User guide

Single Sign-On (SSO)
iDRAC6 allows a user configured in Active Directory with Standard Schema to log in directly to the
iDRAC6 GUI without explicitly providing login credentials. This feature is referred to as Single Sign-On
(SSO), and it uses AD authentication along with the Kerberos network authentication protocol. Kerberos
provides protection against eavesdropping and replay attacks (see further reading).
To use SSO, the management station must belong to the same domain as the one configured in the
Active Directory settings of the iDRAC6. The user logging in to the management station must have login
privileges to the domain and must be configured in Active Directory. The iDRAC6 time must be within
plus or minus 5 minutes of the Domain Controller’s time and in the same time zone. When these conditions
are met, a user who opens the iDRAC6 GUI in a web browser is logged in automatically using Kerberos
Authentication.
Kerberos Authentication makes use of a Kerberos Client that is downloaded to the management
station as an ActiveX plug-in. The client communicates with the Key Distribution Center (KDC), which is
the Active Directory Server, using the Kerberos protocol to validate the user. The KDC communicates with
the iDRAC6 using AD queries to get user permissions. The KDC returns a Service Ticket to the client, which
sends it to the iDRAC6. The iDRAC6 validates the service ticket and, if it is valid, binds to the AD server
using a keytab file. If the user has sufficient privileges, the user is logged into the iDRAC6.
Figure 5 demonstrates the Kerberos Authentication that takes place for SSO.