4 Posts

July 31st, 2013 19:00

iDRAC AD integration certificate issues

Hi,

I look after several Dell servers that all have iDRACs in them. (iDRAC 6 and 7 Enterprise)

I've gone through and configured some of them for AD integration, using the standard schema method.

When I run the "Test Active Directory Settings" on a DRAC, all tests are passed until the certificate validation test is run.

All of the DRACs seem to fail on this test, as well as the user authentication test.

Certificate-wise, the root CA's certificate has been uploaded to each DRAC, but I have not changed the default self-signed SSL certificate for each DRAC.

The exact error I get is:

ERROR: Can't contact LDAP server, error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:
   Please check the following things:
   - the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
   - the iDRAC date is within the valid period of the directory server and CA certificates
   - the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=username@domain, host="domaincontroller.domain"

Has anyone seen this error before, or have any suggestions as to how to troubleshoot it?

Thanks!

4 Posts

July 31st, 2013 22:00

Hi Shine,

The firmware versions are 1.95

The Domain Controllers are running Windows 2012.

Signature algorithm on the Root CA Cert is "RSASSA-PSS". The Root CA is also Windows 2012.

I have tried both manually specifying, and using DNS. Both appear to work fine, but both fail on the Certificate validation/user authentication.

In terms of our CA structure, we have 1 Root CA, and 1 Subordinate Issuing CA below that.

Both Domain controllers being used have been assigned a "Domain Controller Authentication" certificate from our internal Issuing CA. The signature algorithm for this is "sha1RSA".

A quick overview on the settings I've configured:

* Enable Certificate Validation = Yes

* Upload DS CA Certificate = Uploaded Root CA

* Upload Kerberos Keytab = Not configured

* Enable AD = Yes

* Enable Single Sign On = No

* User Domain Name = It is input as "domain.net", obviously with our internal domain name

* Timeout = 120 Seconds

* Look Up Domain Controllers with DNS = User Domain from Login

* Standard Schema

* Look Up GC Servers with DNS = Root Domain Name manually entered. This is the same domain name that was input for the "User Domain Name" field.

* Groups have been configured to map to an AD group that has been created.

Results of a test:

Test Results

Attribute                                    Value
Keytab file exists                           Failed
Keytab file is valid                         Not run
Getting TGT from server                      Not run
Ping Directory Server                        Passed
Directory Server DNS Name                    Passed
DNS Directory Lookup                         Passed
DNS Global Catalog Lookup                    Passed
Connect to Directory Server 1 (Unencrypted)  Passed
Connect to Directory Server 2 (Unencrypted)  Passed
Connect to Directory Server 3 (Unencrypted)  Not Run
Connect to Directory Server 4 (Unencrypted)  Not Run
Connect to Directory Server 1 (SSL)          Passed
Connect to Directory Server 2 (SSL)          Passed
Connect to Directory Server 3 (SSL)          Not Run
Connect to Directory Server 4 (SSL)          Not Run
Connect to Global Catalog 1 (Unencrypted)    Passed
Connect to Global Catalog 2 (Unencrypted)    Passed
Connect to Global Catalog 3 (Unencrypted)    Not Run
Connect to Global Catalog 4 (Unencrypted)    Not Run
Connect to Global Catalog 1 (SSL)            Passed
Connect to Global Catalog 2 (SSL)            Passed
Connect to Global Catalog 3 (SSL)            Not Run
Connect to Global Catalog 4 (SSL)            Not Run
Certificate Validation                       Failed
User Authentication                          Failed
User Authorization                           Not Run
iDRAC Device Object Exists                   Not Applicable

Test Log  

NB = I've replaced the name of our domain with "domain.net" and also replaced the names of our DCs with dc1 and dc2.

14:16:57 Initiating Directory Services Settings Diagnostics:
14:16:57 DNS SRV look up with _ldap._tcp.domain.net
14:16:57 The following servers are returned:
dc1.domain.net
dc2.domain.net
14:16:57 DNS SRV look up with _gc._tcp.domain.net
14:16:57 the following servers are returned:
dc1.domain.net
dc2.domain.net
14:16:57 trying DC server dc1.domain.net:389
14:16:57 Server Address dc1.domain.net resolved to 10.49.2.101
14:16:57 connect to 10.49.2.101:389 passed
14:16:57 trying DC server dc1.domain.net:636
14:16:57 Server Address dc1.domain.net resolved to 10.49.2.101
14:16:57 connect to 10.49.2.101:636 passed
14:16:57 trying DC server dc2.domain.net:389
14:16:57 Server Address dc2.domain.net resolved to 10.49.2.102
14:16:58 connect to 10.49.2.102:389 passed
14:16:58 trying DC server dc2.domain.net:636
14:16:58 Server Address dc2.domain.net resolved to 10.49.2.102
14:16:58 connect to 10.49.2.102:636 passed
14:16:58 trying GC server dc2.domain.net:3268
14:16:58 Server Address dc2.domain.net resolved to 10.49.2.102
14:16:58 connect to 10.49.2.102:3268 passed
14:16:58 trying GC server dc2.domain.net:3269
14:16:58 Server Address dc12domain.net resolved to 10.49.2.102
14:16:58 connect to 10.49.2.102:3269 passed
14:16:58 trying GC server dc1.domain.net:3268
14:16:58 Server Address dc1.domain.net resolved to 10.49.2.101
14:16:58 connect to 10.49.2.101:3268 passed
14:16:58 trying GC server dc1.domain.net:3269
14:16:58 Server Address dc1.domain.net resolved to 10.49.2.101
14:16:58 connect to 10.49.2.101:3269 passed
14:16:58 Connecting to ldaps://[dc1.domain.net]:636...
14:16:58 ERROR: Can't contact LDAP server, error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:
Please check the following things:
- the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
- the iDRAC date is within the valid period of the directory server and CA certificates
- the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=username@domain.net, host=dc1.domain.net
14:16:58 Connecting to ldaps://[dc2.domain.net]:636...
14:16:58 ERROR: Can't contact LDAP server, error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:
Please check the following things:
- the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
- the iDRAC date is within the valid period of the directory server and CA certificates
- the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=username@domain.net, host=dc2.domain.net
14:16:58 Connecting to ldaps://[dc2.domain.net]:3269...
14:16:58 ERROR: Can't contact LDAP server, error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:
Please check the following things:
- the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
- the iDRAC date is within the valid period of the directory server and CA certificates
- the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=username@domain.net, host=dc2.domain.net
14:16:58 Connecting to ldaps://[dc2.domain.net]:3269...
14:16:58 ERROR: Can't contact LDAP server, error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:
Please check the following things:
- the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
- the iDRAC date is within the valid period of the directory server and CA certificates
- the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=username@domain.net, host=dc1.domain.net

Thanks,

Stephen

6 Operator

3K Posts

July 31st, 2013 22:00

Can you provide the details below:

iDRAC6 and iDRAC7 firmware version used

Operating system on Active Directory

Signature algorithm on the Root CA certificate

While configuring AD, which option did you select for Domain Controller and Global Catalog? Is it Lookup or Specify?

6 Posts

January 30th, 2014 06:00

Did you ever find a solution to your issue?  I've been able to get iDRAC6 working in our AD environment, but not iDRAC7 using essentially the same process.  I started at 1.92 FW on iDRAC6, and currently am at something later but it still works.  My iDRAC7s are at 1.46.45.  BTW, don't upgrade to 1.51.51 or you may break the Web GUI altogether.  I had to rollback to 1.46.45 using RACADM to regain use of the GUI.

6 Posts

May 30th, 2014 10:00

No luck.  I'm going to ping our AD people and see if they have any update on this.  I seem to recall they had to make a change to the AD certs to "fix" this problem and I doubt that has been done yet.  Sorry I couldn't help here.

6 Posts

May 30th, 2014 10:00

I just upgraded to 1.57.57 and haven't tried since my original post.  I will try again and see if anything is "fixed".  It may be an issue particular to our environment, but I found it odd that it works on iDRAC6 but not iDRAC7.  I have one iDRAC7 in a different AD Forest that did work so go figure.

10 Posts

May 30th, 2014 10:00

Hi both, I'm attempting the same with iDRAC 7 1.57.57, which is currently the latest.

I'm having the same error. Server 2012 as AD and Root CA.

Anyone find a resolution? 

Steve 

10 Posts

May 30th, 2014 11:00

Hi, 

Thanks for coming back to me. 

I'd appreciate any pointers they come back with. For the two systems you have where one works and the other doesn't, what algorithm is in use on the AD cert on the DC?

4 Posts

June 1st, 2014 05:00

I can confirm that I did get it working with iDRAC versions 5, 6, and 7. Not that it helps much, but I ended up completely re-building our internal PKI after another guy had modified it in a way that I didn't like. The PKI wasn't in production yet so I had the opportunity to do this. After it was rebuilt I had no problems getting it working. My Root CA and 2 Issuing CAs are all Windows 2012 R2. If you want more exact settings of the key lengths/types used let me know and I can verify what was used.

10 Posts

June 1st, 2014 06:00

Hi,

Again, thanks for coming back to me. I have a Server 2012 CA and a 2012 intermediate authority. Could you verify the key lengths and algorithms used, please? It would be very helpful.

Thanks,

Steve

10 Posts

June 5th, 2014 06:00

Hi, were you able to verify what you are using for the key size and algorithms? Thanks

3 Posts

February 19th, 2017 05:00

Hi,

I know this thread may be obsolete, but I am trying to tie my two servers in to AD.

This time it is iDRAC 8 (firmware 2.40.40.40) and W2012R2, with no luck:

Test Log
14:26:55 Initiating Directory Services Settings Diagnostics:
14:26:55 trying DC server server1:389
14:26:55 Server Address server1 resolved to server1
14:26:55 connect to server1:389 passed
14:26:55 trying DC server server1:636
14:26:55 Server Address server1 resolved to server1
14:26:55 connect to server1:636 passed
14:26:55 trying DC server server2:389
14:26:55 Server Address server2 resolved to server2
14:26:55 connect to server2:389 passed
14:26:55 trying DC server server2:636
14:26:55 Server Address server2 resolved to server2
14:26:55 connect to server2:636 passed
14:26:55 Connecting to ldaps://[server1]:636...
14:26:55 ERROR: Can't contact LDAP server, TLS: unable to get CN from peer certificate:
Please check the following things:
- the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
- the iDRAC date is within the valid period of the directory server and CA certificates
- the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=user@mydomain, host=server1

Any suggestions very welcome.

Cheers,

Marek

1 Message

October 12th, 2017 11:00

I had the same issue today, and after a while this line made me suspicious: "- the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=user@mydomain, host=server1"

Then I replaced the IP addresses and names with the domain name:

"Look Up Domain Controllers with DNS ... domain.com"

"Look Up Global Catalog Servers with DNS ...  domain.com"

Hope this Works for you!
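Two distinct failures run through this thread: Stephen's Root CA is signed with RSASSA-PSS, which older OpenSSL-based verifiers (such as the ones in early iDRAC firmware) do not recognise, hence "unknown signature algorithm"; and the last reply's "unable to get CN from peer certificate" went away once iDRAC was pointed at a DNS name the DC certificate actually carries. The Go program below is an added example, not code from the thread or from Dell: it generates constructed test certificates with the standard library and runs both checks against them. The "legacy safe" algorithm set and the host names are assumptions for the demo, not a Dell-documented list.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Algorithms an older embedded TLS stack can verify (assumed set); RSASSA-PSS is deliberately absent.
var legacySafe = map[x509.SignatureAlgorithm]bool{
	x509.SHA1WithRSA: true, x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
}

// CheckCert flags an unsupported signature algorithm and, for a server certificate,
// names that do not cover the host iDRAC was configured to contact.
func CheckCert(cert *x509.Certificate, ldapHost string) []string {
	var findings []string
	if !legacySafe[cert.SignatureAlgorithm] {
		findings = append(findings, fmt.Sprintf("signature algorithm %v may be rejected by a legacy verifier", cert.SignatureAlgorithm))
	}
	if err := cert.VerifyHostname(ldapHost); !cert.IsCA && err != nil {
		findings = append(findings, "configured host "+ldapHost+" is not among the certificate's names")
	}
	return findings
}

// newTestCert builds a constructed self-signed certificate for this demo only (not a real CA or DC cert).
func newTestCert(cn string, dns []string, isCA bool, alg x509.SignatureAlgorithm) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der) // parse the real DER back, as a TLS client would
	must(err)
	return cert
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

Running `CheckCert(newTestCert("Root CA", nil, true, x509.SHA256WithRSAPSS), "dc1.domain.net")` reports the algorithm finding, while a DC certificate carrying `dc1.domain.net` is clean for that name but flagged when iDRAC is configured with its IP address instead.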
