Users Guide
198 Enabling Kerberos Authentication
Prerequisites for single sign-on and Active
Directory Authentication Using Smart Card
• Configure the iDRAC6 for Active Directory login. For more information,
see "Using Microsoft Active Directory to Log In to the iDRAC6."
• Register the iDRAC6 as a computer in the Active Directory root domain.
a
Click
Remote Access
→
Network/Security
tab
→
Network
subtab.
b
Provide a valid
Preferred/Alternate DNS Server
IP address. This value
is the IP address of the DNS that is part of the root domain,
which authenticates the Active Directory accounts of the users.
c
Select
Register iDRAC on DNS
.
d
Provide a valid
DNS Domain Name
.
See the
iDRAC6 Online Help
for more information.
To support the two new types of authentication mechanisms, iDRAC6
supports the configuration to enable itself as a kerberized service on a
Windows Kerberos network. The Kerberos configuration on iDRAC6
entails the same steps as configuring a non–Windows Server Kerberos
service as a security principal in Windows Server Active Directory.
The Microsoft tool
ktpass
(supplied by Microsoft as part of the server
installation CD/DVD) is used to create the Service Principal Name (SPN)
bindings to a user account and export the trust information into a
MIT–style Kerberos
keytab
file, which enables a trust relation between an
external user or system and the Key Distribution Centre (KDC). The
keytab file contains a cryptographic key, which is used to encrypt the
information between the server and the KDC. The ktpass tool allows
UNIX–based services that support Kerberos authentication to use the
interoperability features provided by a Windows Server Kerberos KDC
service.
The keytab obtained from the ktpass utility is made available to the
iDRAC6 as a file upload and is enabled to be a kerberized service on the
network.