Drac5 and iDrac6 SSO (AD authentication and login test OK)
Hi all,
I've got our DRACs to authenticate with AD, which is great, and can log in using our standard AD accounts, but I'm having some issues with getting single sign-on working.
I'll summarise what I've done so far...
1. Enabled SSO on the Drac
2. Registered DNS entry - idrac-xxxxxxx to 192.168.xxx.xxx.
3. Created a user account in AD called idrac-xxxxxxx and changed the account settings to use "Do not require Kerberos pre-authentication" and "Use DES encryption types for this account". Use xxxxxx as password.
4. Created keytab using the following...
ktpass -princ HOST/idrac-xxxxxxx.mydomain.local@MYDOMAIN.LOCAL -mapuser idrac-xxxxxxx -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass xxxxxx -out c:\krbkeytab
5. Uploaded keytab to Drac.
6. Added the FQDN address into trusted sites in IE.
7. Go to https://idrac-xxxxxxx. Credentials failed.
Any ideas where I'm going wrong? I think the ktpass is correct, but not 100%.
All feedback welcome.
Cheers,
Alex
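The ktpass step above produces a keytab whose principal, name type and encryption type can be inspected before it is uploaded to the DRAC. The following is an added example (not code from this thread or from Dell) that parses the MIT keytab file format and compares the entry against the recipe in the post: HOST/<idrac-fqdn>@<REALM>, KRB5_NT_PRINCIPAL, DES-CBC-MD5 (etype 3). The sample keytab is constructed inside the script by build_keytab rather than produced by ktpass, and the host name and realm in it are placeholders.

```python
# Added example (not from this thread or Dell): inspect a keytab before
# uploading it, checking it matches the ktpass recipe in the post above.
# Implements the MIT keytab format (0x0502); the sample keytab is constructed.
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1      # name type requested with -ptype KRB5_NT_PRINCIPAL
ETYPE_DES_CBC_MD5 = 3      # what -crypto DES-CBC-MD5 produces
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str      # "HOST/host.fqdn@REALM"
    name_type: int
    kvno: int
    enctype: int
    key_length: int


def _counted(data: bytes) -> bytes:
    """16-bit length-prefixed octet string, used for realm and name components."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal, realm, enctype, key, kvno=1, timestamp=0):
    """Construct a version-2 keytab with one entry (test data, not ktpass output)."""
    components = principal.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_counted(blob, pos):
    (length,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + length].decode(), pos + length


def parse_keytab(blob):
    """Parse every live entry of a version-2 keytab into KeytabEntry records."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                                   # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(blob, pos)
            components.append(component)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, key_length = struct.unpack_from(">HH", blob, pos)
        pos += 4 + key_length                          # key bytes are not needed
        kvno = vno8
        if end - pos >= 4:                             # extended kvno present
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm,
                                   name_type, kvno, enctype, key_length))
    return entries


def check_idrac_keytab(blob, idrac_fqdn, realm):
    """Return findings; an empty list means the keytab matches the recipe."""
    expected = f"HOST/{idrac_fqdn}@{realm}"
    entries = parse_keytab(blob)
    findings = [] if entries else ["keytab contains no entries"]
    for e in entries:
        keytab_realm = e.principal.rsplit("@", 1)[1]
        if keytab_realm != keytab_realm.upper():
            findings.append(f"realm {keytab_realm!r} is not upper-case; "
                            "Kerberos realm names are case-sensitive")
        if e.principal != expected:
            findings.append(f"principal {e.principal!r} != expected {expected!r}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"name type {e.name_type} is not KRB5_NT_PRINCIPAL")
        if e.enctype != ETYPE_DES_CBC_MD5:
            name = ENCTYPE_NAMES.get(e.enctype, e.enctype)
            findings.append(f"enctype {name} is not des-cbc-md5 (etype 3)")
    return findings


if __name__ == "__main__":
    # Constructed sample keytab with placeholder host and realm.
    sample = build_keytab("HOST/idrac-test.example.local", "EXAMPLE.LOCAL",
                          ETYPE_DES_CBC_MD5, b"\x01" * 8, kvno=2)
    print(parse_keytab(sample))
    print(check_idrac_keytab(sample, "idrac-test.example.local", "EXAMPLE.LOCAL"))
```

To check a real file, replace the constructed sample with open("krbkeytab", "rb").read(). The realm check is there because Kerberos realm names are case-sensitive and an AD realm is the upper-case form of the DNS domain name, so a keytab whose principal ends in a lower-case realm will not match what the KDC issues. The enctype check only confirms that the keytab contains what the iDRAC6 guide's ktpass line asks for; DES-CBC-MD5 is a legacy type that current Kerberos implementations disable by default, which is why the FAQ steps later in this thread have the domain controller policy re-enable it.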
DELL-Shine K (Operator)
May 17th, 2013 09:00
Can you let me know whether the steps mentioned above were tried on a DRAC5 or an iDRAC6? If iDRAC6, let me know whether it is a modular or monolithic server. We would also like to know which operating system the Domain Controller is running, the client operating system, and the browser used for launching iDRAC. We also need the firmware version on the iDRAC.
astee
May 17th, 2013 10:00
Hi Shine,
The above was on a Drac5, but I have also done similar on the iDrac6. They are on a PE2900 and an R610 respectively.
Both are running Server 2012 x64. The domain functional level is 2008R2 and client OS is Win7 Ent SP1 with IE9.
Drac5 1.65
iDrac6 1.92
Cheers,
Alex
DELL-Shine K (Operator)
May 18th, 2013 08:00
Let's try iDRAC6 first. There is additional configuration you have to perform on the client and the domain controller, as you are running Windows 2008 R2 and Windows 7.
Refer to the "Frequently Asked Questions About SSO" section of the iDRAC6 User Guide for more details.
ftp://ftp.dell.com/Manuals/all-products/esuprt_electronics/esuprt_software/esuprt_remote_ent_sys_mgmt/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.9_User%27s%20Guide_en-us.pdf
Which schema are you using for AD authentication, Standard or Extended? After configuring SSO, can you run the test setting and let me know the result?
You also need to make sure the iDRAC6 time exactly matches the Domain Controller time. As the BIOS/iDRAC does not have the capability of determining the time zone from the system, the time shown in iDRAC is assumed to be GMT. If it is not GMT, you need to set the time zone offset in minutes using the following command (the offset value is a placeholder here):
racadm config -g cfgRacTuning -o cfgRacTuneTimezoneOffset <offset-in-minutes>
To determine whether the iDRAC and Domain Controller time are in sync, run the "racadm getractime" command and check whether the date and time shown are the same as the GMT time of the Domain Controller (you can check this by changing the Domain Controller time zone to UTC and noting the new time and date). If it is not the same, we need to set the timezoneoffset object. E.g. if the iDRAC time is 5 hours and 30 minutes behind the server time, set the offset value to "-330" (5 x 60 + 30).
Other things to check are:
1: Make sure the iDRAC IP has an entry in the reverse lookup zone as well.
2: Make sure there is no duplicate entry in DNS for the iDRAC, e.g. there should not be two entries in DNS giving two names for the same iDRAC IP.
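The offset arithmetic in the post above is easy to get wrong by a sign, so here is an added example (not code from this thread or from Dell) that derives the cfgRacTuneTimezoneOffset value from a captured "racadm getractime" line and the Domain Controller's clock read while it is set to UTC. It assumes the getractime output looks like the "Mon Apr 7 14:36:41 2014" lines shown later in this thread and that the DC time is typed in as an ISO 8601 string; the sample values in the script are constructed.

```python
# Added example (not from this thread or from Dell): work out the
# cfgRacTuneTimezoneOffset value from an iDRAC clock reading and the domain
# controller's UTC time, following the rule given in the post above.
# Assumes `racadm getractime` prints "Mon Apr 7 14:36:41 2014"-style lines
# and that the DC time is supplied as an ISO 8601 UTC string; both are values
# you capture by hand, and the samples below are constructed.
from datetime import datetime, timedelta, timezone

RACTIME_FORMAT = "%a %b %d %H:%M:%S %Y"

# Kerberos refuses tickets once clocks differ by more than the clockskew
# (5 minutes by default), so any residual drift must stay well under this.
MAX_CLOCK_SKEW_SECONDS = 300


def parse_getractime(line):
    """Parse a `racadm getractime` line; the iDRAC treats this clock as GMT."""
    cleaned = " ".join(line.split())             # tolerate padded day numbers
    return datetime.strptime(cleaned, RACTIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_dc_utc(iso_string):
    """Domain Controller wall-clock time, read with the DC switched to UTC."""
    return datetime.fromisoformat(iso_string).replace(tzinfo=timezone.utc)


def timezone_offset_minutes(idrac_time, dc_utc_time):
    """Return (offset_minutes, residual_seconds) for cfgRacTuneTimezoneOffset.

    Negative when the iDRAC clock is behind the DC's UTC clock: an iDRAC that
    is 5 h 30 min behind gives -330, the figure used in the post. The residual
    is the drift left over after a whole-minute offset, which the offset
    object cannot correct."""
    total_seconds = int((idrac_time - dc_utc_time).total_seconds())
    offset = int(round(total_seconds / 60))
    residual = total_seconds - offset * 60
    return offset, residual


def is_effectively_synced(ractime_line, dc_utc_iso, current_offset_minutes=0):
    """True when (iDRAC clock - configured offset) is within Kerberos skew of the DC."""
    corrected = parse_getractime(ractime_line) - timedelta(minutes=current_offset_minutes)
    drift = abs((corrected - parse_dc_utc(dc_utc_iso)).total_seconds())
    return drift <= MAX_CLOCK_SKEW_SECONDS


def plan_offset(ractime_line, dc_utc_iso):
    """End-to-end: offset to set, leftover drift, and the racadm line to run."""
    offset, residual = timezone_offset_minutes(parse_getractime(ractime_line),
                                               parse_dc_utc(dc_utc_iso))
    return {
        "offset_minutes": offset,
        "residual_seconds": residual,
        "drift_ok": abs(residual) <= MAX_CLOCK_SKEW_SECONDS,
        "command": f"racadm config -g cfgRacTuning -o cfgRacTuneTimezoneOffset {offset}",
    }


if __name__ == "__main__":
    # Constructed sample: iDRAC shows 09:00 while the DC, set to UTC, shows 14:30.
    print(plan_offset("Mon May 20 09:00:00 2013", "2013-05-20T14:30:00"))
    # Constructed sample: a -300 offset already applied, 18 s of drift left.
    print(is_effectively_synced("Mon Apr 7 14:36:41 2014", "2014-04-07T19:36:59", -300))
```

Run it with the two captured values and paste the returned command into the SSH session; if residual_seconds is more than a few seconds, the iDRAC clock itself is drifting and an offset alone will not make the TGT request succeed.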
astee
May 20th, 2013 02:00
Thanks for that. I'll go through the details outlined and ping a response back.
Also, could you re-up the PDF link as it has been truncated and I can't access the link.
Thanks,
Alex
astee
May 20th, 2013 07:00
I forgot to mention that I'm using the standard schema. We are in a GMT location (UK) and the times contained within the logs (login for example) are correct and match our client/server times. Having said that, where do I run the racadm getractime command from?
Another question. As I have multiple DRAC and iDRAC, do I need to create a new AD (user) object for each RAC to link to the keytab file? And if that is the case, do I need to upload a custom keytab to each RAC?
This is the output from the test...
Test Results
Attribute Value
Keytab file exists Passed
Keytab file is valid Passed
Getting TGT from server Failed
Ping Directory Server Passed
Directory Server DNS Name Passed
DNS Directory Lookup Passed
DNS Global Catalog Lookup Passed
Connect to Directory Server 1 (Unencrypted) Passed
Connect to Directory Server 2 (Unencrypted) Passed
Connect to Directory Server 3 (Unencrypted) Passed
Connect to Directory Server 4 (Unencrypted) Passed
Connect to Directory Server 1 (SSL) Passed
Connect to Directory Server 2 (SSL) Passed
Connect to Directory Server 3 (SSL) Passed
Connect to Directory Server 4 (SSL) Passed
Connect to Global Catalog 1 (Unencrypted) Passed
Connect to Global Catalog 2 (Unencrypted) Passed
Connect to Global Catalog 3 (Unencrypted) Passed
Connect to Global Catalog 4 (Unencrypted) Passed
Connect to Global Catalog 1 (SSL) Passed
Connect to Global Catalog 2 (SSL) Passed
Connect to Global Catalog 3 (SSL) Passed
Connect to Global Catalog 4 (SSL) Passed
Certificate Validation Passed
User Authentication Passed
User Authorization Passed
iDRAC Device Object Exists Not Applicable
Thanks,
Alex
astee
May 20th, 2013 09:00
Hi Shine,
This is the output... Could it be a certificate error?...
Security Alert: Certificate is invalid - Certificate is not signed by Trusted Third Party Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
cfgRacTuneRemoteRacadmEnable=1
cfgRacTuneWebserverEnable=1
cfgRacTuneHttpPort=80
cfgRacTuneHttpsPort=443
cfgRacTuneTelnetPort=23
cfgRacTuneSshPort=22
cfgRacTuneConRedirEnable=1
cfgRacTuneConRedirPort=5900
cfgRacTuneConRedirEncryptEnable=1
cfgRacTuneLocalServerVideo=1
cfgRacTuneIpRangeEnable=0
cfgRacTuneIpRangeAddr=192.168.1.1 (this is reporting incorrect IP range)
cfgRacTuneIpRangeMask=255.255.255.0 (this is reporting incorrect subnet mask)
cfgRacTuneIpBlkEnable=0
cfgRacTuneIpBlkFailCount=5
cfgRacTuneIpBlkFailWindow=60
cfgRacTuneIpBlkPenaltyTime=300
cfgRacTuneTimezoneOffset=0
cfgRacTuneDaylightOffset=0
cfgRacTuneAsrEnable=1
cfgRacTunePlugintype=1
cfgRacTuneCtrlEConfigDisable=0
cfgRacTuneLocalConfigDisable=0
cfgRacTuneVirtualConsoleAuthorizeMultipleSessions=0
Thanks for the help so far,
Alex
DELL-Shine K (Operator)
May 20th, 2013 09:00
Generally, "Getting TGT" fails when there is a difference in time. You can run racadm getractime from the iDRAC firmware RACADM: SSH to the iDRAC IP with the iDRAC username and password.
Also run the below racadm command and let me know the result.
racadm getconfig -g cfgRacTuning
Just to confirm make sure Domain Controller is in UTC (GMT) time.
Check the steps I mentioned on Windows 2008R2 and Windows 7.
Link to User Guide
www.dell.com/.../integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95
Open "Integrated Dell Remote Access Controller 6 (iDRAC6) Version 1.95 User's Guide" at the above link and refer to the "Frequently Asked Questions About SSO" section.
DELL-Shine K (Operator)
May 21st, 2013 10:00
Can you check the settings I mentioned for Windows 2008 R2 and Windows 7? I corrected the link issue in the first post.
ftp://ftp.dell.com/Manuals/all-products/esuprt_electronics/esuprt_software/esuprt_remote_ent_sys_mgmt/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.9_User%27s%20Guide_en-us.pdf
LANCOFCU
April 7th, 2014 08:00
I'm having the exact same issue. I'm getting the following when I test AD:
10:43:33 Initiating Directory Services Settings Diagnostics:
10:43:33 principal name from keytab: HOST/ws-idrac.DOMAIN.com@DOMAIN.com
10:43:33 getting TGT failed: check date/time and time zone offset.
10:43:33 DNS SRV look up with _ldap._tcp.corporate.lanco.com
AD is working on the DRAC as I can log in, but SSO isn't. I'm not sure if the time zone would have anything to do with it, as I'm still able to log in.
I also ran through the FAQ section and set the "Network Security: Configure encryption types allowed for Kerberos" policy to all options.
I'm not sure where to start troubleshooting.
DELL-Shine K (Operator)
April 7th, 2014 10:00
Can you provide the below information?
LANCOFCU
April 7th, 2014 11:00
Sure,
1. Dell R210ii
2. iDRAC6 FW 1.97
3. 2008 R2 (currently a domain controller)
4. Eastern Standard Time
5. 2008 R2 (all DCs are 2008 R2)
6. I took it straight out of the User Guide:
ktpass -princ HOST/ws-idrac.domainname.com@DOMAINNAME.COM -mapuser ws-idrac -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass PASSWORD -out c:\krbkeytab
I was under the assumption that you have to have an AD User object (ws-idrac) with DES Encryption for the account, which I've done. I've also registered the drac name (ws-idrac) in DNS. It seemed to like the command and the iDRAC didn't bark when I did the import.
LANCOFCU
April 7th, 2014 12:00
I tried that before, per your recommendations above, and I couldn't get it to work. Is it supposed to show an offset when you run racadm getractime? Mine did not. Here is my output from when I SSH'd into the iDRAC:
/admin1-> racadm getractime
Mon Apr 7 14:36:41 2014
/admin1-> racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset -300
Object value modified successfully
/admin1-> racadm getractime
Mon Apr 7 14:36:58 2014
/admin1->
And here is the racadm getconfig -g cfgRactuning results:
cfgRacTuneRemoteRacadmEnable=1
cfgRacTuneWebserverEnable=1
cfgRacTuneHttpPort=80
cfgRacTuneHttpsPort=443
cfgRacTuneTelnetPort=23
cfgRacTuneSshPort=22
cfgRacTuneConRedirEnable=1
cfgRacTuneConRedirPort=5900
cfgRacTuneConRedirEncryptEnable=1
cfgRacTuneLocalServerVideo=1
cfgRacTuneIpRangeEnable=0
cfgRacTuneIpRangeAddr=192.168.1.1
cfgRacTuneIpRangeMask=255.255.255.0
cfgRacTuneIpBlkEnable=0
cfgRacTuneIpBlkFailCount=5
cfgRacTuneIpBlkFailWindow=60
cfgRacTuneIpBlkPenaltyTime=300
cfgRacTuneTimezoneOffset=-300
cfgRacTuneDaylightOffset=0
cfgRacTuneAsrEnable=1
cfgRacTunePlugintype=0
cfgRacTuneCtrlEConfigDisable=0
cfgRacTuneLocalConfigDisable=0
cfgRacTuneVirtualConsoleAuthorizeMultipleSessions=0
I tried SSO and I still get:
DELL-Shine K (Operator)
April 7th, 2014 12:00
Is your server OS time in sync with the Domain Controller time? If yes, run the below command to configure the time zone on the iDRAC. After that, check Single Sign-On and share the result.
racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset -300
LANCOFCU
April 8th, 2014 12:00
Any other suggestions?
DELL-Shine K (Operator)
April 8th, 2014 21:00
Can you make the below changes on the domain controller?
Run the technet.microsoft.com/en-us/library/dd560670(WS.10).aspx steps for the domain controller and domain policy.
Configure the computers to use the DES-CBC-MD5 cipher suite.
These settings may affect compatibility with client computers or services and applications in your environment. The "Configure encryption types allowed for Kerberos" policy setting is located at Computer Configuration → Security Settings → Local Policies → Security Options.
Make sure that the domain clients have the updated GPO.
At the command line, type gpupdate /force and delete the old key tab with klist purge command.
After the GPO is updated, create the new keytab.
Upload the keytab to iDRAC
Also, if DST is on, you need to configure the "cfgRacTuneDaylightOffset" object as well:
racadm config -g cfgRacTuning -o cfgRacTuneDaylightOffset 60
If SSO login still fails after the above changes, can you share the output of the racadm gettracelog command and the Domain Controller time at the moment SSO failed?