Users Guide
168 Enabling Kerberos Authentication
Prerequisites for single sign-on and Active
Directory Authentication Using Smart Card
• Configure iDRAC6 for Active Directory login.
• Register iDRAC6 as a computer in the Active Directory root domain.
a
Click
System
→
Remote Access
→
iDRAC6
→
Network/Security
→
Network
subtab.
b
Provide a valid
Preferred/Alternate DNS Server
IP address. This value
is the IP address of the DNS that is part of the root domain,
which authenticates the Active Directory accounts of the users.
c
Select
Register iDRAC6 on DNS
.
d
Provide a valid
DNS Domain Name
.
e
Verify that network DNS configuration matches with the Active
Directory DNS information.
See
iDRAC6 Online Help
for more information.
To support the two new types of authentication mechanisms, iDRAC6
supports the configuration to enable itself as a kerberized service on a
Windows Kerberos network. The Kerberos configuration on iDRAC6
entails the same steps as configuring a non–Windows Server Kerberos
service as a security principal in Windows Server Active Directory.
The Microsoft tool
ktpass
(supplied by Microsoft as part of the server
installation CD/DVD) is used to create the Service Principal Name (SPN)
bindings to a user account and export the trust information into a
MIT–style Kerberos
keytab
file, which enables a trust relation between an
external user or system and the Key Distribution Centre (KDC). The
keytab file contains a cryptographic key, which is used to encrypt the
information between the server and the KDC. The ktpass tool allows
UNIX–based services that support Kerberos authentication to use the
interoperability features provided by a Windows Server Kerberos KDC
service.
The keytab obtained from the ktpass utility is made available to iDRAC6
as a file upload and is enabled to be a kerberized service on the network.
Since iDRAC6 is a device with a non-Windows operating system, run the
ktpass
utility—part of Microsoft Windows—on the Domain Controller