Users Guide

Client Systems
For Smart Card login only, the client system must have the Microsoft Visual C++ 2005 redistributable. For more information, see
www.microsoft.com/downloads/details.aspx?FamilyID=32BC1BEEA3F9-4C13-9C99-220B62A191EE&displaylang=en
For Single Sign-On or smart card login, the client system must be a part of the Active Directory domain and Kerberos Realm.
CMC
Each CMC must have an Active Directory account.
CMC must be a part of the Active Directory domain and Kerberos Realm.
Prerequisites For Single Sign-On Or Smart Card Login
The prerequisites to configure SSO or Smart Card logins are:
Set up the Kerberos realm and Key Distribution Center (KDC) for Active Directory (ksetup).
A robust NTP and DNS infrastructure to avoid issues with clock drift and reverse lookup.
Congure CMC with Active Directory standard schema role group with authorized members.
For smart card, create Active Directory users for each CMC, congured to use Kerberos DES encryption but not pre-authentication.
Congure the browser for SSO or smart card login.
Register the CMC users to the Key Distribution Center with Ktpass (this also outputs a key to upload to CMC).
Generating Kerberos Keytab File
To support SSO and smart card login authentication, CMC supports the Windows Kerberos network. The ktpass tool (available from
Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN) bindings to a user account and
export the trust information into a MIT-style Kerberos keytab file. For more information about the ktpass utility, see the Microsoft Website.
Before generating a keytab file, you must create an Active Directory user account for use with the -mapuser option of the ktpass
command. You must use the same name as the CMC DNS name to which you upload the generated keytab file.
To generate a keytab file using the ktpass tool:
1 Run the ktpass utility on the domain controller (Active Directory server) where you want to map CMC to a user account in Active
Directory.
2 Use the following ktpass command to create the Kerberos keytab file:
ktpass -princ HTTP/cmcname.domainname.com@DOMAINNAME.COM -mapuser keytabuser -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab
NOTE: The cmcname.domainname.com must be in lower case as required by the RFC, and the @REALM_NAME must be in
uppercase. In addition, CMC supports the DES-CBC-MD5 and AES256-SHA1 types of cryptography for Kerberos
authentication.
A keytab file is generated that must be uploaded to CMC.
NOTE: The keytab contains an encryption key and must be kept secure. For more information about the ktpass utility, see
the Microsoft Website.
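As an added example (not from this guide or the ktpass tool), the following Python script parses the MIT-style keytab that ktpass writes and checks the entry against the requirements above (HTTP service, lower-case host, upper-case realm, DES-CBC-MD5 or AES256-SHA1) before the file is uploaded to CMC; the sample keytabs are constructed inside the script with all-zero dummy keys.

```python
import struct
# Kerberos enctype numbers (RFC 3961 registry) for the two types the CMC accepts.
ACCEPTED_ENCTYPES = {3: "DES-CBC-MD5", 18: "AES256-SHA1"}

def _counted(buf, pos):  # uint16 length-prefixed octet string -> (bytes, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) MIT keytab into entries; the key bytes themselves are not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:  # a negative size marks a deleted slot, which is just skipped
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(data, p)
                comps.append(comp.decode())
            _ntype, _stamp, kvno, enctype, _klen = struct.unpack_from(">IIBHH", data, p)
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno, "enctype": enctype})
        pos += abs(size)  # move past the key material and any trailing 32-bit kvno to the next entry
    return entries

def check_cmc_entry(entry):
    """Return the problems (empty list if none) with one entry against the CMC requirements."""
    service, _, rest = entry["principal"].partition("/")
    host, _, realm = rest.partition("@")
    rules = [(service == "HTTP", "service part must be HTTP"),
             (host == host.lower(), "host part must be lower case"),
             (realm == realm.upper(), "realm must be upper case"),
             (entry["enctype"] in ACCEPTED_ENCTYPES, "enctype must be DES-CBC-MD5 (3) or AES256-SHA1 (18)")]
    return [msg for ok, msg in rules if not ok]

def build_keytab(principal, enctype, key, kvno=1):  # one-entry v2 keytab, used only to construct samples
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key  # name_type 1 = KRB5_NT_PRINCIPAL
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed samples with all-zero dummy keys, not real keys: one correct, one with the common mistakes.
GOOD_KEYTAB = build_keytab("HTTP/cmcname.domainname.com@DOMAINNAME.COM", 3, bytes(8))
BAD_KEYTAB = build_keytab("HTTP/CMCName.domainname.com@domainname.com", 23, bytes(16))
```

To check a real file, read it in binary mode and pass the bytes to parse_keytab; enctype 23 in the bad sample is RC4-HMAC, which CMC does not list as supported.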
Conguring CMC For Active Directory Schema
For information about conguring CMC for Active Directory standard schema, see Conguring Standard Schema Active Directory.
Conguring CMC For Single Sign-On Or Smart Card Login