Configuring Single Sign-On for Application Launch in OpenManage Essentials


This Dell technical white paper provides the information required to configure Single Sign-On (SSO) for launching the iDRAC console from OpenManage Essentials.

OME Engineering Team

This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell, the Dell logo, and PowerEdge are trademarks of Dell Inc. Intel and Xeon are registered trademarks of Intel Corporation in the U.S. and other countries. Microsoft, Windows, and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others.

July 2013, Version 1.0

Contents

Executive Summary
Introduction
Configuring iDRAC for Single Sign-On
Prerequisites for Active Directory Single Sign-On in iDRAC
Registering iDRAC as a Computer in the Active Directory Domain
Configuring Standard Schema Active Directory
Configuring iDRAC SSO Login for Active Directory Users Using the Web Interface
Configuring the Management Station for iDRAC SSO Login
Launching the SSO-Integrated iDRAC Console from the Management Station
Conclusion
References

Figures

Figure 1. iDRAC DNS Registration Settings
Figure 2. Active Directory User and Group Creation for Standard Schema
Figure 3. Active Directory User Creation for SSO
Figure 4. Enabling Active Directory Service in iDRAC
Figure 5. Enabling Certificate Validation in iDRAC
Figure 6. Uploading the Directory Service CA Certificate in iDRAC
Figure 7. Uploading the Kerberos Keytab File in iDRAC
Figure 8. Schema Selection in iDRAC
Figure 9. Standard Schema and Role Group Settings
Figure 10. Test Settings Page in iDRAC
Figure 11. Test Active Directory Settings in iDRAC
Figure 12. DNS Settings in Management Station
Figure 13. Changing the Domain in the Management Station
Figure 14. Adding the Active Directory User to the Administrators Group
Figure 15. Adding the Domain in Internet Explorer
Figure 16. Adding the Domain in Firefox

Executive Summary

OpenManage Essentials supports launching the iDRAC console using single sign-on (SSO). When SSO is enabled, you can log in to iDRAC without providing the domain user authentication credentials, such as the username and password. When an SSO-integrated iDRAC device is discovered in OpenManage Essentials, you can launch the iDRAC console from OpenManage Essentials without providing the iDRAC login credentials.

Introduction

The goal of this white paper is to describe how to set up OpenManage Essentials and iDRAC for SSO integration. The white paper also describes how the iDRAC console can be launched from OpenManage Essentials using SSO.

Configuring iDRAC for Single Sign-On

Before configuring iDRAC for Active Directory SSO login, all prerequisites should be completed. This section provides the information required to configure iDRAC for SSO login.

Prerequisites for Active Directory Single Sign-On in iDRAC

The following are the prerequisites for Active Directory based SSO login:
1. Synchronize the iDRAC time with the Active Directory domain controller time.
2. Register iDRAC as a computer in the Active Directory root domain.
3. Generate a keytab file using the ktpass tool.
4. Configure the browser to enable SSO login.
5. Create the Active Directory objects and provide the required privileges.
6. In Active Directory, configure the forward lookup and reverse lookup zones for the iDRAC entries in DNS Manager.

Registering iDRAC as a Computer in the Active Directory Root Domain

To register iDRAC in the Active Directory root domain, perform the following steps as shown in Figure 1:
1. In the iDRAC console, click Overview -> iDRAC Settings -> Network/Security -> Network. The Network page is displayed.
2. Provide a valid Preferred/Alternate DNS Server IP address. The IP address must be a valid DNS server IP address that is part of the root domain.
3. Select Register DRAC on DNS.
4. Provide a valid DNS Domain Name.
5. Verify that the network DNS configuration matches the Active Directory DNS information.

Figure 1. iDRAC DNS Registration Settings

Configuring Standard Schema Active Directory

This section provides the information required to create the Active Directory objects for standard schema Active Directory Single Sign-On login. To configure iDRAC for Active Directory login access:
1. On the Active Directory server (domain controller), open the Active Directory Users and Computers snap-in.
2. Create a user group or select an existing group. Add the Active Directory user as a member of the Active Directory group to access iDRAC. Perform the following steps to create users and groups for standard schema as shown in Figure 2:
i. In Active Directory, under Organization Unit, select Validation.
ii. To create a new user, right-click the Organization Unit in the tree on the left side, and then select New > User.

iii. To create a new group, right-click the Organization Unit in the tree on the left side, and then select New > Group.
iv. Right-click the group and select Properties to add the user created in the previous step.
v. Right-click the newly created user, click Properties -> Account, and select Use Kerberos DES encryption types for this account as shown in Figure 3.
vi. Generate a Kerberos keytab file using the following command on the AD server. Edit the iDRAC DNS name, Kerberos username and password in the command as applicable.
For iDRAC monolithic:
ktpass -princ HOST/idracname.domainname.com@DOMAINNAME.COM -mapuser keytabuser -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab
For iDRAC modular:
ktpass -princ HTTP/idracname.domainname.com@DOMAINNAME.COM -mapuser DOMAINNAME\keytabuser -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab

Figure 2. Active Directory User and Group Creation for Standard Schema
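Before the keytab produced by the ktpass commands above is uploaded to iDRAC, a practitioner will want to confirm that it carries the service principal iDRAC expects (HOST/ for monolithic, HTTP/ for modular) and be aware that DES-CBC-MD5 is a deprecated Kerberos encryption type. The following Python is added here as an example and is not part of Dell's white paper or of iDRAC: it parses the MIT keytab layout that ktpass writes and reports both points; build_keytab and the names idrac1.example.com and EXAMPLE.COM are constructed test data.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4: deprecated (RFC 6649, RFC 8429)

def build_keytab(principal, enctype, key, kvno=1):
    # Constructed test data: a one-entry MIT v0x0502 keytab, the layout ktpass writes.
    cstr = lambda b: struct.pack(">H", len(b)) + b      # counted string: 16-bit length, bytes
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cstr(realm.encode())
    for c in comps:
        body += cstr(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: enctype, key length, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, enctype, kvno), ...] from a v0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0: pos -= size; continue              # negative size marks a deleted slot
        end = pos + size
        ncomp, pos, parts = struct.unpack_from(">H", data, pos)[0], pos + 2, []
        for _ in range(ncomp + 1):    # realm first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # past name type, timestamp, vno8 and keyblock
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], enctype, kvno))
        pos = end
    return entries

def check_idrac_keytab(data, idrac_fqdn, realm, modular=False):
    # iDRAC expects HOST/<fqdn> for monolithic and HTTP/<fqdn> for modular servers.
    expected = f"{'HTTP' if modular else 'HOST'}/{idrac_fqdn}@{realm}"
    findings = []
    for princ, enctype, _ in parse_keytab(data):
        if princ != expected:
            findings.append(f"unexpected principal {princ}, expected {expected}")
        if enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES.get(enctype, enctype)} for {princ}")
    return findings
```

Run check_idrac_keytab on the bytes of c:\krbkeytab with the iDRAC FQDN and realm used in the ktpass command; an empty list means the SPN matches and no deprecated enctype is present.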

Figure 3. Active Directory User Creation for SSO

3. Configure the group name, domain name and the role privileges of iDRAC using the iDRAC console.

Configuring iDRAC SSO Login for Active Directory Users Using the Web Interface

1. In the iDRAC console, select Microsoft Active Directory and then click Apply as shown in Figure 4.

Figure 4. Enabling Active Directory Service in iDRAC

2. In the Active Directory Configuration and Management page, click Configure Active Directory.
3. Under Certificate Settings, select Enable Certificate Validation as shown in Figure 5.

Figure 5. Enabling Certificate Validation in iDRAC

4. Under Upload Directory Service CA Certificate, click Browse, select the root CA certificate downloaded from the Active Directory, and upload it as shown in Figure 6. For information on creating the root CA certificate and uploading the certificate in the iDRAC web interface, see the iDRAC7 User's Guide.

Figure 6. Uploading the Directory Service CA Certificate in iDRAC

5. Under Upload Kerberos Keytab, click Browse, select and upload the keytab file generated earlier as shown in Figure 7, and click Next.

Figure 7. Uploading the Kerberos Keytab File in iDRAC

6. Under Common Settings, select Enable Active Directory and Single Sign-On and provide the User Domain Name. Select and specify either Look-Up Domain Controller with DNS or Domain Controller Address.
7. Select either Look Up Domain Controller With DNS or Specify Domain Controller Addresses, and provide the details as appropriate. Click Next.
8. Under Schema Selection, select Standard Schema as shown in Figure 8. Click Next.
9. Under Standard Schema Settings, select either Look Up Global Catalog Servers with DNS or Specify Global Catalog Server Addresses, and provide the details as appropriate.
10. Under Standard Schema Role Groups, select a role group, provide the Group Name, Domain Name, and Group Privilege as shown in Figure 9, and click Finish.

Figure 8. Schema Selection in iDRAC

Figure 9. Standard Schema and Role Group Settings

11. In the Active Directory Configuration and Management page, click the Test Settings button, provide the Test User Name and Test User Password, and then click Test as shown in Figure 10 and Figure 11. If iDRAC is configured correctly, all the test settings are successful.

Figure 10. Test Settings Page in iDRAC

Figure 11. Test Active Directory Settings in iDRAC

Configuring the Management Station for iDRAC SSO Login

This section provides information about the configuration that must be performed on the management station for SSO login.
1. On the management station, open the network connection properties, select either Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6), and click Properties. Select Use the following DNS server addresses, provide the Preferred DNS server IP address, and click OK as shown in Figure 12.

Figure 12. DNS Settings in Management Station

2. Change the membership of the system to the Active Directory domain. Right-click Computer -> Properties. In the Computer name, domain, and workgroup settings section, click Change settings. In the Computer Name/Domain Changes dialog box, provide the Active Directory domain name, and click OK as shown in Figure 13.

Figure 13. Changing the Domain in the Management Station

3. Add the Active Directory user to the Administrators group as shown in Figure 14.
i. Right-click Computer -> Manage -> Local Users and Groups -> Groups -> Administrators.
ii. Right-click Administrators -> Properties and add the Active Directory user.

Figure 14. Adding the Active Directory User to the Administrators Group

4. Log off the system and log in as the Active Directory user.
5. If you are using Internet Explorer, click Tools -> Internet Options -> Local Intranet -> Sites. Navigate to Automatically detect intranet network, and select Include all local (intranet) sites not listed in other zones, Include all sites that bypass the proxy server, and Include all network paths (UNCs). Click Advanced and add *.<domainname>.com as shown in Figure 15.

Figure 15. Adding the Domain in Internet Explorer

6. If you are using Firefox, in the address bar type about:config. In the Filter field, type negotiate and press <Enter>. In the results that are displayed, click network.negotiate-auth.delegation-uris, provide the domain name, and click OK as shown in Figure 16.

Figure 16. Adding the Domain in Firefox

7. Close and reopen Firefox and launch the iDRAC console using the iDRAC host name (for example, ...).
8. If the management station is running Windows 7, Windows Vista, or Windows Server 2008, modify the registry settings as follows for standard schema SSO login:
i. Click Start -> Run, type gpedit.msc, and click OK.
ii. Navigate to Local Computer Settings\Windows Settings\Security Settings\Local Policies\Security Options.
iii. Right-click Network Security: Configure encryption types allowed for Kerberos and click Properties.
iv. In the dialog box that is displayed, enable all the available encryption types and click OK.

Launching the SSO-Integrated iDRAC Console from the Management Station

To launch the SSO-integrated iDRAC console from OpenManage Essentials:
1. Make sure that the SSO-integrated iDRAC is discovered in the management station.
2. Navigate to Manage -> All Devices, right-click the SSO-integrated iDRAC device, and select Application Launch -> RAC Console.
3. The iDRAC console is displayed without prompting for the domain user credentials.

Conclusion

OpenManage Essentials version 1.2 allows you to launch the SSO-integrated iDRAC console. After the SSO-integrated iDRAC device is discovered, you can launch the iDRAC console without providing the domain user credentials.

References

1. iDRAC User's Guide at dell.com/support/manuals.