Users Guide

ManualsBrandsDell ManualsAlienwareOEMR R240

341

342

343

344

345

346

347

348

349

350

To diagnose the problem, on the Active Directory Configuration and Management page, click Test Settings. Review the

test results and fix the problem. Change the configuration and run the test until the test user passes the authorization step.

In general, check the following:

● While logging in, make sure that you use the correct user domain name and not the NetBIOS name. If you have a local iDRAC

user account, log into iDRAC using the local credentials. After logging in, make sure that:

○ The Active Directory Enabled option is selected on the Active Directory Configuration and Management page.

○ The DNS setting is correct on the iDRAC Networking configuration page.

○ The correct Active Directory root CA certificate is uploaded to iDRAC if certificate validation was enabled.

○ The iDRAC name and iDRAC Domain name matches the Active Directory environment configuration if you are using

extended schema.

○

The Group Name and Group Domain Name matches the Active Directory configuration if you are using standard schema.

○ If the user and the iDRAC object is in different domain, then do not select the User Domain from Login option. Instead

select Specify a Domain option and enter the domain name where the iDRAC object resides.

● Check the domain controller SSL certificates to make sure that the iDRAC time is within the valid period of the certificate.

Active Directory login fails even if certificate validation is enabled. The test results display the following error

message. Why does this occur and how to resolve this?

ERROR: Can't contact LDAP server, error:14090086:SSL

routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed: Please check the correct

Certificate Authority (CA) certificate has been uploaded to iDRAC. Please also check if

the iDRAC date is within the valid period of the certificates and if the Domain

Controller Address configured in iDRAC matches the subject of the Directory Server

Certificate.

If certificate validation is enabled, when iDRAC establishes the SSL connection with the directory server, iDRAC uses the

uploaded CA certificate to verify the directory server certificate. The most common reasons for failing certification validation

are:

● iDRAC date is not within the validity period of the server certificate or CA certificate. Check the iDRAC time and the validity

period of your certificate.

● The domain controller addresses configured in iDRAC does not match the Subject or Subject Alternative Name of the

directory server certificate. If you are using an IP address, read the next question. If you are using FQDN, make sure you are

using the FQDN of the domain controller and not the domain. For example, servername.example.com instead of

example.com.

Certificate validation fails even if IP address is used as the domain controller address. How to resolve this?

Check the Subject or Subject Alternative Name field of your domain controller certificate. Normally, Active Directory uses the

host name and not the IP address of the domain controller in the Subject or Subject Alternative Name field of the domain

controller certificate. To resolve this, do any of the following:

● Configure the host name (FQDN) of the domain controller as the domain controller address(es) on iDRAC to match the

Subject or Subject Alternative Name of the server certificate.

● Reissue the server certificate to use an IP address in the Subject or Subject Alternative Name field, so that it matches the IP

address configured in iDRAC.

● Disable certificate validation if you choose to trust this domain controller without certificate validation during the SSL

handshake.

How to configure the domain controller address(es) when using extended schema in a multiple domain

environment?

This must be the host name (FQDN) or the IP address of the domain controller(s) that serves the domain in which the iDRAC

object resides.

When to configure Global Catalog Address(es)?

If you are using standard schema and the users and role groups are from different domains, Global Catalog Address(es) are

required. In this case, you can use only Universal Group.

If you are using standard schema and all the users and role groups are in the same domain, Global Catalog Address(es) are not

required.

If you are using extended schema, the Global Catalog Address is not used.

How does standard schema query work?

iDRAC connects to the configured domain controller address(es) first. If the user and role groups are in that domain, the

privileges are saved.

344

Frequently asked questions