Users Guide

The Active Directory is configured for a domain present in Windows Server 2008 Active Directory. A child or sub domain is
present for the domain, the user and group are present in the same child domain, and the user is a member of that group. When
trying to log in to iDRAC using the user present in the child domain, Active Directory Single Sign-On login fails.
This may be because of an incorrect group type. There are two kinds of group types in the Active Directory server:
Security — Security groups allow you to manage user and computer access to shared resources and to filter group policy
settings.
Distribution — Distribution groups are intended to be used only as email distribution lists.
Always make sure that the group type is Security. You cannot use distribution groups to assign permission on any object; however,
use them to filter group policy settings.
Single Sign-On
SSO login fails on Windows Server 2008 R2 x64. What are the settings required to resolve this?
1. Run the technet.microsoft.com/en-us/library/dd560670(WS.10).aspx for the domain controller and domain policy.
2. Configure the computers to use the DES-CBC-MD5 cipher suite.
These settings may affect compatibility with client computers or services and applications in your environment. The Configure
encryption types allowed for Kerberos policy setting is located at Computer Configuration > Security Settings > Local
Policies > Security Options.
3. Make sure that the domain clients have the updated GPO.
4. At the command line, type gpupdate /force and delete the old keytab with the klist purge command.
5. After the GPO is updated, create the new keytab.
6. Upload the keytab to iDRAC.
You can now log in to iDRAC using SSO.
Why does SSO login fail with Active Directory users on Windows 7 and Windows Server 2008 R2?
You must enable the encryption types for Windows 7 and Windows Server 2008 R2. To enable the encryption types:
1. Log in as administrator or as a user with administrative privilege.
2. Go to Start and run gpedit.msc. The Local Group Policy Editor window is displayed.
3. Go to Local Computer Settings > Windows Settings > Security Settings > Local Policies > Security Options.
4. Right-click Network Security: Configure encryption types allowed for Kerberos and select Properties.
5. Enable all the options.
6. Click OK. You can now log in to iDRAC using SSO.
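To confirm what the encryption type policy in the two SSO procedures above actually leaves enabled, the following added example (not part of the original guide) reads the value Windows stores for that policy and decodes its bitmask. The function name ConvertFrom-KerberosEtypeMask and the three sample masks are constructed for illustration; run it in PowerShell on the client or domain controller after gpupdate /force.

```powershell
# Added example. Bit values of the "Configure encryption types allowed
# for Kerberos" policy (SupportedEncryptionTypes bitmask).
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'      = 0x1
    'DES_CBC_MD5'      = 0x2
    'RC4_HMAC_MD5'     = 0x4
    'AES128_HMAC_SHA1' = 0x8
    'AES256_HMAC_SHA1' = 0x10
}
$FutureMask = 0x7FFFFFE0   # "Future encryption types" check box

# Hypothetical helper name: turns a mask into a readable report.
function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][int]$Mask)
    $enabled = @(foreach ($name in $EtypeBits.Keys) {
        if ($Mask -band $EtypeBits[$name]) { $name }
    })
    [pscustomobject]@{
        Mask        = '0x{0:X}' -f $Mask
        Enabled     = $enabled -join ', '
        DesEnabled  = [bool]($Mask -band 0x3)    # DES_CBC_CRC or DES_CBC_MD5
        AesEnabled  = [bool]($Mask -band 0x18)   # AES128 or AES256
        FutureTypes = (($Mask -band $FutureMask) -eq $FutureMask)
    }
}

# Constructed samples: DES-CBC-MD5 only, AES only, and "enable all the options".
0x2, 0x18, 0x7FFFFFFF | ForEach-Object { ConvertFrom-KerberosEtypeMask -Mask $_ }

# Live check: the policy value is written under this key once the GPO applies.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$prop = Get-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    'SupportedEncryptionTypes is not set: the policy is not configured and OS defaults apply.'
} else {
    ConvertFrom-KerberosEtypeMask -Mask $prop.SupportedEncryptionTypes
}
```

A mask with DesEnabled true and AesEnabled false (the 0x2 sample) is the case the compatibility note in step 2 refers to: clients and services that only offer AES or RC4 will no longer negotiate a ticket with that computer.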
Perform the following additional settings for Extended Schema:
1. In the Local Group Policy Editor window, navigate to Local Computer Settings > Windows Settings > Security Settings >
Local Policies > Security Options.
2. Right-click Network Security: Restrict NTLM: Outgoing NTLM traffic to remote server and select Properties.
3. Select Allow all, click OK, and close the Local Group Policy Editor window.
4. Go to Start and run cmd. The command prompt window is displayed.
5. Run the command gpupdate /force. The group policies are updated. Close the command prompt window.
6. Go to Start and run regedit. The Registry Editor window is displayed.
7. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
8. In the right-pane, right-click and select New > DWORD (32-bit) Value.
9. Name the new key as SuppressExtendedProtection.
10. Right-click SuppressExtendedProtection and click Modify.