Troubleshooting

Microsoft® Active Directory® Theory and Operation with the Dell™ Chassis Management Controller
Only SSO:
• Both browsers, Firefox 3.0+ and Internet Explorer 7.0+, must be configured to
  implement SSO. The changes for each browser are outlined below.
• Only the Internet Explorer browser (IE7 and later) is supported for SSO.
Both TFA and SSO:
• Microsoft Active Directory Domain controller with forest setup.
• Cryptographic service running on a Windows domain controller > Certificate Services.
• Dynamic Domain Name Service (DDNS). Set up both DNS forward and reverse zones.
  This allows your Dell Chassis Management Controller to be automatically added to the
  DNS zones. Alternatively, you can manually add the Dell Chassis Management Controller
  to both zones in DNS.
• User workstations need to be part of the domain.
• Make sure the Active Directory user login works on the workstation.
• Make sure you have all the latest security patches and service packs installed on your
  version of Windows server.
• Install the latest version of KTPASS available from the Microsoft Web site.
• Set Internet Explorer Security settings as follows:
  o Allow your DNS domain name that will be used with your device.
  o Allow your device IP address if you are not using the name for setup. Afterward,
    use only the DNS name of the device.
  o Allow ActiveX controls, plug-ins, and downloads. During the TFA login process
    you are presented with an ActiveX plug-in that needs to download and install
    in the IE browser.
  o Disable the pop-up blocker. If you add the domain to the allow list in the IE
    browser options, you can leave the blocker turned on.
• All domain controllers and computers in the forest must trust the root Certification
  Authority (CA) of the smart card certificate's certificate chain.
• All domain controllers must have a Domain Controller or Domain Controller
  Authentication certificate installed. Smart card authentication requires mutual
  authentication of the user and the domain controller involved in the Kerberos
  authentication.
• The smart card certificate must contain the Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  and Client Authentication (1.3.6.1.5.5.7.3.2) object identifiers (OIDs) in the
  Enhanced Key Usage (EKU) extension or in the Application Policies extension. The
  Smart Card Logon and Client Authentication OIDs must be valid in the entire certificate
  chain. This is part of the cryptography install process from Microsoft.
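One way to check the smart card certificate requirement above from a domain-joined workstation, as an added example that is not part of the original Dell document. Test-SmartCardCertificate is a hypothetical helper name; it reads only the EKU extension of the leaf certificate (not the Application Policies extension), then asks the Windows chain engine whether both usages hold for the whole chain, with revocation checking switched off.

```powershell
# Added example. The two OIDs are the ones quoted in the text above.
$RequiredEku = [ordered]@{
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
}

function Test-SmartCardCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # OIDs listed in the leaf certificate's EKU extension (2.5.29.37), if present.
        $leafOids = @()
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($ekuExt) {
            $leafOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        $missing = @($RequiredEku.GetEnumerator() |
            Where-Object { $leafOids -notcontains $_.Value } |
            ForEach-Object { $_.Key })

        # Build the chain and require both usages for every certificate in it.
        # A CA that restricts usage surfaces as NotValidForUsage; an untrusted
        # root surfaces as UntrustedRoot.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # usage and trust only
        foreach ($oid in $RequiredEku.Values) {
            $o = New-Object System.Security.Cryptography.Oid $oid
            [void]$chain.ChainPolicy.ApplicationPolicy.Add($o)
        }
        $chainOk = $chain.Build($Certificate)

        [pscustomobject]@{
            Subject     = $Certificate.Subject
            Thumbprint  = $Certificate.Thumbprint
            MissingEku  = $missing
            ChainValid  = $chainOk
            ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        }
    }
}

# Run over the certificates in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Test-SmartCardCertificate | Format-List
```

An empty MissingEku together with ChainValid = True means the certificate passes this check on the machine where it was run; repeat it on a domain controller to confirm the same chain is trusted there.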
• Include the CA that issues the smart card certificate in the Active Directory NT
  Authority (NTAuth) store. When a CA certificate is added to the NTAuth object in
  Active Directory (CN=NTAuthCertificates, CN=Public Key Services, CN=Services,