Dell PowerEdge M1000e Chassis Management Controller Version 4.5 - Single Sign-On and Kerberos Model

This technical brief describes how the Single Sign-On and Kerberos authentication model works in CMC 4.
Revisions

Date           Description
January 2014   Initial Release

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. © 2014 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.
trademarks of Citrix Systems, Inc. in the United States and/or other countries. VMware®, Virtual SMP®, vMotion®, vCenter® and vSphere® are registered trademarks or trademarks of VMware, Inc. in the United States or other countries. IBM® is a registered trademark of International Business Machines Corporation. Broadcom® and NetXtreme® are registered trademarks of Broadcom Corporation. Qlogic is a registered trademark of QLogic Corporation.
Executive summary

This document explains the following:
• How Single Sign-On (SSO) works using Kerberos, a network authentication protocol
• The Kerberos security mechanism
• Configuring the Dell Chassis Management Controller for SSO

The Dell Chassis Management Controller uses Kerberos to support single sign-on, so that users log in with their Active Directory account credentials.
1. Kerberos Model

Operating systems such as Windows (2000 and later) and Windows Server (2003 and later) use Kerberos as an authentication protocol, allowing users who have signed in to the domain to access the Chassis Management Controller (CMC) automatically. This means that users can access the CMC securely without entering a user name and password.
2. Kerberos Workflow

The following section describes how Kerberos functions.

1. Creating the Authenticator
• The Client creates an authenticator (red lock), a portion of which is not encrypted, for example the user name. This enables the domain controller to find out who is trying to authenticate.
• The other portion of the authenticator is encrypted using the User's password (red key). The KDC first searches for the user in its database.
2. Generating the Ticket Granting Ticket
The KDC generates an encrypted Ticket Granting Ticket (TGT). This TGT can be decrypted by the KDC only. The KDC sends the TGT to the Client, where it is saved in the Kerberos tray (a special area of memory in the Client that is not persistent).

3. Accessing a File from the Server
To access a file from the file server, the Client needs a ticket for that file server. The Client sends the TGT held in the Kerberos tray to the KDC, requesting a ticket for the file server.

4. Decrypting the Ticket Granting Ticket on the KDC
• After the KDC receives the TGT from the client, it does not validate the user again. The KDC uses its own key to decrypt the TGT. The key expires after 8 hours.
• The KDC generates a ticket for the file server.
5. Decrypting the Ticket Granting Ticket on the File Server
The Client sends a copy of the TGT to the file Server to gain access to the files. The Server holds a key to decrypt the ticket.
Note: For each access request, the Client must send a fresh copy of the TGT to get access to the files. The Server does not keep any TGT for the client in its memory.
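The five-step exchange above, as an added runnable model that is not part of the brief and is not Dell's or Microsoft's code. It keeps the brief's roles (Client, KDC, file server), the clear-text user name in the authenticator, a TGT that only the KDC can open, and a ticket that only the file server can open; what the brief calls the copy of the TGT sent to the file server appears here as that server-specific ticket. It also enforces two limits the brief states: the 8-hour lifetime and the one-minute clock tolerance from the CMC configuration section. The cipher (an HMAC-SHA256 keystream), the principal names, the password and all keys are constructed stand-ins; real Kerberos uses its own encryption types and string-to-key functions.

```python
"""Toy model of the five-step Kerberos exchange described above. Added illustration,
not Dell or Microsoft code: an HMAC-SHA256 stream cipher stands in for the real
Kerberos encryption types, and every principal, password and key is constructed."""
import hashlib
import hmac
import json
import os

SKEW_SECONDS = 60           # the brief allows +1/-1 minute between AD server and CMC clocks
TICKET_LIFETIME = 8 * 3600  # the brief states the TGT key expires after 8 hours


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n keystream bytes from key and nonce (toy construction)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message under key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC, then decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def user_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the 'red key' derived from the user's password."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    def __init__(self, users: dict, services: dict):
        self.users = {u: user_key(p) for u, p in users.items()}  # principal database (step 1)
        self.services = services                                  # service name -> long-term key
        self.tgs_key = os.urandom(32)                             # only the KDC can open a TGT

    def as_exchange(self, username: str, authenticator: bytes, now: int):
        """Steps 1-2: the clear-text user name lets the KDC find the user; the encrypted
        part proves knowledge of the password. Returns (TGT, session key sealed for the user)."""
        if username not in self.users:
            raise PermissionError("unknown principal")
        try:
            auth = unseal(self.users[username], authenticator)
        except ValueError:
            raise PermissionError("pre-authentication failed: wrong password") from None
        if abs(auth["timestamp"] - now) > SKEW_SECONDS:
            raise PermissionError("clock skew exceeds limit")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": username, "session": session,
                                  "expires": now + TICKET_LIFETIME})
        return tgt, seal(self.users[username], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """Steps 3-4: the KDC opens the TGT with its own key instead of re-checking the
        password, then issues a ticket sealed under the file server's key."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        unseal(bytes.fromhex(t["session"]), authenticator)  # client must hold the session key
        return seal(self.services[service], {"user": t["user"], "service": service,
                                             "expires": now + TICKET_LIFETIME})


class FileServer:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, now: int) -> str:
        """Step 5: the server decrypts the ticket with its own key and caches nothing,
        so every request must carry a fresh ticket."""
        t = unseal(self.key, ticket)
        if t["service"] != self.name or now > t["expires"]:
            raise PermissionError("ticket not valid for this server")
        return t["user"]


def sso_session(password: str, clock_offset: int = 0, access_delay: int = 0) -> str:
    """Run the whole flow for the constructed user 'alice' and return the user name the
    file server accepted; raises PermissionError on a bad password, clock skew or expiry."""
    kdc = KDC({"alice": "constructed-password"}, {"cifs/files": os.urandom(32)})
    server = FileServer("cifs/files", kdc.services["cifs/files"])
    t0 = 1_700_000_000                          # fixed KDC clock, for reproducible runs
    authenticator = seal(user_key(password), {"timestamp": t0 + clock_offset})
    tgt, sealed = kdc.as_exchange("alice", authenticator, t0)
    session = bytes.fromhex(unseal(user_key(password), sealed)["session"])  # the Kerberos tray
    later = t0 + access_delay
    ticket = kdc.tgs_exchange(tgt, seal(session, {"timestamp": later}), "cifs/files", later)
    return server.accept(ticket, later)
```

Calling sso_session("constructed-password") returns "alice"; a wrong password, a client clock more than 60 seconds off the KDC, or a request more than 8 hours after the TGT was issued raises PermissionError at the step where the brief says the corresponding check happens. Note that the KDC never sees the password at the TGS step: it decrypts the TGT with its own key and checks that the client can use the session key, which is why the brief says the user is not validated again.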
3. CMC Prerequisites
• The CMC must have firmware version 2.10 or later
• Each CMC user must have an Active Directory account
• The CMC must be a part of the Active Directory domain and Kerberos realm

4. Configuring CMC for SSO

Configure CMC for the following SSO settings:

1. Date & Time Settings (system clock)
Set the same Date and Time on the AD Server and the CMC. The permissible variation is +1 or -1 minute.

2.
3. Selecting the Schema
To select the schema:
a. Click Chassis Overview -> User Authentication -> Directory Services. The Directory Services page is displayed.
b. Select Microsoft Active Directory (Standard Schema) as the type of Directory service.
c. In the Common Settings section, select the Enable Active Directory, Enable Single Sign-on and Certificate Validation Enabled options.
d. In the Root Domain Name field, provide the Domain name registered in AD and the IP of the Domain controller.
4. Standard Schema Settings
To set the standard schema settings:
a. In the Standard Schema Settings section, create a group under the same Domain, for example pgcmc.com.
b. Click one of the numbered buttons under Role Groups, for example button 1. A new page, Configure Role Group 1, is displayed.
c. Provide the Group Name and Group Domain.
d. Under Role Group Privileges, select the required privilege.
5. Upload Kerberos Keytab
a. Create a Kerberos keytab using ktpass, for example:

    ktpass -princ HTTP/cmc-sso.pgcmc.com@PGCMC.COM -mapuser cmckerb -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass XXXX -out c:\cmcssokerb

In this command:
cmc-sso: DNS CMC Name (refer to Network -> Network -> General Settings)
pgcmc.
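The ktpass command above writes the keytab on a Windows host, and the CMC will trust whatever that file contains once it is uploaded in the next step. It is worth confirming beforehand that the file really carries the HTTP/<DNS CMC name>@<REALM> principal and noting which encryption type it holds. The following is an added example, not Dell's or Microsoft's code: it parses the keytab file format that ktpass and MIT Kerberos write (version bytes 0x05 0x02) and flags single-DES keys, which is what -crypto DES-CBC-MD5 in the example produces and which only works if DES is enabled for the mapped account, since Windows 7 / Windows Server 2008 R2 and later disable DES by default. The sample keytab is built in memory by build_keytab with made-up key bytes, kvno and timestamp, so nothing here reads or writes c:\cmcssokerb; to inspect a real file, pass the bytes read from it to check_keytab.

```python
"""Inspect a Kerberos keytab before uploading it to the CMC. Added illustration,
not Dell's or Microsoft's code: build_keytab constructs a sample file in memory,
so the key bytes, timestamps and kvno values below are made up."""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 2, as written by ktpass and MIT krb5
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ENCTYPES = {1, 2, 3}     # single DES: disabled by default on Windows 7 / Server 2008 R2 and later


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal 'svc/host@REALM', name_type, kvno, enctype, key, timestamp)."""
    out = KEYTAB_MAGIC
    for principal, name_type, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())  # v2: count excludes realm
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)          # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key              # keyblock
        body += struct.pack(">I", kvno)                                  # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def _read_octets(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry; negative-size slots are deleted entries and are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        name_type, ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:                       # 32-bit vno present: prefer it when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "timestamp": ts,
                        "enctype_id": enctype,
                        "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
                        "key_len": len(key)})
    return entries


def check_keytab(data: bytes, expected_principal: str) -> list:
    """Findings to resolve before uploading: missing principal, single-DES keys."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    findings = []
    if not matching:
        findings.append("no entry for %s (found: %s)" % (
            expected_principal, ", ".join(e["principal"] for e in entries) or "none"))
    for e in matching:
        if e["enctype_id"] in DES_ENCTYPES:
            findings.append("%s uses %s; DES must be explicitly enabled for the AD account"
                            % (e["principal"], e["enctype"]))
    return findings
```

check_keytab returns an empty list when the expected principal is present with a non-DES key, and otherwise one finding per problem. The 8-bit vno field wraps at 256, so the parser prefers the 32-bit trailer when it is present and non-zero; a kvno mismatch between the keytab and the account in AD is the usual reason an otherwise correct keytab fails.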
b. Under the Kerberos Keytab section, click Choose File to select the file, and then click Upload.

5. References

For browser settings related to Dell Chassis Management Controller version 4.5, see the Dell Chassis Management Controller Version 4.5 User's Guide on Dell.com. For additional information on CMC, see Chassis Management Controllers on Dell.com.