a computer in the Active Directory root domain:
   a. Provide a valid Preferred/Alternate DNS Server IP address. This is the IP address of the DNS server in the root domain that authenticates the Active Directory accounts of the users.
   b. Select Register iDRAC6 on DNS.
   c. Provide a valid DNS Domain Name.
   d. Verify that the network DNS configuration matches the Active Directory DNS information.
See iDRAC6 Online Help for more information.
To support these two authentication mechanisms, iDRAC6 can be configured as a kerberized service on a Windows Kerberos network. The Kerberos configuration on iDRAC6 involves the same steps as configuring any non-Windows Kerberos service as a security principal in Windows Server Active Directory.
The Microsoft tool ktpass (supplied by Microsoft as part of the server installation CD/DVD) is used to bind a Service Principal Name (SPN) to a user account and export the trust information into an MIT-style Kerberos keytab file, which establishes a trust relationship between an external user or system and the Key Distribution Centre (KDC). The keytab file contains the cryptographic key used to protect the exchange between the service and the KDC. The ktpass tool allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by a Windows Server Kerberos KDC.
The keytab produced by the ktpass utility is uploaded to iDRAC6 as a file, which enables iDRAC6 to act as a kerberized service on the network.
Since iDRAC6 is a device with a non-Windows operating system, run the ktpass utility (part of Microsoft Windows) on the Domain Controller (Active Directory server) where you want to map iDRAC6 to a user account in Active Directory.
For example, use the following ktpass command to create the Kerberos keytab file:
NOTE: If you find any issues with the iDRAC6 user account for which the keytab file was created, create a new user and a new keytab file. Re-running ktpass against the original account, or re-uploading the keytab that was initially created, will not configure iDRAC6 correctly.
After the above command executes successfully, run the following command:
C:\>setspn -a HTTP/idracname.domainname.com username
The encryption type that iDRAC6 uses for Kerberos authentication is DES-CBC-MD5. The principal type is KRB5_NT_PRINCIPAL. The user account to which the Service Principal Name is mapped must have the following account property enabled:
Use DES encryption types for this account
NOTE: DES is a weak, deprecated Kerberos encryption type. Windows 7 and Windows Server 2008 R2 and later disable the DES encryption types by default, so on those versions DES must also be re-enabled by policy before this account can obtain DES tickets. Treat the account as a single-purpose service account with no other privileges.
NOTE: You must create an Active Directory user account for use with the -mapuser option of the ktpass command. The account name should match the DNS name of the iDRAC6 to which you will upload the generated keytab file.
NOTE: It is recommended that you use the latest ktpass utility to create the keytab file. Also, while generating the keytab file, use lowercase letters for the iDRAC6 name and the Service Principal Name.
This procedure will produce a keytab file that you should upload to iDRAC6.
NOTE: The keytab contains an encryption key and should be kept secure.
For more information on the ktpass utility, see the Microsoft website at: http://technet.microsoft.com/en-us/library/cc779157(WS.10).aspx
iDRAC6 time should be synchronized with the Active Directory domain controller.
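The following PowerShell script is an added example, not part of the iDRAC6 User's Guide or Dell's tooling. It walks through the whole procedure above on a Domain Controller: creating the service account named after the iDRAC6 DNS name, enabling the DES account flag, running ktpass with the encryption and principal types this page specifies, registering and checking the SPN, and measuring clock skew against the DC. The host name "idractest", domain "domain.com", NetBIOS name "DOMAIN" and keytab path are assumptions for illustration; the ActiveDirectory PowerShell module and the built-in setspn, ktpass and w32tm commands are required.

```powershell
# Added example (not from the iDRAC6 User's Guide). Run as a Domain Admin on a
# Domain Controller. Names, domain, and paths below are assumptions.
Import-Module ActiveDirectory

$IdracName  = "idractest"                  # iDRAC6 DNS host name, lowercase
$DnsDomain  = "domain.com"                 # Active Directory DNS domain
$Realm      = $DnsDomain.ToUpper()         # Kerberos realm (assumed = domain)
$NetBios    = "DOMAIN"                     # NetBIOS domain name (assumption)
$Spn        = "HTTP/$IdracName.$DnsDomain" # SPN the guide registers with setspn
$KeytabPath = "C:\krbkeytab"               # keytab to upload to iDRAC6

$Password = Read-Host -AsSecureString "Password for service account $IdracName"
$PlainPwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))

# 1. Service account named after the iDRAC6 DNS name, as the guide recommends.
New-ADUser -Name $IdracName -SamAccountName $IdracName `
    -UserPrincipalName "$IdracName@$DnsDomain" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. "Use DES encryption types for this account": required because the iDRAC6
#    keytab is DES-CBC-MD5. On Server 2008 R2+ DES is also off by default at the
#    domain level and must be re-enabled by policy.
Set-ADAccountControl -Identity $IdracName -UseDESKeyOnly $true

# 3. Bind the SPN to the account and export the MIT-style keytab with the
#    encryption type and principal type the guide specifies.
ktpass /princ "$Spn@$Realm" /mapuser "$NetBios\$IdracName" `
       /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL `
       /pass $PlainPwd /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed; create a new user and keytab" }

# 4. Register the SPN as the guide does, then verify exactly one object holds
#    it. A duplicate SPN makes the KDC issue tickets for the wrong key and the
#    iDRAC6 login fails with no useful error.
setspn -a $Spn $IdracName | Out-Null
setspn -L $IdracName
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
if ($holders.Count -ne 1) { throw "SPN $Spn is held by $($holders.Count) objects" }

# 5. Kerberos tolerates at most 5 minutes of skew. Measure the offset between
#    this host and the DC; apply the same check to the iDRAC6 host's clock.
$dc = (Get-ADDomainController).HostName
w32tm /stripchart /computer:$dc /samples:3 /dataonly

Write-Host "Upload $KeytabPath to iDRAC6 (racadm krbkeytabupload -f $KeytabPath)"
```

The keytab written to $KeytabPath holds the account's DES key; copy it to iDRAC6 over a trusted path and delete the local copy afterwards. If the SPN check in step 4 fails, remove the stray SPN with setspn -d before creating a fresh account and keytab, as the note above requires.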
Configuring iDRAC6 for Single Sign-On and Active Directory Authentication Using Smart Card
Upload the keytab obtained from the Active Directory root domain to iDRAC6:
1. Click System → Remote Access → iDRAC6 → Network/Security → Directory Service → Microsoft Active Directory.
2. At the bottom of the Active Directory summary page, click Kerberos Keytab Upload.
3. On the Kerberos Keytab Upload page, select the keytab file to upload and click Apply.
You can also upload the file to iDRAC6 by using CLI racadm commands. The following command uploads the keytab file to iDRAC6:
racadm krbkeytabupload -f <filename>
where <filename> is the name of the keytab file.
Configuring Active Directory Users for Single Sign-On Logon
Before using the Active Directory single sign-on logon feature, ensure that you have already configured iDRAC6 for Active Directory login and that the domain user account you will use to log in to the system has been enabled for iDRAC6 Active Directory login.
Also ensure that you have enabled the Active Directory logon setting. You must also enable iDRAC6 as a kerberized service by uploading to iDRAC6 a valid keytab obtained from the Active Directory root domain.
Logging Into iDRAC6 Using Single Sign-On for Active Directory Users
NOTE: To log into iDRAC6, ensure that you have the latest runtime components of Microsoft Visual C++ 2005 Libraries. For more information, see the Microsoft website.
1. Log into your system using a valid Active Directory account.
2. Enter the iDRAC6 name in the address bar of your browser in the following format: https://idracname.domainname.com (for example, https://idractest.domain.com).
NOTE: Depending on your browser settings, you may be prompted to download and install single sign-on plug-in when using this feature for the first time.
NOTE: For SSO, if you are using Internet Explorer, go to Tools → Internet Options → Security tab → Local Intranet → click Sites → click Advanced and then add an entry *.domain.com to the zone. If you are using Firefox, type about:config, and then add domain.com to the properties network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris. Note that trusted-uris controls which sites receive a Kerberos ticket, while delegation-uris additionally allows those sites to receive a forwardable copy of your credentials, so keep both entries as narrow as possible rather than listing unrelated domains.
You are logged into iDRAC6 with appropriate Microsoft Active Directory privileges if:
You are a Microsoft Active Directory user
You are configured in iDRAC6 for Active Directory login
iDRAC6 is enabled for Kerberos Active Directory authentication
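The script below is an added example, not from the iDRAC6 User's Guide, showing the client-side browser configuration the note above describes done from PowerShell instead of by hand, followed by a check that the workstation can actually obtain a Kerberos service ticket for the iDRAC6 SPN. The domain "domain.com", the iDRAC6 host "idractest", the per-user registry scope and the Firefox profile location are assumptions; klist.exe is built into Windows 7 and later.

```powershell
# Added example (not from the iDRAC6 User's Guide). Run as the user who will
# log in to iDRAC6 with SSO. Domain, host and profile path are assumptions.
$AdDomain  = "domain.com"
$IdracHost = "idractest.$AdDomain"

# Internet Explorer: map *.domain.com into the Local Intranet zone so IE sends
# Negotiate (Kerberos) credentials automatically. The ZoneMap value "*" covers
# all protocols; DWORD 1 = Local intranet, 2 = Trusted sites. HKCU affects only
# this user; use HKLM to apply it machine-wide.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$AdDomain"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name "*" -PropertyType DWord -Value 1 -Force | Out-Null

# Firefox: the same two about:config preferences the guide has you set, written
# to user.js in the first profile found (assumption: a single profile). Only
# trusted-uris is needed for SSO itself; delegation-uris lets the listed domain
# receive forwardable credentials, so it is limited to the AD domain here.
$ffProfile = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory |
             Select-Object -First 1
if ($ffProfile) {
    $userJs = Join-Path $ffProfile.FullName "user.js"
    @"
user_pref("network.negotiate-auth.trusted-uris", "$AdDomain");
user_pref("network.negotiate-auth.delegation-uris", "$AdDomain");
"@ | Add-Content -Path $userJs
}

# Verify the Kerberos side independently of any browser: request a service
# ticket for the iDRAC6 SPN. Success proves the SPN resolves to the mapped
# account and the clocks are within tolerance; failure points at the keytab,
# SPN or time skew rather than at the browser zone settings.
klist get "HTTP/$IdracHost"
klist | Select-String "HTTP/$IdracHost"
```

If klist get returns a KDC error such as an unknown principal, fix the SPN mapping on the Domain Controller before touching browser settings; if it succeeds but the browser still prompts for a password, the problem is the zone or about:config configuration on the client.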
Configuring Active Directory Users for Smart Card Logon
Before using the Active Directory Smart Card logon feature, ensure that you have already configured iDRAC6 for Active Directory login and that the user account that has been issued the Smart Card has been enabled for iDRAC6 Active Directory login.
Also ensure that you have enabled the Active Directory logon setting. You must also enable iDRAC6 as a kerberized service by uploading to iDRAC6 a valid keytab obtained from the Active Directory root domain.
NOTE: Smart Card-based Two Factor Authentication (TFA) and single sign-on (SSO) are not supported if Active Directory is configured for the Extended schema. Both Smart Card-based TFA and single sign-on are supported on Microsoft Windows operating systems with Internet Explorer®. Smart Card-based TFA is not supported on Firefox browsers, whereas single sign-on to iDRAC6 is supported on Firefox browsers.
CAUTION: To log into iDRAC6, ensure that you have the latest runtime components of Microsoft Visual C++ 2005 libraries installed (32-bit C++ library). Else, the Smart Card plugin will not load and you will not be able to login to iDRAC6. For more information, see the Microsoft website at www.microsoft.com.
You are logged into iDRAC6 with appropriate Microsoft Active Directory privileges if:
You are a Microsoft Active Directory user
You are configured in iDRAC6 for Active Directory login
iDRAC6 is enabled for Kerberos Active Directory authentication
You have entered the correct PIN for the Smart Card associated with the Active Directory user attempting to log in
iDRAC6 Login Scenarios with TFA and SSO
When you log into iDRAC6 from the CMC web GUI, the login screen iDRAC6 displays depends on the TFA and SSO settings and on the iDRAC/iDRAC6 and CMC versions in use:
CMC v2.1 or later with TFA enabled, and iDRAC6 v2.1 or later with TFA enabled: iDRAC6 login prompt with PIN entry.
CMC v2.1 or later with TFA enabled, and iDRAC6 v2.1 or later with TFA disabled and SSO disabled: iDRAC6 login prompt with user name, domain, and password.
CMC v2.1 or later with TFA enabled, and iDRAC6 v2.1 or later with TFA disabled and SSO enabled: iDRAC6 logs in automatically with SSO.
CMC v2.1 or later with TFA enabled, and iDRAC6 v2.0: iDRAC6 login prompt with user name, domain, and password.
CMC v2.1 or later with TFA enabled, and iDRAC 1.x: iDRAC6 login prompt with user name, domain, and password.
CMC v2.0 or earlier, and iDRAC6 v2.1 or later with TFA enabled: iDRAC6 login prompt with PIN entry.
CMC v2.1 or later with TFA disabled, and iDRAC6 v2.1 or later with TFA enabled and SSO disabled: iDRAC6 prompts for PIN entry.
CMC v2.1 or later with TFA disabled, and iDRAC6 v2.1 or later with TFA disabled and SSO enabled: iDRAC6 logs in with SSO.