Users Guide
2. Configure the computers to use the DES-CBC-MD5 cipher suite.
These settings may affect compatibility with client computers or services and applications in your environment. The Configure
encryption types allowed for Kerberos policy setting is located at Computer Configuration → Security Settings → Local
Policies
→ Security Options.
3. Make sure that the domain clients have the updated GPO.
4. At the command line, type gpupdate /force and delete the old key tab with klist purge command.
5. After the GPO is updated, create the new keytab.
6. Upload the keytab to iDRAC.
You can now log in to iDRAC using SSO.
Why does SSO login fail with Active Directory users on Windows 7 and Windows Server 2008 R2?
You must enable the encryption types for Windows 7 and Windows Server 2008 R2. To enable the encryption types:
1. Log in as administrator or as a user with administrative privilege.
2. Go to Start and run gpedit.msc. The Local Group Policy Editor window is displayed.
3. Go to Local Computer Settings → Windows Settings → Security Settings → Local Policies → Security Options.
4. Right-click Network Security: Configure encryption types allowed for kerberos and select Properties.
5. Enable all the options.
6. Click OK. You can now log in to iDRAC using SSO.
Perform the following additional settings for Extended Schema:
1. In the Local Group Policy Editor window, navigate to Local Computer Settings → Windows Settings → Security Settings
→ Local Policies → Security Options .
2. Right-click Network Security: Restrict NTLM: Outgoing NTLM traffic to remote server and select Properties.
3. Select Allow all, click OK, and close the Local Group Policy Editor window.
4. Go to Start and run cmd. The command prompt window is displayed.
5. Run the command gpupdate /force. The group policies are updated. Close the command prompt window.
6. Go to Start and run regedit. The Registry Editor window is displayed.
7. Navigate to HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → LSA .
8. In the right-pane, right-click and select New → DWORD (32-bit) Value.
9. Name the new key as SuppressExtendedProtection.
10. Right-click SuppressExtendedProtection and click Modify.
11. In the Value data field, type 1 and click OK.
12. Close the Registry Editor window. You can now log in to iDRAC using SSO.
If you have enabled SSO for iDRAC and you are using Internet Explorer to log in to iDRAC, SSO fails and you are prompted to
enter your user name and password. How to resolve this?
Make sure that the iDRAC IP address is listed in the Tools → Internet Options → Security → Trusted sites. If it is not listed, SSO
fails and you are prompted to enter your user name and password. Click Cancel and proceed.
Smart card login
It takes up to four minutes to log into iDRAC using Active Directory Smart Card login.
The normal Active Directory Smart Card login normally takes less than 10 seconds, however it may take up to four minutes if you
have specified the preferred DNS server and the alternate DNS server in the Network page, and the preferred DNS server has
failed. DNS time-outs are expected when a DNS server is down. iDRAC logs you in using the alternate DNS server.
ActiveX plug-in unable to detect the Smart Card reader.
Make sure that the smart card is supported on the Microsoft Windows operating system. Windows supports a limited number of
smart card Cryptographic Service Providers (CSPs).
In general, check if the smart card CSPs are present on a particular client, insert the smart card in the reader at the Windows logon
(Ctrl-Alt-Del) screen and check if Windows detects the smart card and displays the PIN dialog-box.
280