Users Guide
8 Configuring iDRAC for Single Sign-On or smart card login
This section provides information to configure iDRAC for Smart Card login (for local users and Active Directory users) and Single
Sign-On (SSO) login (for Active Directory users). SSO and smart card login are licensed features.
iDRAC supports Kerberos-based Active Directory authentication to support Smart Card and SSO logins. For information on Kerberos,
see the Microsoft website.
Related links
Configuring iDRAC SSO login for Active Directory users
Configuring iDRAC smart card login for local users
Configuring iDRAC smart card login for Active Directory users
Prerequisites for Active Directory Single Sign-On or smart card login
The prerequisites for Active Directory-based SSO or Smart Card logins are:
• Synchronize iDRAC time with the Active Directory domain controller time. If the times are not synchronized, Kerberos authentication on iDRAC fails. You can
use the Time zone and NTP feature to synchronize the time. To do this, see Configuring time zone and NTP.
• Register iDRAC as a computer in the Active Directory root domain.
• Generate a keytab file using the ktpass tool.
• To enable Single Sign-On for Extended schema, make sure that the Trust this user for delegation to any service (Kerberos
only) option is selected on the Delegation tab for the keytab user. This tab is available only after creating the keytab file using
the ktpass utility.
• Configure the browser to enable SSO login.
• Create the Active Directory objects and provide the required privileges.
• For SSO, configure the reverse lookup zone on the DNS servers for the subnet where iDRAC resides.
NOTE: If the host name does not match the reverse DNS lookup, Kerberos authentication fails.
• Configure the browser to support SSO login. For more information, see Configuring supported web browsers.
NOTE: Google Chrome and Safari do not support Active Directory for SSO login.
Related links
Registering iDRAC as a computer in Active Directory root domain
Generating Kerberos keytab file
Creating Active Directory objects and providing privileges
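The time and reverse-DNS prerequisites above can be checked before the first Kerberos login attempt. The following Python script is an added example, not part of this guide or of iDRAC; the host name, addresses, and function names are hypothetical, and the 5-minute tolerance assumes the Active Directory default Kerberos clock-skew policy. The two clock readings are supplied by the operator.

```python
import socket
from datetime import datetime, timedelta, timezone

# Assumption: 5 minutes is the Active Directory default Kerberos clock-skew
# tolerance; substitute your domain's policy value if it differs.
MAX_SKEW = timedelta(minutes=5)

def _norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def check_dns(fqdn, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Return a list of forward/reverse DNS problems for the iDRAC host name."""
    try:
        _, _, addrs = forward(fqdn)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return [f"forward lookup of {fqdn} failed: {exc}"]
    problems = []
    for addr in addrs:
        try:
            primary, _, _ = reverse(addr)
        except OSError as exc:
            problems.append(f"no reverse (PTR) record for {addr}: {exc}")
            continue
        # Strict check: the primary PTR name must equal the name users browse to.
        if _norm(primary) != _norm(fqdn):
            problems.append(f"PTR for {addr} is {_norm(primary)}, expected {_norm(fqdn)}")
    return problems

def check_skew(idrac_time, dc_time, limit=MAX_SKEW):
    """Return a problem list if the two clocks differ by more than limit."""
    skew = abs(idrac_time - dc_time)
    return [f"clock skew {skew} exceeds {limit}"] if skew > limit else []

if __name__ == "__main__":
    # Constructed sample data: hypothetical iDRAC name with fake resolvers.
    zone = {"idrac01.example.test": ["192.0.2.10"]}
    ptr = {"192.0.2.10": "IDRAC01.example.test."}
    fwd = lambda name: (name, [], zone[name])
    rev = lambda addr: (ptr[addr], [], [addr])
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(check_dns("idrac01.example.test", fwd, rev))
    print(check_skew(now + timedelta(minutes=7), now))
```

Called without the resolver arguments, check_dns uses the system resolver, so run it from a host that queries the same DNS servers as the domain clients.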
Registering iDRAC as a computer in Active Directory root domain
To register iDRAC in Active Directory root domain:
1. Click Overview → iDRAC Settings → Network → Network.
The Network page is displayed.
2. Provide a valid Preferred/Alternate DNS Server IP address. This value is a valid DNS server IP address that is part of the root
domain.