Users Guide
Enabling Kerberos Authentication
Kerberos is a network authentication protocol that allows systems to
communicate securely over a non-secure network. It achieves this by allowing
the systems to prove their authenticity. To keep with the higher
authentication enforcement standards, iDRAC6 now supports Kerberos-based
Active Directory® authentication to support Active Directory Smart Card
and single sign-on logins.
Microsoft® Windows® 2000, Windows XP, Windows Server® 2003,
Windows Vista®, and Windows Server 2008 use Kerberos as their default
authentication method.
The iDRAC6 uses Kerberos to support two types of authentication
mechanisms—Active Directory single sign-on and Active Directory Smart
Card logins. For single sign-on login, iDRAC6 uses the user credentials
cached in the operating system after the user has logged in using a valid
Active Directory account.
For Active Directory smart card login, iDRAC6 uses smart card-based
two-factor authentication (TFA) as credentials to enable an Active Directory
login. This is the follow-on feature to the local Smart Card authentication.
Kerberos authentication on iDRAC6 fails if the iDRAC6 time differs from the
Domain Controller time. A maximum offset of 5 minutes is allowed.
To enable successful authentication, synchronize the server time with the
Domain Controller time and then reset the iDRAC6.
You can also use the following RACADM time zone offset command to
synchronize the time:
racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset <offset value>
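One way to check the 5-minute limit before attempting a Kerberos login, as an added example that is not part of this guide: the script below measures the offset between the local clock and the Domain Controller with a single SNTP query. It assumes the Domain Controller answers NTP on UDP port 123 and that it is run on the managed server whose time is being synchronized; the host name argument and the sample reply are constructed.

```python
import socket, struct, sys, time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 5 * 60             # maximum offset allowed, per the text above

def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def clock_offset(reply, t1, t4):
    """Server-minus-local offset in seconds from a 48-byte SNTP reply.
    t1 and t4 are the local Unix times of request send and reply receipt."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # mode 4 = server; stratum 0 = unusable
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2, t3 = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2  # standard NTP offset formula

def within_kerberos_skew(offset):
    return abs(offset) <= MAX_SKEW

def query_offset(server, timeout=3.0):
    """Send one SNTP client request (assumes the DC answers on UDP 123)."""
    request = b"\x1b" + 47 * b"\0"  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def sample_reply(server_unix_time):
    """Constructed reply (VN=4, mode 4, stratum 2) for offline use."""
    ntp_s = int(server_unix_time) + NTP_EPOCH_DELTA
    return b"\x24\x02" + 30 * b"\0" + struct.pack("!4I", ntp_s, 0, ntp_s, 0)

if __name__ == "__main__":
    if len(sys.argv) > 1:           # host name of the Domain Controller
        offset = query_offset(sys.argv[1])
    else:                           # constructed case: DC is 400 s ahead
        now = 1_700_000_000.0
        offset = clock_offset(sample_reply(now + 400), now, now)
    verdict = "OK" if within_kerberos_skew(offset) else "Kerberos login will fail"
    print(f"offset {offset:+.1f} s: {verdict}")
```

Run without arguments it evaluates the constructed reply; with a Domain Controller host name as the argument it performs a live query.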