Users Guide

ManualsBrandsDell ManualsActive System ManageriDRAC7/8 with Lifecycle Controller Version 2.50.50.50

151

152

153

154

155

156

157

158

159

160

Related link

Registering iDRAC as a computer in Active Directory root domain

Generating Kerberos keytab le

Creating Active Directory objects and providing privileges

Registering iDRAC as a computer in Active Directory root

domain

To register iDRAC in Active Directory root domain:

1 Click Overview > iDRAC Settings > Network > Network.

The Network page is displayed.

2 Provide a valid Preferred/Alternate DNS Server IP address. This value is a valid DNS server IP address that is part of the root

domain.

3 Select Register iDRAC on DNS.

4 Provide a valid DNS Domain Name.

5 Verify that network DNS conguration matches with the Active Directory DNS information.

For more information about the options, see the iDRAC Online Help.

Generating Kerberos keytab le

To support the SSO and smart card login authentication, iDRAC supports the conguration to enable itself as a kerberized service on a

Windows Kerberos network. The Kerberos conguration on iDRAC involves the same steps as conguring a non–Windows Server Kerberos

service as a security principal in Windows Server Active Directory.

The ktpass tool (available from Microsoft as part of the server installation CD/DVD) is used to create the Service Principal Name (SPN)

bindings to a user account and export the trust information into a MIT–style Kerberos keytab le, which enables a trust relation between an

external user or system and the Key Distribution Centre (KDC). The keytab le contains a cryptographic key, which is used to encrypt the

information between the server and the KDC. The ktpass tool allows UNIX–based services that support Kerberos authentication to use the

interoperability features provided by a Windows Server Kerberos KDC service. For more information on the ktpass utility, see the Microsoft

website at: technet.microsoft.com/en-us/library/cc779157(WS.10).aspx

Before generating a keytab le, you must create an Active Directory user account for use with the -mapuser option of the ktpass

command. Also, you must have the same name as iDRAC DNS name to which you upload the generated keytab le.

To generate a keytab le using the ktpass tool:

1 Run the ktpass utility on the domain controller (Active Directory server) where you want to map iDRAC to a user account in Active

Directory.

2 Use the following ktpass command to create the Kerberos keytab le:

C:\> ktpass.exe -princ HTTP/idrac7name.domainname.com@DOMAINNAME.COM -mapuser DOMAINNAME

\username -mapOp set -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass [password] -out c:

\krbkeytab

The encryption type is AES256-SHA1. The principal type is KRB5_NT_PRINCIPAL. The properties of the user account to which the

Service Principal Name is mapped to must have Use AES 256 encryption types for this account property enabled.

NOTE

: Use lowercase letters for the iDRACname and Service Principal Name. Use uppercase letters for the domain

name as shown in the example.

3 Run the following command:

C:\>setspn -a HTTP/iDRACname.domainname.com username

A keytab le is generated.

158

Conguring iDRAC for Single Sign-On or smart card login