
May 17th, 2013 06:00

Drac5 and iDrac6 SSO (AD authentication and login test OK)

Hi all,

I've got our DRACs to authenticate with AD, which is great, and I can log in using our standard AD accounts, but I'm having some issues getting single sign-on working.

I'll summarise what I've done so far...

1. Enabled SSO on the Drac

2. Registered DNS entry - idrac-xxxxxxx to 192.168.xxx.xxx.

3. Created a user account in AD called idrac-xxxxxxx and changed the account settings to use "Do not require Kerberos pre-authentication" and "Use DES encryption types for this account". Used xxxxxx as the password.

4. Created keytab using the following...

ktpass -princ HOST/idrac-xxxxxxx.mydomain.local@MYDOMAIN.LOCAL -mapuser idrac-xxxxxxx -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass xxxxxx -out c:\krbkeytab

5. Uploaded keytab to Drac.

6. Added the FQDN address into trusted sites in IE.

7. Go to https://idrac-xxxxxxx. Credentials failed.

Any ideas where I'm going wrong? I think the ktpass is correct, but I'm not 100% sure.

All feedback welcome.

Cheers,
Alex

4 Operator


3K Posts

May 17th, 2013 09:00

Can you let me know whether the steps mentioned above were tried on a DRAC5 or an iDRAC6? If iDRAC6, let me know whether it is a modular or monolithic server. We would also like to know which operating system is running on the Domain Controller, the client operating system and browser used for launching iDRAC, and the firmware version on the iDRAC.

14 Posts

May 17th, 2013 10:00

Hi Shine,

The above was on a Drac5, but I have also done similar on the iDrac6. They are on a PE2900 and an R610 respectively.

Both are running Server 2012 x64. The domain functional level is 2008R2 and client OS is Win7 Ent SP1 with IE9.

Drac5 1.65

iDrac6 1.92

Cheers,

Alex

4 Operator


3K Posts

May 18th, 2013 08:00

Let's try iDRAC6 first. There is additional configuration you have to perform on the client and Domain Controller, as you are using Windows 2008 R2 and Windows 7.

Refer to the "Frequently Asked Questions About SSO" section of the iDRAC6 User Guide for more details.

ftp://ftp.dell.com/Manuals/all-products/esuprt_electronics/esuprt_software/esuprt_remote_ent_sys_mgmt/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.9_User%27s%20Guide_en-us.pdf

Which schema are you using for AD authentication, Standard or Extended? After configuring SSO, can you perform a test setting and let me know the result?

You also need to make sure the iDRAC6 time exactly matches the Domain Controller time. As the BIOS/iDRAC doesn't have the capability of deciding the time zone from the system, the time shown in iDRAC is assumed to be GMT time. If it is not GMT time you need to set the time zone offset in minutes using the following command:

racadm config -g cfgRacTuning -o cfgRacTuneTimezoneOffset <offset-in-minutes>

To determine whether the iDRAC and Domain Controller time are in sync, run the "racadm getractime" command and check whether the date and time shown are the same as the GMT time of the Domain Controller (you can check this by changing the Domain Controller time zone to UTC and checking the new time and date). If they are not the same then we need to set the timezoneoffset object. E.g. if the iDRAC time is 5 hours and 30 minutes behind the server time then set the offset value as "-330" (5 x 60 + 30).

Other things to check are:

1: Make sure the iDRAC IP has an entry in the reverse lookup zone as well

2: Make sure there is no duplicate entry in DNS for the iDRAC. E.g. there should not be two entries in DNS with two names for the same iDRAC IP

14 Posts

May 20th, 2013 02:00

Thanks for that. I'll go through the details outlined and ping a response back.

Also, could you re-up the PDF link as it has been truncated and I can't access the link.

Thanks,

Alex

14 Posts

May 20th, 2013 07:00

I forgot to mention that I'm using the standard schema. We are in a GMT location (UK) and the times contained within the logs (login for example) are correct and match our client/server times. Having said that, where do I run the racadm getractime command from?

Another question. As I have multiple DRAC and iDRAC, do I need to create a new AD (user) object for each RAC to link to the keytab file? And if that is the case, do I need to upload a custom keytab to each RAC?

This is the output from the test...

Test Results

Attribute  Value  

Keytab file exists  Passed  
Keytab file is valid  Passed  
Getting TGT from server  Failed  
Ping Directory Server  Passed  
Directory Server DNS Name  Passed  
DNS Directory Lookup  Passed  
DNS Global Catalog Lookup  Passed  
Connect to Directory Server 1 (Unencrypted)  Passed  
Connect to Directory Server 2 (Unencrypted)  Passed  
Connect to Directory Server 3 (Unencrypted)  Passed  
Connect to Directory Server 4 (Unencrypted)  Passed  
Connect to Directory Server 1 (SSL)  Passed  
Connect to Directory Server 2 (SSL)  Passed  
Connect to Directory Server 3 (SSL)  Passed  
Connect to Directory Server 4 (SSL)  Passed  
Connect to Global Catalog 1 (Unencrypted)  Passed  
Connect to Global Catalog 2 (Unencrypted)  Passed  
Connect to Global Catalog 3 (Unencrypted)  Passed  
Connect to Global Catalog 4 (Unencrypted)  Passed  
Connect to Global Catalog 1 (SSL)  Passed  
Connect to Global Catalog 2 (SSL)  Passed  
Connect to Global Catalog 3 (SSL)  Passed  
Connect to Global Catalog 4 (SSL)  Passed  
Certificate Validation  Passed  
User Authentication  Passed  
User Authorization  Passed  
iDRAC Device Object Exists  Not Applicable

Thanks,

Alex

14 Posts

May 20th, 2013 09:00

Hi Shine,

This is the output... Could it be a certificate error?...

Security Alert: Certificate is invalid - Certificate is not signed by Trusted Third Party Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.

cfgRacTuneRemoteRacadmEnable=1
cfgRacTuneWebserverEnable=1
cfgRacTuneHttpPort=80
cfgRacTuneHttpsPort=443
cfgRacTuneTelnetPort=23
cfgRacTuneSshPort=22
cfgRacTuneConRedirEnable=1
cfgRacTuneConRedirPort=5900
cfgRacTuneConRedirEncryptEnable=1
cfgRacTuneLocalServerVideo=1
cfgRacTuneIpRangeEnable=0
cfgRacTuneIpRangeAddr=192.168.1.1 (this is reporting incorrect IP range)
cfgRacTuneIpRangeMask=255.255.255.0 (this is reporting incorrect subnet mask)
cfgRacTuneIpBlkEnable=0
cfgRacTuneIpBlkFailCount=5
cfgRacTuneIpBlkFailWindow=60
cfgRacTuneIpBlkPenaltyTime=300
cfgRacTuneTimezoneOffset=0
cfgRacTuneDaylightOffset=0
cfgRacTuneAsrEnable=1
cfgRacTunePlugintype=1
cfgRacTuneCtrlEConfigDisable=0
cfgRacTuneLocalConfigDisable=0
cfgRacTuneVirtualConsoleAuthorizeMultipleSessions=0

Thanks for the help so far,
Alex

4 Operator


3K Posts

May 20th, 2013 09:00

Generally, "Getting TGT" fails when there is a difference in time. You can run racadm getractime from the iDRAC firmware RACADM: SSH to the iDRAC IP with the iDRAC username and password.

Also run the below racadm command and let me know the result.

racadm getconfig -g cfgRacTuning

Just to confirm, make sure the Domain Controller is in UTC (GMT) time.

Check the steps I mentioned for Windows 2008 R2 and Windows 7.

Link to the User Guide:

www.dell.com/.../integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95

Open "Integrated Dell Remote Access Controller 6 (iDRAC6) Version 1.95 User's Guide" in the above link and refer to the "Frequently Asked Questions About SSO" section.


5 Posts

April 7th, 2014 08:00

I'm having the exact same issue. I'm getting the following when I test AD:

Keytab file exists  Passed
Keytab file is valid  Passed
Getting TGT from server  Failed
Ping Directory Server  Passed
Directory Server DNS Name  Passed
DNS Directory Lookup  Passed
DNS Global Catalog Lookup  Passed
Connect to Directory Server 1 (Unencrypted)  Passed
Connect to Directory Server 2 (Unencrypted)  Passed
Connect to Directory Server 3 (Unencrypted)  Passed
Connect to Directory Server 4 (Unencrypted)  Passed
Connect to Directory Server 1 (SSL)  Passed
Connect to Directory Server 2 (SSL)  Passed
Connect to Directory Server 3 (SSL)  Passed
Connect to Directory Server 4 (SSL)  Passed
Connect to Global Catalog 1 (Unencrypted)  Passed
Connect to Global Catalog 2 (Unencrypted)  Passed
Connect to Global Catalog 3 (Unencrypted)  Passed
Connect to Global Catalog 4 (Unencrypted)  Passed
Connect to Global Catalog 1 (SSL)  Passed
Connect to Global Catalog 2 (SSL)  Passed
Connect to Global Catalog 3 (SSL)  Passed
Connect to Global Catalog 4 (SSL)  Passed
Certificate Validation  Disabled
User Authentication  Passed
User Authorization  Passed
iDRAC Device Object Exists  Not Applicable

10:43:33 Initiating Directory Services Settings Diagnostics:
10:43:33 principal name from keytab: HOST/ws-idrac.DOMAIN.com@DOMAIN.com
10:43:33 getting TGT failed: check date/time and time zone offset.
10:43:33 DNS SRV look up with _ldap._tcp.corporate.lanco.com

AD is working on the DRAC as I can log in, but SSO isn't. I'm not sure if the time zone would have anything to do with it as I'm still able to log in.

I also ran through the FAQ section and set the "Network Security: Configure encryption types allowed for Kerberos" policy to all options.

I'm not sure where to start troubleshooting.

4 Operator


3K Posts

April 7th, 2014 10:00

Can you provide the below information?

  1. Server model
  2. DRAC5 and iDRAC6 FW version
  3. OS installed on server
  4. Time zone configured on OS in server
  5. AD Domain controller OS
  6. ktpass command run to create keytab file

5 Posts

April 7th, 2014 11:00

Sure,

1. Dell R210ii
2. iDRAC6 FW 1.97
3. 2008 R2 (currently a domain controller)
4. Eastern Standard Time
5. 2008 R2 (all DCs are 2008 R2)
6. I took it straight out of the User Guide:

ktpass -princ HOST/ws-idrac.domainname.com@DOMAINNAME.COM -mapuser ws-idrac -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass PASSWORD -out c:\krbkeytab

I was under the assumption that you have to have an AD User object (ws-idrac) with DES Encryption for the account, which I've done. I've also registered the drac name (ws-idrac) in DNS. It seemed to like the command and the iDRAC didn't bark when I did the import.

5 Posts

April 7th, 2014 12:00

I tried that before per your recommendations above and I couldn't get it to work. Is it supposed to show an offset when you run racadm getractime? Because mine did not. Here is my output from when I SSH'd into the iDRAC:

/admin1-> racadm getractime
Mon Apr 7 14:36:41 2014
/admin1-> racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset -300
Object value modified successfully
/admin1-> racadm getractime
Mon Apr 7 14:36:58 2014
/admin1->

And here is the racadm getconfig -g cfgRactuning results:

cfgRacTuneRemoteRacadmEnable=1
cfgRacTuneWebserverEnable=1
cfgRacTuneHttpPort=80
cfgRacTuneHttpsPort=443
cfgRacTuneTelnetPort=23
cfgRacTuneSshPort=22
cfgRacTuneConRedirEnable=1
cfgRacTuneConRedirPort=5900
cfgRacTuneConRedirEncryptEnable=1
cfgRacTuneLocalServerVideo=1
cfgRacTuneIpRangeEnable=0
cfgRacTuneIpRangeAddr=192.168.1.1
cfgRacTuneIpRangeMask=255.255.255.0
cfgRacTuneIpBlkEnable=0
cfgRacTuneIpBlkFailCount=5
cfgRacTuneIpBlkFailWindow=60
cfgRacTuneIpBlkPenaltyTime=300
cfgRacTuneTimezoneOffset=-300
cfgRacTuneDaylightOffset=0
cfgRacTuneAsrEnable=1
cfgRacTunePlugintype=0
cfgRacTuneCtrlEConfigDisable=0
cfgRacTuneLocalConfigDisable=0
cfgRacTuneVirtualConsoleAuthorizeMultipleSessions=0

I tried SSO and I still get:

Login Error
Credentials Failed, Please Try Again. 

4 Operator


3K Posts

April 7th, 2014 12:00

Is your server OS time in sync with the Domain Controller time? If yes, run the below command to configure the time zone on the iDRAC. After that, check Single Sign-On and share the result.

racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset -300

5 Posts

April 8th, 2014 12:00

Any other suggestions?

4 Operator


3K Posts

April 8th, 2014 21:00

Can you make the below changes on the Domain Controller?

Run the technet.microsoft.com/en-us/library/dd560670(WS.10).aspx for the domain controller and domain policy.

Configure the computers to use the DES-CBC-MD5 cipher suite.

These settings may affect compatibility with client computers or services and applications in your environment. The "Configure encryption types allowed for Kerberos" policy setting is located at Computer Configuration > Security Settings > Local Policies > Security Options.

Make sure that the domain clients have the updated GPO.

At the command line, type gpupdate /force and delete the old keytab with the klist purge command.

After the GPO is updated, create the new keytab.

Upload the keytab to the iDRAC.

Also, if DST is on you need to configure the "cfgRacTuneDaylightOffset" object as well:

racadm config -g cfgRacTuning -o cfgRacTuneDaylightOffset 60

If SSO login still fails after the above changes, can you share the output of the racadm gettracelog command and the Domain Controller time when SSO failed?
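A small checker, added here as an example and not code from the thread or from Dell's tooling, that walks a diagnostics trace of the kind posted above and applies Shine's offset rule: it validates the keytab principal's shape (HOST/<iDRAC FQDN>@<UPPER-CASE REALM>) and computes cfgRacTuneTimezoneOffset from "racadm getractime" output and the Domain Controller's UTC time. The trace lines and the FQDN ws-idrac.domain.com are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the iDRAC diagnostics trace quoted in the
# thread; the realm is deliberately left in mixed case to exercise the check.
SAMPLE_TRACE = """\
10:43:33 Initiating Directory Services Settings Diagnostics:
10:43:33 principal name from keytab: HOST/ws-idrac.DOMAIN.com@DOMAIN.com
10:43:33 getting TGT failed: check date/time and time zone offset.
10:43:33 DNS SRV look up with _ldap._tcp.domain.com
"""

PRINCIPAL_RE = re.compile(r"principal name from keytab:\s*(\S+)")
RACTIME_FMT = "%a %b %d %H:%M:%S %Y"  # layout of 'racadm getractime' output


def check_principal(principal, idrac_fqdn):
    """Findings for a keytab principal that should read HOST/<iDRAC FQDN>@<REALM>."""
    m = re.fullmatch(r"([^/]+)/([^@]+)@(.+)", principal)
    if not m:
        return ["principal is not of the form SERVICE/host@REALM"]
    service, host, realm = m.groups()
    findings = []
    if service != "HOST":
        findings.append(f"service part is {service!r}; iDRAC SSO uses HOST")
    if host.lower() != idrac_fqdn.lower():
        findings.append(f"host part {host!r} does not match iDRAC FQDN {idrac_fqdn!r}")
    if realm != realm.upper():
        findings.append(f"realm {realm!r} is not upper-case; Kerberos realms are case-sensitive")
    return findings


def timezone_offset_minutes(getractime_line, dc_utc_iso):
    """cfgRacTuneTimezoneOffset per the thread's rule: iDRAC time minus the
    Domain Controller's UTC time, in minutes (5h30 behind the DC -> -330)."""
    idrac = datetime.strptime(getractime_line.strip(), RACTIME_FMT)
    return round((idrac - datetime.fromisoformat(dc_utc_iso)).total_seconds() / 60)


def diagnose(trace, idrac_fqdn):
    """Walk the diagnostics trace and collect actionable findings."""
    findings = []
    for line in trace.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            findings.extend(check_principal(m.group(1), idrac_fqdn))
        if "getting TGT failed" in line:
            findings.append("TGT failed: compare 'racadm getractime' with the DC's UTC time and "
                            "set cfgRacTuneTimezoneOffset (plus cfgRacTuneDaylightOffset if DST)")
    return findings
```

Run diagnose(SAMPLE_TRACE, "ws-idrac.domain.com") to see both the realm-case finding and the time-skew hint; the DC's UTC time is the value shown after switching its time zone to UTC, as described above.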
