Users Guide

Prerequisites for Single Sign-On or Smart Card login
The pre-requisites to congure SSO or Smart Card logins are:
Setup the Kerberos realm and Key Distribution Center (KDC) for Active Directory (ksetup).
A robust NTP and DNS infrastructure to avoid issues with clock drift and reverse lookup.
Congure CMC with Active Directory standard schema role group with authorized members.
For smart card, create Active Directory users for each CMC, congured to use Kerberos DES encryption but not pre-
authentication.
Congure the browser for SSO or smart card login.
Register the CMC users to the Key Distribution Center with Ktpass (this also outputs a key to upload to CMC).
Generating Kerberos keytab le
To support the SSO and smart card login authentication, CMC supports Windows Kerberos network. The ktpass tool is used to
create the Service Principal Name (SPN) bindings to a user account and export the trust information into a MIT-style Kerberos
keytab le. For more information about the ktpass utility, see the Microsoft website.
Before generating a keytab le, create an Active Directory user account for use with the -mapuser option of the ktpass command.
Use the same name as the CMC DNS name to which you upload the generated keytab le.
To generate a keytab le using the ktpass tool:
1. Run the ktpass utility on the domain controller (Active Directory server), where you want to map CMC to a user account in
Active Directory.
2. Use the following ktpass command to create the Kerberos keytab le:
C:\>ktpass -princ HTTP/cmcname.domain_name.com@REALM_NAME.COM -mapuser dracname -mapOp set -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab
NOTE: The cmcname.domainname.com must be in lowercase as required by RFC and the @REALM_NAME must be
in uppercase. In addition, CMC supports the DES-CBC-MD5 and AES256-SHA1 types of cryptography for Kerberos
authentication.
A keytab le is generated that must be uploaded to CMC.
NOTE: The keytab contains an encryption key and must be kept secure. For more information about the
ktpass
utility, see the Microsoft website.
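The following is an added example, not part of the original guide or of any Dell or Microsoft tooling: a small Python reader for the MIT-style keytab format (version 0x0502) that lists each entry's principal, realm, key version and encryption type without exposing the key, and checks the entry against the two NOTEs above (lowercase host name, uppercase realm) while flagging single-DES keys. The function names and the sample bytes are constructed for illustration; the sample mirrors the ktpass command shown earlier and carries a dummy all-zero key.

```python
import struct
# Kerberos enctype numbers (IANA registry subset); 1 and 3 are single DES.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96"}
SINGLE_DES = {1, 3}

def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(buf):
    """List (principal, realm, kvno, enctype) per entry; key bytes are discarded."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                     # non-positive size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = _counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(buf, p)
            comps.append(comp.decode())
        p += 8                            # skip name_type and timestamp
        kvno, etype = struct.unpack_from(">BH", buf, p)
        _key, p = _counted(buf, p + 3)    # step over the key without keeping it
        if end - p >= 4:                  # optional 32-bit kvno overrides if nonzero
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        entries.append(("/".join(comps), realm.decode(), kvno, etype))
        pos = end
    return entries

def review(principal, realm, kvno, etype):
    """Return findings for one entry, based on the NOTEs in this section."""
    host = principal.partition("/")[2]
    checks = [(host != host.lower(), "host part of the SPN is not lowercase"),
              (realm != realm.upper(), "realm is not uppercase"),
              (etype in SINGLE_DES, f"single-DES key ({ENCTYPES[etype]})")]
    return [msg for bad, msg in checks if bad]

# Constructed sample shaped like the ktpass command above; the key is eight zero bytes.
_BODY = (b"\x00\x02\x00\x0eREALM_NAME.COM\x00\x04HTTP\x00\x17cmcname.domain_name.com"
         + bytes(8) + b"\x03\x00\x03\x00\x08" + bytes(8) + b"\x00\x00\x00\x03")
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_BODY)) + _BODY
```

To check a real file, pass its bytes to parse_keytab and call review(*entry) on each result; the key material is never returned or printed.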
Conguring CMC for Active Directory schema
For information about conguring CMC for Active Directory standard schema, see Conguring Standard Schema Active Directory.
For information about conguring CMC for Extended Schema Active Directory, see Extended Schema Active Directory Overview.
Conguring browser for SSO login
Single Sign-On (SSO) is supported on Internet Explorer versions 6.0 and later, and Firefox versions 3.0 and later.
NOTE: The following instructions are applicable only if CMC uses Single Sign-On with Kerberos authentication.
Internet Explorer
To edit the exception list in Internet Explorer:
1. Start Internet Explorer.
2. Click Tools → Internet Options → Connections.
3. In the Local Area Network (LAN) settings section, click LAN Settings.