bjosafa

Configure Active Directory Authentication on a PowerEdge M1000e CMC Version 4.20

Hello,

I need to configure Active Directory authentication, but have been unsuccessful... I am using a PowerEdge M1000e CMC Version 4.20. My domain controllers are Windows 2003.

What I've done is, on Directory Services settings I configured:

  • Type of directory:
    • Microsoft Active Directory (Standard Schema) checked.
  • Common Settings:
    • Enable Active Directory: checked.
    • Certificate Validation Enabled: checked.
    • Root Domain Name: sub.domain.local
    • AD Timeout: 120 seconds
    • Specify AD Server to search (Optional): checked.
    • Domain Controller: dc01.sub.domain.local
    • Global Catalog: dc01.sub.domain.local
  • Standard Schema Settings:
    • Group Name: CMC_Remote_Control
    • Group domain: sub.domain.local
    • Group Privilege: Administrator
  • Manage Certificates:
    • Uploaded the dc01.sub.domain.local computer certificate, issued by the Domain CA, without the private key.
  • Kerberos Keytab:
    • Left blank.

The output of the testfeature -f adkrb command follows:

$ testfeature -f adkrb -u user@sub.domain.local
[check]: (syntax) Verify command syntax: PASSED
[check]: (system) Verify needed system resources: PASSED
[check]: (setup) Validate AD configuration: FAILED
ERROR - (setup) Smart Card or SSO is NOT enabled
[check]: (setup) Verify SSL certificate files exist: PASSED
[check]: (rip) Reverse IP lookup for CMC, AD and GC FQDN: PASSED
[check]: (keytab) Verify Keytab principal: FAILED
ERROR - (keytab): Keytab file missing
Test Failed

The logs obtained via gettracelog follow:

Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ActiveDirectoryAuthenticate: user: user, domain: sub.domain.local, AD type: 2
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: userDomain: sub.domain.local
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: Found AD servers to search: dc01.sub.domain.local
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: AD server: dc01.sub.domain.local
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_ssl_init( dc01.sub.domain.local, 636 )
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: LDAP client: Simple Bind Failure - Can't contact LDAP server: (-1)
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_client_api.c,468: Bind SSL Failed!
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: openldap_err2adquery: Can't contact LDAP server: -1
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: SD: dc01.sub.domain.local, port: 636, prv: 0, rt: 24582
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: Found GC servers for search: dc01.sub.domain.local
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: GC server: dc01.sub.domain.local
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: SSAD GC Query.
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_ssl_init( dc01.sub.domain.local, 3269 )
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: LDAP client: Simple Bind Failure - Can't contact LDAP server: (-1)
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_client_api.c,468: Bind SSL Failed!
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: openldap_err2adquery: Can't contact LDAP server: -1
Sep 26 10:40:46 GWGDDBC01 : Domain user authen. fails, err: 24582
Sep 26 10:40:47 GWGDDBC01 : Login failed (username=sub.domain.local\user, ip=172.22.1.15, error=0x00006006, type=GUI)
Sep 26 10:40:47 GWGDDBC01 webcgi[15799]: session close SID succeeds: sid=40743, User: sub.domain.local\user, IP: 172.22.1.15
Sep 26 10:40:47 GWGDDBC01 : session close succeeds: sid=40743

But if I disable the Certificate Validation Enabled option in the Directory Services settings, I can log in. The logs follow:

Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: ActiveDirectoryAuthenticate: user: user, domain: sub.domain.local, AD type: 2
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: userDomain: sub.domain.local
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: Found AD servers to search: dc01.sub.domain.local
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: AD server: dc01.sub.domain.local
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: ldap_ssl_init( dc01.sub.domain.local, 636 )
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: Warning: SSL certificate verification is disabled
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: LDAP client: Simple Bind Successful
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: SD: dc01.sub.domain.local, port: 636, prv: 0, rt: 0
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: Found GC servers for search: dc01.sub.domain.local
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: GC server: dc01.sub.domain.local
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: SSAD GC Query.
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: ldap_ssl_init( dc01.sub.domain.local, 3269 )
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: Warning: SSL certificate verification is disabled
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: LDAP client: Simple Bind Successful
Sep 26 10:43:52 GWGDDBC01 webcgi[22125]: GC server: dc01.sub.domain.local
Sep 26 10:43:52 GWGDDBC01 webcgi[22125]: legacy privileges    = 0x80000fff
Sep 26 10:43:52 GWGDDBC01 webcgi[22125]: extended privileges  = 0x00000000
Sep 26 10:43:53 GWGDDBC01 : Login success from 172.22.1.15 (username=sub.domain.local\user, type=GUI, sid=61684)

Could you guys please help me? I found another topic with a similar error, but it was not answered:

 http://en.community.dell.com/support-forums/servers/f/946/t/19272940.aspx


Accepted Solutions
Moderator

RE: Configure Active Directory Authentication on a PowerEdge M1000e CMC Version 4.20

Bjosafa,

It appears you are using a sub CA certificate. You need to be using the Enterprise Root CA certificate; you will need to export that certificate from the Enterprise Root CA server and import it into the iDRAC.

Let me know how it goes.

Chris Hawk

Dell | Social Outreach Services - Enterprise
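
Added example, not part of the original thread and not Dell tooling: a small Python audit of gettracelog output in the format quoted in the question. It records each LDAPS attempt per webcgi PID and flags binds that succeeded only because certificate verification was disabled, which means the CMC sent directory credentials to a server it had not authenticated. The function names and the result dictionary keys are assumptions made for this example; the sample is an excerpt of the lines quoted above.

```python
import re

# Excerpt of the gettracelog lines quoted in the thread (failed attempt with
# validation enabled, then a successful attempt with validation disabled).
SAMPLE_LOG = """\
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_ssl_init( dc01.sub.domain.local, 636 )
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_client_api.c,468: Bind SSL Failed!
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_ssl_init( dc01.sub.domain.local, 3269 )
Sep 26 10:40:46 GWGDDBC01 webcgi[15809]: ldap_client_api.c,468: Bind SSL Failed!
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: ldap_ssl_init( dc01.sub.domain.local, 636 )
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: Warning: SSL certificate verification is disabled
Sep 26 10:43:51 GWGDDBC01 webcgi[22125]: LDAP client: Simple Bind Successful
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) webcgi\[(\d+)\]: (.*)$")
INIT = re.compile(r"ldap_ssl_init\( *(\S+), *(\d+) *\)")

def audit_ldaps(log_text):
    """Return one finding per LDAPS connection attempt, in log order."""
    findings = []
    current = {}  # pid -> finding opened by that PID's latest ldap_ssl_init
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines without a webcgi[pid] tag carry no LDAP detail
        ts, _host, pid, msg = m.groups()
        init = INIT.search(msg)
        if init:
            # Verification is assumed on unless the warning line follows.
            current[pid] = {"time": ts, "pid": int(pid),
                            "server": init.group(1), "port": int(init.group(2)),
                            "verify_enabled": True, "result": "unknown"}
            findings.append(current[pid])
        elif pid in current:
            if "certificate verification is disabled" in msg:
                current[pid]["verify_enabled"] = False
            elif "Bind SSL Failed" in msg:
                current[pid]["result"] = "tls_bind_failed"
            elif "Simple Bind Successful" in msg:
                current[pid]["result"] = "bind_ok"
    return findings

def unverified_binds(findings):
    """Binds that succeeded without the server certificate being checked."""
    return [f for f in findings
            if f["result"] == "bind_ok" and not f["verify_enabled"]]

if __name__ == "__main__":
    for finding in audit_ldaps(SAMPLE_LOG):
        print(finding)
```

A `tls_bind_failed` result with `verify_enabled` still true on both 636 and 3269 is the pattern that points at the trust anchor loaded on the device rather than at network reachability.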