astee

Drac5 and iDrac6 SSO (AD authentication and login test OK)

Hi all,

I've got our DRACs to authenticate with AD, which is great, and I can log in using our standard AD accounts, but I'm having some issues getting single sign-on working.

I'll summarise what I've done so far...

1. Enabled SSO on the Drac

2. Registered DNS entry - idrac-xxxxxxx to 192.168.xxx.xxx.

3. Created a user account in AD called idrac-xxxxxxx and changed the account settings to use "Do not require Kerberos pre-authentication" and "Use DES encryption types for this account". Used xxxxxx as the password.

4. Created keytab using the following...

ktpass -princ HOST/idrac-xxxxxxx.mydomain.local@MYDOMAIN.LOCAL -mapuser idrac-xxxxxxx -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass xxxxxx -out c:\krbkeytab

5. Uploaded keytab to Drac.

6. Added the FQDN address into trusted sites in IE.

7. Went to https://idrac-xxxxxxx. Credentials failed.

Any ideas where I'm going wrong? I think the ktpass is correct, but I'm not 100% sure.

All feedback welcome.

Cheers,
Alex

 

16 Replies

Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

Can you let me know whether the steps mentioned above were tried on a DRAC5 or an iDRAC6? If iDRAC6, let me know whether it is a modular or monolithic server. We would also like to know which operating system is running on the Domain Controller, and the client operating system and browser used for launching the iDRAC. We also need the firmware version on the iDRAC.

Thanks-


Shine

astee

Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

Hi Shine,

The above was on a DRAC5, but I have also done similar on the iDRAC6. They are on a PE2900 and an R610 respectively.

Both are running Server 2012 x64. The domain functional level is 2008R2 and client OS is Win7 Ent SP1 with IE9.

Drac5 1.65

iDrac6 1.92

Cheers,

Alex


Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

Let's try iDRAC6 first. There is additional configuration you have to perform on the client and the Domain Controller, as you have Windows 2008 R2 and Windows 7.

Refer "Frequently Asked Questions About SSO" section under iDRAC6 User Guide for more details.

ftp://ftp.dell.com/Manuals/all-products/esuprt_electronics/esuprt_software/esuprt_remote_ent_sys_mgm...

Which schema are you using for AD authentication, Standard or Extended? After configuring SSO, can you run the test setting and let me know the result?

You also need to make sure the iDRAC6 time exactly matches the Domain Controller time. As the BIOS/iDRAC has no way of determining the time zone from the system, the time shown in the iDRAC is assumed to be GMT. If it is not GMT, you need to set the time zone offset in minutes using the following command:

racadm config -g cfgRacTuning -o cfgRacTuneTimezoneOffset <Offset value>

To determine whether the iDRAC and Domain Controller time are in sync, run the "racadm getractime" command and check whether the date and time shown are the same as the GMT time of the Domain Controller (you can check this by changing the Domain Controller time zone to UTC and reading the new date and time). If they are not the same, we need to set the timezone offset object. E.g. if the iDRAC time is 5 hours and 30 minutes behind the server time, set the offset value to "-330" (5 x 60 + 30).

Other things to check are:

1: Make sure the iDRAC IP also has an entry in the reverse lookup zone.

2: Make sure there is no duplicate entry in DNS for the iDRAC. E.g. there should not be two entries in DNS giving two names for the same iDRAC IP.

Thanks-


Shine

astee

Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

Thanks for that. I'll go through the details outlined and ping a response back.

Also, could you re-post the PDF link, as it has been truncated and I can't access it.

Thanks,

Alex

astee

Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

I forgot to mention that I'm using the standard schema. We are in a GMT location (UK), and the times contained within the logs (login, for example) are correct and match our client/server times. Having said that, where do I run the racadm getractime command from?

Another question. As I have multiple DRAC and iDRAC, do I need to create a new AD (user) object for each RAC to link to the keytab file? And if that is the case, do I need to upload a custom keytab to each RAC?

This is the output from the test...

Test Results

Attribute  Value  

Keytab file exists  Passed  
Keytab file is valid  Passed  
Getting TGT from server  Failed  
Ping Directory Server  Passed  
Directory Server DNS Name  Passed  
DNS Directory Lookup  Passed  
DNS Global Catalog Lookup  Passed  
Connect to Directory Server 1 (Unencrypted)  Passed  
Connect to Directory Server 2 (Unencrypted)  Passed  
Connect to Directory Server 3 (Unencrypted)  Passed  
Connect to Directory Server 4 (Unencrypted)  Passed  
Connect to Directory Server 1 (SSL)  Passed  
Connect to Directory Server 2 (SSL)  Passed  
Connect to Directory Server 3 (SSL)  Passed  
Connect to Directory Server 4 (SSL)  Passed  
Connect to Global Catalog 1 (Unencrypted)  Passed  
Connect to Global Catalog 2 (Unencrypted)  Passed  
Connect to Global Catalog 3 (Unencrypted)  Passed  
Connect to Global Catalog 4 (Unencrypted)  Passed  
Connect to Global Catalog 1 (SSL)  Passed  
Connect to Global Catalog 2 (SSL)  Passed  
Connect to Global Catalog 3 (SSL)  Passed  
Connect to Global Catalog 4 (SSL)  Passed  
Certificate Validation  Passed  
User Authentication  Passed  
User Authorization  Passed  
iDRAC Device Object Exists  Not Applicable

Thanks,

Alex


Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

Generally, getting a TGT fails when there is a difference in time. You can run racadm getractime from the iDRAC firmware racadm: SSH to the iDRAC IP with the iDRAC username and password.

Also run the racadm command below and let me know the result.

racadm getconfig -g cfgRactuning

Just to confirm, make sure the Domain Controller is in UTC (GMT) time.

Check the steps I mentioned on Windows 2008R2 and Windows 7.

Link to the User's Guide:

www.dell.com/.../integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95

Open "Integrated Dell Remote Access Controller 6 (iDRAC6) Version 1.95 User's Guide" at the above link and refer to the "Frequently Asked Questions About SSO" section.

Thanks-


Shine

astee

Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

Hi Shine,

This is the output... Could it be a certificate error?...

Security Alert: Certificate is invalid - Certificate is not signed by Trusted Third Party Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.

cfgRacTuneRemoteRacadmEnable=1
cfgRacTuneWebserverEnable=1
cfgRacTuneHttpPort=80
cfgRacTuneHttpsPort=443
cfgRacTuneTelnetPort=23
cfgRacTuneSshPort=22
cfgRacTuneConRedirEnable=1
cfgRacTuneConRedirPort=5900
cfgRacTuneConRedirEncryptEnable=1
cfgRacTuneLocalServerVideo=1
cfgRacTuneIpRangeEnable=0
cfgRacTuneIpRangeAddr=192.168.1.1 (this is reporting incorrect IP range)
cfgRacTuneIpRangeMask=255.255.255.0 (this is reporting incorrect subnet mask)
cfgRacTuneIpBlkEnable=0
cfgRacTuneIpBlkFailCount=5
cfgRacTuneIpBlkFailWindow=60
cfgRacTuneIpBlkPenaltyTime=300
cfgRacTuneTimezoneOffset=0
cfgRacTuneDaylightOffset=0
cfgRacTuneAsrEnable=1
cfgRacTunePlugintype=1
cfgRacTuneCtrlEConfigDisable=0
cfgRacTuneLocalConfigDisable=0
cfgRacTuneVirtualConsoleAuthorizeMultipleSessions=0

Thanks for the help so far,
Alex

 


Re: Drac5 and iDrac6 SSO (AD authentication and login test OK)

Can you check the settings I mentioned for Windows 2008 R2 and Windows 7? I corrected the link issue in the first post.

ftp://ftp.dell.com/Manuals/all-products/esuprt_electronics/esuprt_software/esuprt_remote_ent_sys_mgm...

Thanks-


Shine

LANCOFCU

RE: Drac5 and iDrac6 SSO (AD authentication and login test OK)

I'm having the exact same issue. I'm getting the following when I test AD:

Attribute  Value

Keytab file exists  Passed
Keytab file is valid  Passed
Getting TGT from server  Failed
Ping Directory Server  Passed
Directory Server DNS Name  Passed
DNS Directory Lookup  Passed
DNS Global Catalog Lookup  Passed
Connect to Directory Server 1 (Unencrypted)  Passed
Connect to Directory Server 2 (Unencrypted)  Passed
Connect to Directory Server 3 (Unencrypted)  Passed
Connect to Directory Server 4 (Unencrypted)  Passed
Connect to Directory Server 1 (SSL)  Passed
Connect to Directory Server 2 (SSL)  Passed
Connect to Directory Server 3 (SSL)  Passed
Connect to Directory Server 4 (SSL)  Passed
Connect to Global Catalog 1 (Unencrypted)  Passed
Connect to Global Catalog 2 (Unencrypted)  Passed
Connect to Global Catalog 3 (Unencrypted)  Passed
Connect to Global Catalog 4 (Unencrypted)  Passed
Connect to Global Catalog 1 (SSL)  Passed
Connect to Global Catalog 2 (SSL)  Passed
Connect to Global Catalog 3 (SSL)  Passed
Connect to Global Catalog 4 (SSL)  Passed
Certificate Validation  Disabled
User Authentication  Passed
User Authorization  Passed
iDRAC Device Object Exists  Not Applicable

10:43:33 Initiating Directory Services Settings Diagnostics:
10:43:33 principal name from keytab: HOST/ws-idrac.DOMAIN.com@DOMAIN.com
10:43:33 getting TGT failed: check date/time and time zone offset.
10:43:33 DNS SRV look up with _ldap._tcp.corporate.lanco.com

AD is working on the DRAC, as I can log in, but SSO isn't. I'm not sure if the time zone would have anything to do with it, as I'm still able to log in.

I also ran through the FAQ section and set "Network security: Configure encryption types allowed for Kerberos" to all options.

I'm not sure where to start troubleshooting.

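Both keytabs in this thread were produced with ktpass and then uploaded blind, and the one diagnostic line that does show what the DRAC read from the file ("principal name from keytab: HOST/ws-idrac.DOMAIN.com@DOMAIN.com") exposes a lower-case realm, while the first post's ktpass asks for DES-CBC-MD5, an enctype that Windows 7 and Server 2008 R2 disable by default. The following is an added example, not Dell code and not something posted in the thread: it parses the MIT krb5 keytab format that ktpass -out writes (version 0x0502) and flags the three things a practitioner would want to confirm before uploading, namely that there is a HOST/<iDRAC FQDN> entry, that the realm is the upper-case Kerberos realm, and that the enctype is not DES. The host names, realms, kvno values and key bytes in the samples are constructed.

```python
"""Inspect a Kerberos keytab before uploading it to a DRAC5/iDRAC6.

Added example, not Dell code: implements the MIT krb5 keytab file format
(version 0x0502, which ktpass -out writes) so it runs offline. Host names,
realms and key bytes in the constructed samples below are made up.
"""
import struct
import time

# Kerberos enctype numbers (RFC 3961/3962/4757) that matter for this thread.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_ENCTYPES = {1, 2, 3}
KRB5_NT_PRINCIPAL = 1  # the -ptype the ktpass command in the thread uses


def _counted(data: bytes) -> bytes:
    """keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, realm, enctype, kvno, key) tuples as a v2 keytab (sample data only)."""
    out = bytearray(b"\x05\x02")
    for principal, realm, enctype, kvno, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return one dict per entry (principal, realm, enctype, kvno, name_type); keys are never exposed."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 (0x0502) keytab")
    pos, entries = 2, []

    def take(n):
        nonlocal pos
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    def take_counted():
        (n,) = struct.unpack(">H", take(2))
        return take(n)

    while pos < len(blob):
        (size,) = struct.unpack(">i", take(4))
        if size < 0:                 # negative size marks a deleted slot
            take(-size)
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        realm = take_counted().decode()
        comps = [take_counted().decode() for _ in range(ncomp)]
        name_type, _timestamp, vno8 = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        take_counted()               # the key itself; never log it
        kvno = vno8
        if end - pos >= 4:           # extension present: full 32-bit kvno
            (kvno,) = struct.unpack(">I", take(4))
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "enctype": enctype, "kvno": kvno, "name_type": name_type})
    return entries


def check_for_idrac_sso(entries, idrac_fqdn, realm):
    """Findings to fix before uploading; an empty list means the keytab looks right."""
    findings = []
    wanted = f"HOST/{idrac_fqdn}".lower()
    realm = realm.upper()
    if not any(e["principal"].lower() == wanted for e in entries):
        findings.append(f"no entry for {wanted}: the principal must be HOST/<iDRAC FQDN>")
    for e in entries:
        ident = f"{e['principal']}@{e['realm']}"
        if e["realm"] != realm:
            findings.append(f"{ident}: realm is not {realm} "
                            "(realm names are case-sensitive and written in upper case)")
        if e["enctype"] in DES_ENCTYPES:
            findings.append(f"{ident}: {ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} is DES; "
                            "Windows 7 / Server 2008 R2 disable DES by default unless the "
                            "'encryption types allowed for Kerberos' policy re-enables it")
    return findings


# Constructed samples: one shaped like the keytabs in this thread, one clean.
BAD_KEYTAB = build_keytab([("HOST/ws-idrac.domain.com", "domain.com", 3, 1, bytes(8))])
GOOD_KEYTAB = build_keytab([("HOST/idrac-01.mydomain.local", "MYDOMAIN.LOCAL", 18, 300, bytes(32))])

if __name__ == "__main__":
    bad = parse_keytab(BAD_KEYTAB)
    print(bad, check_for_idrac_sso(bad, "ws-idrac.domain.com", "DOMAIN.COM"))
    good = parse_keytab(GOOD_KEYTAB)
    print(good, check_for_idrac_sso(good, "idrac-01.mydomain.local", "MYDOMAIN.LOCAL"))
```

To run it against a real file, replace the constructed blobs with `open(r"c:\krbkeytab", "rb").read()` and pass the iDRAC's FQDN and realm as configured on the DRAC. The parser reads the 32-bit kvno extension when present, so a keytab whose kvno has passed 255 is reported correctly rather than truncated to the 8-bit field; the key material is consumed but never returned or printed.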