Users Guide
Generating Kerberos keytab file
To support the SSO and smart card login authentication, iDRAC supports the configuration to enable itself as a kerberized service on a
Windows Kerberos network. The Kerberos configuration on iDRAC involves the same steps as configuring a non–Windows Server
Kerberos service as a security principal in Windows Server Active Directory.
The ktpass tool (available from Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN)
bindings to a user account and export the trust information into a MIT–style Kerberos keytab file, which enables a trust relation between
an external user or system and the Key Distribution Centre (KDC). The keytab file contains a cryptographic key, which is used to encrypt
the information between the server and the KDC. The ktpass tool allows UNIX–based services that support Kerberos authentication to
use the interoperability features provided by a Windows Server Kerberos KDC service. For more information on the ktpass utility, see the
Microsoft website at: technet.microsoft.com/en-us/library/cc779157(WS.10).aspx
Before generating a keytab file, you must create an Active Directory user account for use with the -mapuser option of the ktpass
command. Also, you must have the same name as iDRAC DNS name to which you upload the generated keytab file.
To generate a keytab file using the ktpass tool:
1. Run the ktpass utility on the domain controller (Active Directory server) where you want to map iDRAC to a user account in Active
Directory.
2. Use the following ktpass command to create the Kerberos keytab file:
C:\> ktpass.exe -princ HTTP/idrac7name.domainname.com@DOMAINNAME.COM -mapuser DOMAINNAME
\username -mapOp set -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass [password] -out
c:\krbkeytab
The encryption type is AES256-SHA1. The principal type is KRB5_NT_PRINCIPAL. The properties of the user account to which the
Service Principal Name is mapped to must have Use AES 256 encryption types for this account property enabled.
NOTE:
Use lowercase letters for the iDRACname and Service Principal Name. Use uppercase letters for the domain
name as shown in the example.
3. Run the following command:
C:\>setspn -a HTTP/iDRACname.domainname.com username
A keytab file is generated.
NOTE:
If you find any issues with iDRAC user for which the keytab file is created, create a new user and a new
keytab file. If the same keytab file which was initially created is again executed, it does not configure correctly.
Configuring iDRAC SSO login for Active Directory users
using web interface
To configure iDRAC for Active Directory SSO login:
NOTE: For information about the options, see the
iDRAC Online Help
.
1. Verify whether the iDRAC DNS name matches the iDRAC Fully Qualified Domain Name. To do this, in iDRAC Web interface, go to
iDRAC Settings > Network > Common Settings and refer to DNS iDRAC Name property.
2. While configuring Active Directory to setup a user account based on standard schema or extended schema, perform the following two
additional steps to configure SSO:
• Upload the keytab file on the Active Directory Configuration and Management Step 1 of 4 page.
• Select Enable Single Sign-On option on the Active Directory Configuration and Management Step 2 of 4 page.
Configuring iDRAC SSO login for Active Directory users
using RACADM
To enable SSO, complete the steps to configure Active Directory, and run the following command:
racadm set iDRAC.ActiveDirectory.SSOEnable 1
Configuring iDRAC for Single Sign-On or smart card login
149