HP Integrated Lights-Out Security, 7th edition

Login process using two-factor authentication with Microsoft Internet Explorer (iLO 2 v1.80 only)
iLO 2 v1.80 provides an authentication scheme supporting only Microsoft® Internet Explorer. This
authentication scheme involves using two factors of authentication:
Something the user knows: a password or PIN.
Something the user possesses: the private key for his digital certificate.
Users can store their digital certificates and private keys wherever they choose, such as on smart
cards and USB keys.
When two-factor authentication is required, access to the OS on a remote server will use smart card
device support within Windows Remote Desktop Connection. iLO uses Terminal Services pass-thru to
access Remote Desktop Connection.
Support for smart cards in Remote Desktop Connection requires
that the remote server run Microsoft® Windows® Server 2003 or later.
The authentication layer will continue to be a middle layer between HTTP and LDAP or local accounts.
The layer will provide certificate validation for local users, and perform the necessary LDAP calls to
authenticate with the directory.
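The check the authentication layer performs for a local user, as an added illustration in Go (not iLO's code): a constructed CA and a client certificate for a hypothetical user "jdoe" stand in for the smart card credential, a signed server challenge stands in for the TLS handshake's proof that the client holds the private key, and the LocalUsers table is an assumed mapping from certificate subject to local account.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hypothetical table mapping a certificate subject CN to an iLO local account (constructed for this example).
var LocalUsers = map[string]string{"jdoe": "Administrator"}

// Setup builds a constructed trust anchor (CA) and one client-auth certificate for "jdoe" issued under it.
func Setup() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Add(-time.Minute)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Smart Card CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	userT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "jdoe"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userDER, _ := x509.CreateCertificate(rand.Reader, userT, ca, &userKey.PublicKey, caKey)
	user, _ := x509.ParseCertificate(userDER)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, user, userKey
}

// Authenticate does the two checks: the certificate must chain to a trusted CA with the client-auth usage,
// and the challenge signature must verify under its public key; only then is the CN mapped to a local account.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, bool) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", false // untrusted issuer, expired, or wrong usage: no account
	}
	h := sha256.Sum256(challenge)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", false // client did not prove possession of the matching private key
	}
	account, ok := LocalUsers[cert.Subject.CommonName]
	return account, ok
}
```

A certificate from an unknown CA, or a signature made with a different key, yields no account even though the other factor is present.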
With two-factor authentication enabled for web browser access, access to the following ports is
automatically disabled:
SSH, Port 22
Telnet, Port 23
SSL, Port 443 (XML traffic only; no other traffic is affected)
If necessary, server administrators can selectively re-enable the SSH and/or telnet ports manually. It is
important to know that you cannot enable the XML port (CPQLOCFG access) while two-factor
authentication is enabled. Performing group administration activities while you have two-factor
authentication enabled requires using the HPONCFG utility.
Figure 8 shows the messages exchanged in two-factor mode to establish secure communication
channels and authentication between the client and iLO, and between iLO and the directory.
The Microsoft Internet Explorer browser uses the Microsoft Cryptographic API for communication
between the browser and the certificate contained in the smart card.