Users Guide
NOTE: If you are using Active Directory on Microsoft Windows 2003, make sure that you have the latest service packs and patches installed on the client system. If you are using Active Directory on Microsoft Windows 2008, make sure that you have installed SP1 along with the following hotfixes:
Windows6.0-KB951191-x86.msu for the KTPASS utility. Without this patch the utility generates bad keytab files.
Windows6.0-KB957072-x86.msu for using GSS_API and SSL transactions during an LDAP bind.
• Kerberos Key Distribution Center (packaged with the Active Directory Server software).
• DHCP server (recommended).
• The DNS server reverse zone must have an entry for the Active Directory server and CMC.
Client Systems
• For Smart Card login only, the client system must have the Microsoft Visual C++ 2005 redistributable. For more information see www.microsoft.com/downloads/details.aspx?FamilyID=32BC1BEEA3F9-4C13-9C99-220B62A191EE&displaylang=en
• For Single Sign-On or smart card login, the client system must be a part of the Active Directory domain and Kerberos Realm.
CMC
• Each CMC must have an Active Directory account.
• CMC must be a part of the Active Directory domain and Kerberos Realm.
Prerequisites for Single Sign-On or Smart Card login
The prerequisites to configure SSO or Smart Card logins are:
• Set up the Kerberos realm and Key Distribution Center (KDC) for Active Directory (ksetup).
• A robust NTP and DNS infrastructure to avoid issues with clock drift and reverse lookup.
• Configure CMC with the Active Directory standard schema role group with authorized members.
• For smart card, create an Active Directory user for each CMC, configured to use Kerberos DES encryption but not pre-authentication.
• Configure the browser for SSO or smart card login.
• Register the CMC users to the Key Distribution Center with Ktpass (this also outputs a key to upload to CMC).
Generating Kerberos keytab file
To support SSO and smart card login authentication, CMC supports Windows Kerberos networks. The ktpass tool is used to create the Service Principal Name (SPN) binding to a user account and to export the trust information into an MIT-style Kerberos keytab file. For more information about the ktpass utility, see the Microsoft website.
Before generating a keytab file, create an Active Directory user account for use with the -mapuser option of the ktpass command. Use the same name as the CMC DNS name to which you upload the generated keytab file.
To generate a keytab file using the ktpass tool:
1 Run the ktpass utility on the domain controller (Active Directory server) where you want to map CMC to a user account in Active Directory.
2 Use the following ktpass command to create the Kerberos keytab file:
C:\>ktpass -princ HTTP/cmcname.domain_name.com@REALM_NAME.COM -mapuser dracname -mapOp set -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab
Configuring CMC for Single Sign-On or Smart Card login 119