Whitepaper

Configure iDRAC to use Active Directory Authentication

Abstract

This Dell technical white paper explains how to configure and test iDRAC with Microsoft's Active Directory authentication and Single Sign-On logon.
Revisions

Date        Description
July 2021   Initial release

The information in this publication is provided "as is." Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any software described in this publication requires an applicable software license.
Contents

1 Introduction
1.1 Standard and Extended Schemas
1.2 Supported Active Directory Configurations
1 Introduction

Using Microsoft Active Directory allows an administrator to manage Integrated Dell Remote Access Controller (iDRAC) user accounts and privileges from a central location, and provides better access control through security group management. Integrating a client with Microsoft's Active Directory for authentication can be complex.
If the login users and role groups, or any of the nested groups, come from multiple domains, then Global Catalog server addresses must be configured on iDRAC. In this multi-domain scenario, all role groups and any nested groups must be of the Universal Group type, because only Universal group membership is replicated to the Global Catalog.

1.3 Active Directory Login Syntax

Three login formats are accepted when authenticating as an Active Directory user:
1. username@domain
2. domain\username
3.
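The multi-domain rule above is easy to get wrong when role groups nest other groups. The following added example (not part of this Dell whitepaper) audits a set of iDRAC role groups from exported groupType and member attributes: it walks the nesting, determines the scope of each group from the groupType flag bits, and reports any non-Universal group when the objects involved span more than one domain. The group and user distinguished names, the child domain emea.fwad.local, and the group name iDRACGuest are constructed for the example; only the forest name fwad.local and the group name iDRACAdministrator appear in the whitepaper.

```python
"""Audit iDRAC role groups against the multi-domain rule stated above.

Added example, not part of the Dell whitepaper. When users and role groups
span more than one domain, iDRAC resolves membership through the Global
Catalog, which only holds the membership of Universal groups, so every role
group and every group nested inside it must be Universal. This script walks
that nesting over an exported group list. The group and user DNs below are
constructed (only the forest name fwad.local comes from the whitepaper);
in practice the same data comes from an LDAP query for groupType and member.
"""
from __future__ import annotations

# Flag bits of the Active Directory groupType attribute. The attribute is a
# signed 32-bit integer, so security groups (sign bit set) appear negative.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def group_scope(group_type: int) -> str:
    """Map a groupType value to 'universal', 'global' or 'domain_local'."""
    flags = group_type & 0xFFFFFFFF          # normalise the signed LDAP value
    if flags & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if flags & GROUP_TYPE_GLOBAL:
        return "global"
    if flags & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain_local"
    raise ValueError(f"unrecognised groupType {group_type:#x}")


def domain_of(dn: str) -> str:
    """Derive the DNS domain name from the DC= components of a distinguished name."""
    labels = [p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(labels).lower()


def audit_role_groups(role_groups: list[str], directory: dict[str, dict]) -> list[str]:
    """Return findings for the iDRAC role groups; an empty list means nothing to fix.

    `directory` maps a group DN to {"groupType": int, "member": [DNs]}; a member
    DN that is not a key of `directory` is treated as a user object.
    """
    domains = set()
    non_universal = []
    seen = set()
    stack = [(dn, dn) for dn in role_groups]         # (group DN, role group it hangs off)
    while stack:
        dn, root = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory[dn]
        domains.add(domain_of(dn))
        scope = group_scope(entry["groupType"])
        if scope != "universal":
            non_universal.append(f"{dn} is a {scope} group (reached via {root}); it must be Universal")
        for member in entry.get("member", []):
            if member in directory:                  # nested group: recurse into it
                stack.append((member, root))
            else:                                    # user: only its domain matters
                domains.add(domain_of(member))
    if len(domains) <= 1:
        return []      # single domain: group scope is not restricted and no Global Catalog is needed
    findings = [f"users and groups span {len(domains)} domains ({', '.join(sorted(domains))}): "
                "configure Global Catalog server addresses on iDRAC"]
    return findings + non_universal


# Constructed sample: role groups in fwad.local, one of which nests a Global
# group from a child domain emea.fwad.local (the child domain is invented).
ROLE_GROUPS = [
    "CN=iDRACAdministrator,CN=Users,DC=fwad,DC=local",
    "CN=iDRACGuest,CN=Users,DC=fwad,DC=local",
]
SAMPLE_DIRECTORY = {
    ROLE_GROUPS[0]: {
        "groupType": -2147483640,   # 0x80000008: security-enabled Universal group
        "member": ["CN=admin,CN=Users,DC=fwad,DC=local",
                   "CN=Datacenter Ops,OU=Groups,DC=emea,DC=fwad,DC=local"],
    },
    "CN=Datacenter Ops,OU=Groups,DC=emea,DC=fwad,DC=local": {
        "groupType": -2147483646,   # 0x80000002: security-enabled Global group
        "member": ["CN=operator,CN=Users,DC=emea,DC=fwad,DC=local"],
    },
    ROLE_GROUPS[1]: {
        "groupType": -2147483640,
        "member": ["CN=readonly,CN=Users,DC=fwad,DC=local"],
    },
}

if __name__ == "__main__":
    for finding in audit_role_groups(ROLE_GROUPS, SAMPLE_DIRECTORY) or ["no multi-domain issues found"]:
        print(finding)
```

Run against the sample data, the audit reports that the objects span two domains and that the nested Datacenter Ops group is a Global group, which is exactly the configuration that fails once Global Catalog lookups are in use. In a single domain the same Global group is accepted, matching the whitepaper's statement that the Universal requirement applies to the multi-domain case.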
2 Integrate iDRAC with Microsoft's Active Directory

2.1 iDRAC Network Settings

Before configuring Active Directory settings on iDRAC, verify that the network settings are correct. The DNS server settings are required so that iDRAC can resolve and reach the domain controller by its Fully Qualified Domain Name (FQDN). Set the DNS DRAC Name, if not already defined, and set the Static DNS Domain Name as shown below.
Figure 2: Enable Microsoft Active Directory

To edit the Microsoft Active Directory settings, click the Edit button.

Figure 3: Edit Microsoft Active Directory Settings

2.3 Configure the Digital Certificate

Enable digital certificate validation so that iDRAC verifies the domain controller's certificate when it initiates SSL/TLS connections to the Active Directory server. With certificate validation enabled, the certificate of the Certificate Authority (CA) that issued the domain controller certificate must be uploaded to iDRAC. Without validation, iDRAC accepts whatever certificate the server presents, so the LDAP connection is open to interception by a host impersonating the domain controller.
Figure 4: Certificate Validation

After the certificate is uploaded, it is displayed in the Current Directory Service CA Certificate section of the Details page.

Figure 5: CA Certificate

2.4 Configure Active Directory Domain Information

Configure the location information for the Active Directory servers and user accounts. Leave the default settings unchanged where appropriate.
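When certificate validation (section 2.3) is enabled, the Domain Controller Server Address configured here is compared against the names in the domain controller's certificate, and a mismatch makes every Active Directory login fail. The following added example (not part of this Dell whitepaper) models that host-name check in the way a TLS client normally performs it: DNS names are compared case-insensitively against the certificate's Subject Alternative Name dNSName entries with a single left-most wildcard label allowed, an IP address is compared only against iPAddress entries, and the Subject CN is consulted only when the certificate has no dNSName entries. iDRAC's exact matching rules are not documented on this page, so this is the conservative expectation rather than a description of iDRAC's code. The domain controller name is the one used in the whitepaper's RACADM appendix; the certificate contents and IP addresses are constructed.

```python
"""Model of the certificate name check that applies when iDRAC's Active
Directory certificate validation is enabled.

Added example, not part of the Dell whitepaper. It implements the usual TLS
host-name matching rules (RFC 6125 style); iDRAC's exact implementation is
not documented on this page. Certificate names below are constructed from
the domain controller host name used in the whitepaper.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """The name material a TLS client compares against: Subject CN and SANs."""
    subject_cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName (or CN) pattern against a host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only a whole left-most label may be a wildcard, the pattern must keep at
    # least two fixed labels (so "*.local" never matches), and label counts match.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def dc_address_matches_cert(address: str, names: CertNames) -> bool:
    """Return True if `address`, as typed into Domain Controller Server Address,
    would pass host-name verification against the certificate names given."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only ever matches an iPAddress SAN, never a dNSName or the CN.
        return any(ipaddress.ip_address(s) == ip for s in names.san_ip)
    if names.san_dns:
        return any(_dns_name_match(p, address) for p in names.san_dns)
    # Legacy fallback: no dNSName SAN present, so the Subject CN is compared.
    return names.subject_cn is not None and _dns_name_match(names.subject_cn, address)


# Constructed example: a domain controller certificate issued the way AD CS
# normally issues them, with the host FQDN in CN and SAN and no IP entry.
DC_CERT = CertNames(
    subject_cn="WIN-4RFKEQCK5CK.fwad.local",
    san_dns=["WIN-4RFKEQCK5CK.fwad.local", "fwad.local"],
)

if __name__ == "__main__":
    for candidate in ("win-4rfkeqck5ck.fwad.local", "WIN-4RFKEQCK5CK", "192.0.2.10"):
        verdict = "passes" if dc_address_matches_cert(candidate, DC_CERT) else "FAILS"
        print(f"{candidate:28} -> {verdict}")
```

The three candidates show the practical rule: the FQDN passes, the short host name fails, and the IP address fails because the certificate carries no iPAddress entry. Enter the domain controller by FQDN, or make sure its certificate includes the IP address in the Subject Alternative Name before using an IP address.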
Note: If certificate validation is enabled, the FQDN or IP address entered in the Domain Controller Server Address field must match the Subject or Subject Alternative Name of your domain controller certificate. Domain controller certificates are normally issued for the host's FQDN, so specify the domain controller by FQDN rather than by IP address unless the certificate also carries the IP address in its Subject Alternative Name.

Figure 6: Domain Common Settings

2.5 Configure Standard Schema Mode

2.5.
Figure 7: Standard Schema Selection

The standard schema settings configure the location of the Active Directory Global Catalog server. There are two options for selecting a Global Catalog server:
• Look Up Global Catalog Servers with DNS: Use a DNS lookup to obtain the Active Directory Global Catalog server. The DNS lookup uses the Root Domain Name specified.
Figure 9: Standard Schema Role Groups

2.5.3 Testing Standard Schema

Use the test feature in iDRAC to validate the Active Directory configuration. Go to iDRAC Settings > Users > Directory Services and click Test Settings. Enter the username and password of a user in the iDRACAdministrator group.

Figure 10: Test Admin User

All tests must pass (including certificate validation) or be marked Not Applicable/Not Configured.
Figure 11: Test Log

Repeat the test with the other users created and note the privileges reported for the operator and guest users.

2.6 Configure Extended Schema Mode

The extended schema uses Dell association objects to link iDRAC devices, users, and privileges. Access to iDRAC is then granted according to the overall permissions these associations confer. The default Access Control List (ACL) of the Dell association objects allows Self and Domain Administrators to manage the permissions and scope of iDRAC objects.
Figure 12: Predefined Association and Privilege Objects

An iDRAC object is required to represent each physical iDRAC device. Create a device object and associate it with a set of predefined privileges. Select the Dell container, right-click, and go to New > Dell Remote Management Object Advanced. Enter the iDRAC device name.
Figure 13: User Association Object

Next, add the iDRAC device to the predefined Admin association object. Click the Dell container under fwad.local.
• Select Dell iDRAC Admin User Association > Properties.
• Click the Products tab; click Add, type the iDRAC name, and click Check Names (it should be found).
Figure 14: User Association Properties - Products

Repeat the steps above to add the iDRAC device to the Dell iDRAC Power User Association and the Dell iDRAC Guest User Association. Finally, add the users to the association objects. Click the Dell container under fwad.local.
• Select Dell iDRAC Admin User Association > Properties.
• Click the Users tab.
• Click Add, type admin, and click Check Names (it should be found).
Figure 15: User Association Properties - Users

Repeat the above steps to add the user operator to the Dell iDRAC Power User Association object and the read-only user to the Dell iDRAC Guest User Association.

2.6.2 Extended Schema Settings

Now that the schema has been extended and the association objects are defined on the Active Directory server, configure the schema selection on iDRAC. Select the Extended Schema mode.
Figure 16: Extended Schema Selection

Enter the iDRAC Name that uniquely identifies this iDRAC in Active Directory; it must match the name given to the iDRAC object created in section 2.6. Then enter the Domain Name of the domain in which the iDRAC object is defined.

Figure 17: Extended Schema Settings

2.6.3 Testing Extended Schema

Use the test feature in iDRAC to validate the Active Directory configuration. Go to iDRAC Settings > Users > Directory Services and click Test Settings.
Figure 19: Test Log
3 Configure iDRAC Single Sign-On

iDRAC supports Kerberos-based Single Sign-On (SSO) through the web interface. When Single Sign-On is enabled, users can log in to iDRAC with the Kerberos credentials the operating system obtained when they logged on to the management station with a valid Active Directory account, without entering a password again. This section provides the steps to configure iDRAC for Single Sign-On and assumes that iDRAC has already been configured and tested with Active Directory as described in section 2.
Figure 20: Create User for Device keytab

Generate a Kerberos keytab file that can be uploaded to the iDRAC. Each iDRAC must have its own unique keytab file, bound to its own service principal and its own user account. On the Active Directory server, the ktpass.exe utility is used to create the file. The command syntax is:

ktpass -princ HTTP/idrac-7c4000z.fwad.local@FWAD.LOCAL -mapuser FWAD\idrac7c4000z-key -mapop set -pass ******** -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\temp\idrac-7c4000z.

The service principal name given with -princ must be HTTP/ followed by the iDRAC's FQDN, and the realm after the @ is the Kerberos realm, conventionally the domain name in upper case. ktpass also resets the mapped account's password to the value supplied with -pass, so that the key written to the keytab matches the account's key in Active Directory; the account's previous password no longer works after this step.
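A keytab generated with the wrong service principal name or a weak encryption type uploads without complaint but leaves Single Sign-On failing, so it is worth inspecting the file before uploading it. The following added example (not part of this Dell whitepaper) parses the MIT keytab format that ktpass writes (file format version 0x0502), lists each entry's principal, key version number and encryption type, and checks that the keytab contains HTTP/<iDRAC FQDN>@REALM with an AES key (Kerberos enctype 18 is what -crypto AES256-SHA1 produces). Because a real keytab holds the service account's secret key, the example builds its own sample keytab in memory with a dummy key; the principal name is the one from the ktpass command above, and the key version number and key bytes are constructed.

```python
"""Inspect a Kerberos keytab before uploading it to iDRAC.

Added example, not part of the Dell whitepaper. ktpass writes the MIT keytab
format (version 0x0502), so the file can be parsed to confirm that it holds
the HTTP/<iDRAC FQDN>@REALM principal for this iDRAC with an AES256 key
(enctype 18) and to record its key version number (kvno). The sample keytab
is built in memory from a dummy key; only the principal comes from the paper.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # single DES, 3DES and RC4 families


@dataclass
class KeytabEntry:
    principal: str      # e.g. HTTP/idrac-7c4000z.fwad.local@FWAD.LOCAL
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_length: int


def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a counted_octet_string (big-endian uint16 length + data) at pos."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT v2 keytab (the format ktpass produces) into its entries."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # bytes that follow this field
        pos += 4
        end = pos + abs(size)
        if size <= 0:                                    # negative size = deleted slot
            pos = end
            continue
        (num_components,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        components = []
        for _ in range(num_components):
            comp, pos = _counted(data, pos)
            components.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                               # optional 32-bit kvno wins if present
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append(KeytabEntry("/".join(components) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, len(key)))
        pos = end
    return entries


def check_idrac_keytab(data: bytes, idrac_fqdn: str, realm: str) -> list[str]:
    """Return problems found; an empty list means the keytab fits this iDRAC."""
    expected = f"HTTP/{idrac_fqdn}@{realm.upper()}"
    entries = parse_keytab(data)
    matching = [e for e in entries if e.principal == expected]
    problems = []
    if not matching:
        found = ", ".join(e.principal for e in entries) or "none"
        problems.append(f"no entry for {expected} (found: {found})")
    for e in matching:
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"{e.principal}: weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            problems.append(f"{e.principal}: name type {e.name_type}, expected KRB5_NT_PRINCIPAL")
    return problems


def build_keytab(principal: str, realm: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise a single-entry keytab; used here only to construct sample input."""
    def counted(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    service, host = principal.split("/", 1)
    body = struct.pack(">H", 2) + counted(realm.encode()) + counted(service.encode()) + counted(host.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">H", enctype) + counted(key) + struct.pack(">I", kvno)
    return struct.pack(">H", KEYTAB_VERSION) + struct.pack(">i", len(body)) + body


# Constructed sample: the whitepaper's principal with a dummy 32-byte AES-256
# key (NOT a real key) and kvno 3.
SAMPLE_KEYTAB = build_keytab("HTTP/idrac-7c4000z.fwad.local", "FWAD.LOCAL", 3, 18, bytes(range(32)))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_idrac_keytab(SAMPLE_KEYTAB, "idrac-7c4000z.fwad.local", "fwad.local") or "keytab OK")
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to check_idrac_keytab together with the iDRAC FQDN and realm used in the ktpass command. The kvno is worth noting: each time ktpass is rerun the account's key version increments, and a keytab whose kvno no longer matches the account in Active Directory must be regenerated and uploaded again.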
Using the iDRAC's Fully Qualified Domain Name (FQDN) for the principal name and the iDRAC user account created earlier, generate the Kerberos keytab file.

NOTE: The keytab contains the long-term encryption key of the service account; anyone who obtains it can impersonate the iDRAC's HTTP service to Kerberos clients. Transfer it over a protected channel, restrict access to the copy on the Active Directory server, and delete that copy once the file has been uploaded to iDRAC.

Figure 21: Generate a Kerberos Keytab File

Now that the keytab file has been created, the iDRAC user account must be configured for delegation. Right-click the iDRAC user and select Properties.
Figure 22: Trust User for Delegation

3.1.2 Upload Kerberos Keytab File in iDRAC

Now the keytab file must be uploaded to iDRAC. Go to iDRAC Settings > Users > Directory Services and click Edit. On the Active Directory Configuration and Management page, under Upload Kerberos Keytab, click Browse and select the Kerberos keytab file.
Figure 23: Upload Kerberos Keytab File

3.2 Configure iDRAC for Single Sign-On

Now enable Single Sign-On under Common Settings.

Figure 24: Enable Single Sign-On

3.3 Configure and Test Single Sign-On on Management Station

3.3.1 Windows IE Browser

For the management station to use Single Sign-On (SSO) to authenticate to iDRAC, the web browser(s) must be configured to support SSO.
Figure 25: Configure IE for Single Sign-On

To configure automatic authentication in the browser, open the Security tab and click Custom level.... Scroll to the bottom and, under User Authentication > Logon, verify that Automatic logon only in Intranet zone is selected. SSO only works for sites in the Local intranet zone, so the iDRAC's FQDN must fall within that zone. Restart the browser.
Figure 26: Security Setting – Local Intranet Zone

To test SSO authentication on the client, log on to the Active Directory domain from the management station. Launch an IE browser window and connect to iDRAC using its Fully Qualified Domain Name (FQDN) (Example: idrac-ddhdjtc.fwad.local). The FQDN, not the IP address, must be used, because the Kerberos service principal created with ktpass is HTTP/<FQDN> and the browser requests a ticket for the host name in the URL. If the browser is configured correctly, it does not prompt for credentials.

3.3.
Figure 27: Configure Firefox for Delegation and Trust

To test SSO authentication on the management station, log on to the Active Directory domain from the management station. Launch a Firefox browser window and connect to iDRAC using its Fully Qualified Domain Name (FQDN) (Example: idrac-ddhdjtc.fwad.local). If the browser is configured correctly, it does not prompt for credentials.
A Configure Active Directory using RACADM

A.1 Configure Digital Certificate

racadm>> set iDRAC.ActiveDirectory.CertValidationEnable 1
C:\> racadm -r <iDRAC IP address> -u <username> -p <password> sslcertupload -t 0x2 -f fwad-rootca.cer

The racadm>> lines are entered at the interactive RACADM prompt (for example over SSH to the iDRAC). The certificate upload is run with remote RACADM from a management station: -r is the iDRAC address, -u and -p are the credentials of an iDRAC user with the Configure iDRAC privilege, and -t 0x2 selects the Directory Service CA certificate type.

A.2 Configure Active Directory Domain Information

racadm>> set iDRAC.ActiveDirectory.Enable 1
racadm>> set iDRAC.ActiveDirectory.DomainController1 WIN-4RFKEQCK5CK.fwad.local
racadm>> set iDRAC.ActiveDirectory.