July 21st, 2009 01:00

Unable to log in to a DRAC5 with an AD domain name

Hi all

Is anyone able to help with logging on to the DRAC 5 using a domain username and password?

I have followed the instructions at http://en.community.dell.com/forums/p/18603839/18726825.aspx#18726825 <ADMIN NOTE: Broken link has been removed from this post by Dell> as well as every other source I have looked at over the last three days.

In a test lab I have a DC called dc2.test.lab with a domain user called xyz. The DRAC is on the same subnet for testing purposes. I have installed Certificate Services on dc2 so that it is a standalone CA, and uploaded the root certificate from it to the DRAC. I have added the xyz user to an AD group called testing and created the role group in the DRAC called testing with login permissions. I have generated a CSR in the DRAC and saved it to the DC. On the DC I have used the CSR to issue a certificate which I have saved locally and then uploaded to the DRAC.

Within the Active Directory on the DRAC I have downloaded the 'DRAC Server certificate' as a .txt file. This certificate imports successfully into the CA on the DC but then is not visible in any of the CA folders even though I have specified that it be saved to the Trusted Root Certification Authority. As an alternative I have added the certificate saved in the previous step to the Trusted Root Certification Authority instead.

I have upgraded the DRAC firmware from 1.33 to 1.45. I've also rebooted the DC to clear the SSL cache as per one user's experience.

gettracelog reports the following:

Record:      224
Date/Time:   Jul 21 03:33:23
Source:      webcgi[1222]
Description: AD login start 172.20.0.100 'xyz@test.lab' ssn 7fffffc1
-------------------------------------------------------------------------------
Record:      225
Date/Time:   Jul 21 03:33:23
Source:      webcgi[1223]
Description: SC AD is not enabled
-------------------------------------------------------------------------------
Record:      226
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: ActiveDirectoryAuthenticate: user: xyz, domain: test.lab
-------------------------------------------------------------------------------
Record:      227
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: 0.0.0.0
-------------------------------------------------------------------------------
Record:      228
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: userDomain: test.lab
-------------------------------------------------------------------------------
Record:      229
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: SRV.0 has hostname=dc2.test.lab, ipaddr.0=20014ac, port=389
-------------------------------------------------------------------------------
Record:      230
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: AD server: dc2.test.lab, IP: 20014ac
-------------------------------------------------------------------------------
Record:      231
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: ldap_ssl_init( dc2.test.lab, 636 )
-------------------------------------------------------------------------------
Record:      232
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: LDAP server is on-line.
-------------------------------------------------------------------------------
Record:      233
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: LDAP interfaces found : dc2.test.lab
-------------------------------------------------------------------------------
Record:      234
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: ldap_ssl_init( dc2.test.lab , 636 )
-------------------------------------------------------------------------------
Record:      235
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: ldap_int_tls_start failed
-------------------------------------------------------------------------------
Record:      236
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: ldap_client_api.c,1265: Can't init LDAP!
-------------------------------------------------------------------------------
Record:      237
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: SD: , IP: 0, port: 636, prv: 0, rt: 24582
-------------------------------------------------------------------------------
Record:      238
Date/Time:   Jul 21 03:33:24
Source:      webcgi[1223]
Description: No match found during AD search, now we will go through Global Catalog servers
-------------------------------------------------------------------------------

I think that "SC AD is not enabled" means that Smart Card Active Directory is not enabled, so this line is not a showstopper. Record 227 has a 0.0.0.0 description which doesn't gel with gettracelogs already posted here in the forums, so this may be the point of failure. On the other hand the DC is resolved at line 229 and is reported online at line 232. There is a definite failure at line 235. In previous posts this appears to be due to a problem with the root certificate, and yet the root certificate seems fine. I have recreated the CA twice and exported the root certificate to the DRAC twice with no improvement.

If anyone could cast some light on this issue it would be appreciated.

Thanks


August 10th, 2010 07:00

I have been struggling with trying to set this up for a while now, but one thing you could try is to download the Dell remote access configuration tools (DRACT): http://support.us.dell.com/support/downloads/download.aspx?c=us&cs=04&l=en&s=k12&dateid=-1&fileid=370882&formatcnt=0&formatid=-1&libid=0&releaseid=R253298&source=-1&typeid=-1

Just go through the prompts and try it that way. It may or may not work, in my case it still did not and I am still looking for an answer.

June 25th, 2013 12:00

Hate to necro but I am wondering if this has been addressed in ~4 years.


June 27th, 2013 18:00

The DRAC Configuration Tool is still a good plan, and it should work better with the latest firmware.

June 28th, 2013 08:00

Thanks Jeff, I am fully patched but I appreciate the suggestion. I did end up getting this working; there seems to be a flaw in the iDRAC authentication logic within the Active Directory Configuration and Management which, once you know, makes it easy to work around.

The UI states FQDN or IP will work but I had to change this to the FQDN in both “Specify Domain Controller Addresses” and on “Specify Global Catalog Server Addresses” in order to get this to work with certificate validation because the certificate uses the FQDN.

Also under test settings there seem to be additional coding problems that greatly prolonged the troubleshooting when I use domain\user format. The error suggests that it rebuilds this username with the backslash as the first character of the username:

“domain\user” becomes “\user@domain” and fails. The programming logic is here, just not correct.

The second problem in test settings is that this test does not take the certificate into account, so I test my credentials, get successful results, then try to use the same credentials to log in but it fails; a lot of head scratching here. My failure was due to having the IP instead of the FQDN as mentioned above, but then in my mind the test should have failed too.

HTH someone,

Todd
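The two behaviours described in the last post, as an added example that is not part of the thread and is not Dell firmware code: a certificate name check showing why an IP in the domain controller field fails validation when the certificate carries only the FQDN, and a login-name parser that handles the domain\user form. The function names, the certificate contents and the sample IP are constructed for illustration, using the lab names from the first post.

```python
import ipaddress

# Constructed sample: name fields of a DC certificate, in the shape returned by
# Python's ssl.SSLSocket.getpeercert(). Only the FQDN is present, as in the thread.
DC_CERT = {
    "subject": ((("commonName", "dc2.test.lab"),),),
    "subjectAltName": (("DNS", "dc2.test.lab"),),
}

def _dns_match(pattern, host):
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_matches_address(cert, configured):
    """True if the configured DC address is a name the certificate vouches for."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(configured)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal can only match an iPAddress SAN, never a DNS name or the CN.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if not dns_names:
        # Legacy fallback to the subject CN when no DNS SAN is present.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    host = configured.rstrip(".").lower()
    return any(_dns_match(name.lower(), host) for name in dns_names)

def to_upn(login, default_domain=None):
    """Normalize 'domain\\user' or 'user@domain' to 'user@domain'."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        user, domain = login, default_domain
    # Reject leftovers such as an empty domain or a stray separator in the user part.
    if not user or not domain or "\\" in user or "@" in user:
        raise ValueError(f"cannot parse login name: {login!r}")
    return f"{user}@{domain}"
```

A connectivity or credential test that skips `cert_matches_address` can succeed while the real TLS-validated login fails, which matches the mismatch between "test settings" and actual login reported above.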
