Users Guide
– The Active Directory Enabled option is selected on the Active Directory Configuration and
Management page.
– The DNS setting is correct on the iDRAC Networking configuration page.
– The correct Active Directory root CA certificate is uploaded to iDRAC if certificate validation was
enabled.
– The iDRAC name and iDRAC Domain name matches the Active Directory environment
configuration if you are using extended schema.
– The Group Name and Group Domain Name matches the Active Directory configuration if you are
using standard schema.
– If the user and the iDRAC object is in different domain, then do not select the User Domain from
Login option. Instead select Specify a Domain option and enter the domain name where the
iDRAC object resides.
• Check the domain controller SSL certificates to make sure that the iDRAC time is within the valid
period of the certificate.
Active Directory login fails even if certificate validation is enabled. The test results display the
following error message. Why does this occur and how to resolve this?
ERROR: Can't contact LDAP server, error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed: Please check
the correct Certificate Authority (CA) certificate has been uploaded to iDRAC.
Please also check if the iDRAC date is within the valid period of the
certificates and if the Domain Controller Address configured in iDRAC matches
the subject of the Directory Server Certificate.
If certificate validation is enabled, when iDRAC establishes the SSL connection with the directory server,
iDRAC uses the uploaded CA certificate to verify the directory server certificate. The most common
reasons for failing certification validation are:
• iDRAC date is not within the validity period of the server certificate or CA certificate. Check the iDRAC
time and the validity period of your certificate.
• The domain controller addresses configured in iDRAC does not match the Subject or Subject
Alternative Name of the directory server certificate. If you are using an IP address, read the next
question. If you are using FQDN, make sure you are using the FQDN of the domain controller and not
the domain. For example, servername.example.com instead of example.com.
Certificate validation fails even if IP address is used as the domain controller address. How to resolve
this?
Check the Subject or Subject Alternative Name field of your domain controller certificate. Normally,
Active Directory uses the host name and not the IP address of the domain controller in the Subject or
Subject Alternative Name field of the domain controller certificate. To resolve this, do any of the
following:
• Configure the host name (FQDN) of the domain controller as the domain controller address(es) on
iDRAC to match the Subject or Subject Alternative Name of the server certificate.
• Reissue the server certificate to use an IP address in the Subject or Subject Alternative Name field, so
that it matches the IP address configured in iDRAC.
• Disable certificate validation if you choose to trust this domain controller without certificate validation
during the SSL handshake.
How to configure the domain controller address(es) when using extended schema in a multiple
domain environment?
348