Kerberos -Based Active Directory Authentication to Support Smart Card and Single Sign-On Login to DRAC5



Similar documents
Configuring Single Sign-On for Application Launch in OpenManage Essentials

DELL Remote Access Configuration Tool

ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software

Configuring IBM Cognos Controller 8 to use Single Sign- On

Integrating idrac7 With Microsoft Active Directory

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Configuring idrac6 for Directory Services

Integrating idrac 7 with Microsoft Active Directory

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

Role-Based Security and its Implementation

Deploying Dell OpenManage Server Administrator on VMware ESXi Using Dell Online Depot and VMware Update Manager

DIGIPASS CertiID. Getting Started 3.1.0

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

Foglight Experience Monitor and Foglight Experience Viewer

Agent-free Monitoring of Dell PowerEdge 12G Servers in Nagios Core and Nagios XI

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Entrust Managed Services PKI

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Guide to SASL, GSSAPI & Kerberos v.6.0

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

Remote Installation of VMware ESX Server Software Using Dell Remote Access Controller

Check Point FDE integration with Digipass Key devices

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

Dell Compellent Storage Center

Single Sign-On for Kerberized Linux and UNIX Applications

Integration Guide. Microsoft Active Directory Rights Management Services (AD RMS) Microsoft Windows Server 2008

How to Setup and Configure ESXi 5.0 and ESXi 5.1 for OpenManage Essentials

Kerberos authentication between multiple domains may fail on LiveCycle Rights Management ES 8.2.1

Kerberos and Windows SSO Guide Jahia EE v6.1

Kerberos Constrained Delegation. Kerberos Constrained Delegation. Feature Description

User Source and Authentication Reference

Patching the Windows 2000 Server Operating System on S8100 Media Servers, IP600 Communications Servers, & DEFNITY ONE Communications Systems

How-to: Single Sign-On

Managing Web Server Certificates on idrac

Security Provider Integration Kerberos Authentication

Configuring Avaya Aura Communication Manager and Avaya Call Management System Release 16.3 with Avaya Contact Center Control Manager Issue 1.

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

Aspera Connect Linux 32/64-bit. Document Version: 1

Integrating OID with Active Directory and WNA

Smart Policy - Web Collector. Version 1.1

BlackShield ID Agent for Remote Web Workplace

Enhancements to idrac7 Alert Notification

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Kerberos: Single Sign On for BS2000

Universal Management Service 2015

Perforce Helix Threat Detection OVA Deployment Guide

Single Sign-on (SSO) technologies for the Domino Web Server

Protecting Juniper SA using Certificate-Based Authentication. Quick Start Guide

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Dell idrac7 with Lifecycle Controller

Configuration Guide. SafeNet Authentication Service AD FS Agent

Secure File Transfer Protocol Updated Procedures. June 20, 2011

KERBEROS ENVIRONMENT SETUP FOR EMC DOCUMENTUM CENTERSTAGE

IceWarp Server - SSO (Single Sign-On)

CA Performance Center

Clientless SSL VPN Users

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Content Filtering Client Policy & Reporting Administrator s Guide

Configuring Single Sign-on for SAP HANA

CA Nimsoft Service Desk

Contents. Introduction. Prerequisites. Requirements. Components Used

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

Identity as a Service Powered by NetIQ IdentityAccess Service Configuration and Administration Guide

Two-Factor Authentication

Security Provider Integration Kerberos Server

Active Directory 2008 Implementation Guide Version 6.3

Single Sign-On Using SPNEGO

Entrust Managed Services PKI Administrator Guide

HP Device Manager 4.6

Citrix Access Gateway Plug-in for Windows User Guide

IIS, FTP Server and Windows

Installing and Configuring DB2 10, WebSphere Application Server v8 & Maximo Asset Management

Smart Card Two Factor Authentication

IBM Connections Plug-In for Microsoft Outlook Installation Help

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

HOTPin Integration Guide: DirectAccess

Defender Token Deployment System Quick Start Guide

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Strong Authentication for Microsoft SharePoint

Pulse Policy Secure. UAC Solution Guide for SRX Series Services Gateways. Product Release 5.1. Document Revision 1.0 Published:

IBM Aspera Add-in for Microsoft Outlook 1.3.2

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Integrated Dell Remote Access Controller 6 (idrac6) Version User s Guide

Dell Remote Access Controller 5 Firmware Version 1.60 User s Guide

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

Preface. Microsoft Office Sharepoint Server 2007 Integration Guide SafeNet, Inc. All rights reserved. Part Number: (Rev A, 06/2009)

Application Note. ShoreTel 9: Active Directory Integration. Integration checklist. AN June 2009

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Montefiore Portal Quick Reference Guide

Using Internet or Windows Explorer to Upload Your Site

Intel Active Management Technology with System Defense Feature Quick Start Guide

Transcription:

Kerberos -Based Active Directory Authentication to Support Smart Card and Single Sign-On Login to DRAC5 A Dell Technical White Paper Dell OpenManage Systems Management By Austin Cherian Dell Product Group April 2009

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. 2009 Dell Inc. All rights reserved. Reproduction in any manner whatsoever without the express written permission of Dell, Inc. is strictly forbidden. For more information, contact Dell. Dell, the DELL logo, and OpenManage are trademarks of Dell Inc. Active Directory, Microsoft, Windows, ActiveX, and Visual C++ are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Kerberos is a trademark of the Massachusetts Institute of Technology (MIT). Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own. 2

TABLE OF CONTENTS INTRODUCTION... 4 DRAC 5 KERBEROS CONFIGURATION... 5 CONFIGURING DRAC 5 ACTIVE DIRECTORY USERS FOR SINGLE SIGN-ON LOGON... 6 LOGGING INTO THE DRAC 5 USING SINGLE SIGN-ON... 7 CONFIGURING AD USERS FOR SMART CARD LOGON... 8 LOGGING INTO DRAC 5 USING A SMART CARD... 9 ADVANCED ENTERPRISE CLASS SECURITY STANDARDS... 9 3

Introduction Given the industry trend of using directory services for central management of user access to enterprise resources, Dell Remote Access Controller (DRAC) 5 supports Microsoft Active Directory (AD) user name and password credentials to enable a DRAC session. To enable stronger authentication standards, DRAC 5 now supports Kerberos-based AD authentication to support AD smart card and single sign-on logins. Kerberos is a network authentication protocol that allows systems to communicate securely over a non-secure network by allowing the systems to prove their authenticity. Starting with DRAC 5 version 1.40, DRAC 5 supports two types of Kerberos authentication mechanisms: AD single sign-on AD smart card login. To enable single-sign-on, DRAC 5 uses the Kerberos-specific credentials cached in the operating system after the user has logged in using a valid AD account. To enable smart card login, DRAC 5 uses smart card-based two factor authentication (TFA) as credentials to enable an AD login. This is a follow-on feature to the local smart card authentication released in DRAC 5 version 1.33. 4

DRAC 5 Kerberos Configuration To support the two new authentication mechanisms, DRAC 5 can be configured as a Kerberosbased service on a Windows Kerberos network. The DRAC 5 Kerberos configuration uses the same steps as configuring a non-windows Kerberos service as a security principal in the server AD. The Microsoft tool ktpass, supplied as part of the server installation CD, is used to create Service Principal Name (SPN) bindings to a user account and to export the trust information into a Kerberos "keytab" file. This file enables a trust relationship between an external user or system and the Key Distribution Centre (KDC). The keytab file contains a cryptographic key that is used to encrypt the information between the server and the KDC. The ktpass tool allows the UNIXbased services that support Kerberos authentication to use the interoperability features provided by a Windows server Kerberos KDC service. The keytab file obtained from the ktpass utility is sent to DRAC 5 as a file upload, and enables DRAC 5 to be configured as a Kerberos service on the network. The following steps outline how to create a keytab file and upload it to DRAC 5. 1. Create a user account in AD that will be used to map a DRAC 5 to an AD service principal. For the user name, either use a name that is convenient or use the registered DNS domain name of the DRAC 5. For example, if the DRAC 5 to be configured has a DNS entry of drac1950.domain.com, create a new user in AD called drac1950. 2. On the user account properties, enable the following settings: Do not require Kerberos pre-authentication Use DES encryption types for this account 3. Use the ktpass command to create the Kerberos keytab file (krbkeytab). For example, use the following ktpass command to create the Kerberos keytab file: C:\>ktpass -princ HOST/dracdnsname.domainname.com@DOMAINNAME.COM - mapuser <username> crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL - pass * -out c:\krbkeytab <username> is the user name of the user account created in step 1. The encryption type that DRAC 5 uses for Kerberos authentication is DES-CBC-MD5. The principal type is KRB5_NT_PRINCIPAL. The ktpass command will result in the mapping of the DRAC SPN, HOST/dracdnsname.domainname.com, to the user account created in step 1, and will also generate the keytab file that contains the encryption key. 4. Upload the keytab to DRAC 5 using the GUI or RACADM commands. To upload using the GUI, use the following steps: a. Login to DRAC 5. 5

b. Navigate to the Kerberos Keytab upload page: Remote Access-> Configuration -> Active Directory -> Kerberos Keytab Upload c. Click the Browse button and browse to the location of the Keytab file to select it, or type the path of the Keytab file directly into the text box. d. Click Upload. Figure 1: Kerberos Keytab Upload Windows To upload the file using a RACADM commands, enter the following command: racadm krbkeytabupload f <filename> Where <filename> is the name of the Keytab file. This RACADM command is supported by both local and remote RACADM. Configuring DRAC 5 Active Directory Users for Single Sign-On Logon Before configuring the AD single sign-on feature, ensure that you have configured the DRAC 5 for AD logins. The domain user account you will use to login into the system must be enabled for DRAC 5 AD login as well. Make sure to enable the AD logon setting; see "Using the DRAC 5 With Microsoft Active Directory" in the DRAC 5 User s Guide for more information on how to set up AD users. You must also enable the DRAC 5 as a Kerberos service by uploading a valid keytab file, obtained after running the ktpass command, to the DRAC 5 as described in the previous section of this document. Use the following steps to enable AD single sign-on using the DRAC 5 GUI: 6

1. Login to DRAC 5. 2. Navigate to the Active Directory Configuration and Management page: Remote Access - > Configuration -> Active Directory -> Configure Active Directory 3. On the Active Directory Configuration page, select the Enable Single Sign-On option. Single sign-on logins are now enabled. Figure 2: Active Directory Configuration and Management Window. To enable single sign-on logins using the command line, enter the following command: racadm g cfgactivedirectory o cfgadssoenable 1 Logging Into the DRAC 5 Using Single Sign-On Client single sign-on authentication involves downloading a plug-in from the DRAC web login page and installing it on the client. To ensure proper installation of the plug-in, you must have the latest Visual C++ 2005 runtime components. For more information, see the Microsoft Web site. This feature is currently supported on 32-bit Windows operating systems. Use the following steps to log into DRAC 5 using single-sign on: 1. Login to your system using a valid AD account. 2. Enter the Web address of the DRAC 5 in the address bar of your browser. Depending on browser settings, you may be prompted to download and install the Single Sign-On ActiveX plug-in when using this feature for the first time. You are logged into DRAC 5 with the appropriate privileges if: a. You are an AD user. b. You are configured in DRAC 5 for AD login. c. DRAC 5 is enabled for Kerberos AD authentication. 7

Configuring AD Users for Smart Card Logon AD smart card login to DRAC 5 is a follow-on feature to the supported local smart card login. For more information on the local smart card feature, see Configuring Smart Card Authentication in the DRAC 5 User s Guide. Before using the AD smart card login feature, make sure that you have configured the DRAC 5 for AD login and that the user account issued the smart card has been enabled for DRAC 5 AD login. Also ensure that you have enabled the AD login setting. See "Using the DRAC 5 With Microsoft Active Directory" in the DRAC 5 User s Guide for more information on how to set up AD users. You must also configure DRAC 5 as a Kerberos service by uploading a valid keytab file, obtained after running the ktpass command, to DRAC 5 as described in the section DRAC 5 Kerberos Configuration in this document. Use the following steps to enable smart card login using the DRAC 5 GUI: 1. Login into the DRAC GUI. 2. Expand the System tree and click Remote Access. 3. Click the Configuration tab and then click Smart Card. 4. Configure the smart card logon settings. Figure 3: Configure Smart Card Window If the Configure Smart Card Logon attribute is set to Enable or to Enable with Remote Racadm, the DRAC 5 GUI login will prompt the user to insert the smart card and enter in the smart card PIN. The Enable option disables CLI out-of-band interfaces that support only single-factor authentication such as Telnet, Secure Shell (SSH), serial consoles, remote RACADM, and Intelligent Platform Management Interface (IPMI) Over LAN. The Enable with 8

Remote Racadm option disables the same set of interfaces, but leaves remote RACADM enabled. 5. Click Apply Changes. Logging Into DRAC 5 Using a Smart Card Verify that the smart card is supported by the Microsoft Windows operating system. Windows supports a limited number of smart card cryptographic service providers (CSPs) out of the box; unsupported smart cards require administrators to install the appropriate CSPs provided by the smart card vendor. The AD smart card client authentication involves downloading a plug-in from the browser and installing it on the client. For proper installation of the plug-in, ensure that you have the latest Microsoft Visual C++ 2005 runtime components. For more information, see the Microsoft Web site. This feature is only supported on 32-bit Windows operating systems. Use the following steps to log into DRAC 5 using a smart card: 1. Access the DRAC 5 Web page..the DRAC 5 login page appears prompting you to insert the smart card. You may be prompted to download and install the Smart Card ActiveX plug-in when using this feature for the first time. 2. Insert the smart card into the reader and enter the smart card PIN. 3. Click Login. You are logged into DRAC 5 with appropriate privileges if: a. You are a Microsoft AD user b. You are configured in DRAC 5 for AD login c. DRAC 5 is enabled for Kerberos AD authentication Advanced Enterprise class security standards The security features outlined in this paper provide the flexibility to deploy DRAC 5 into an existing enterprise s security architecture in a seamless fashion. It provides existing users with the option of authenticating with the remote access solution in a similar manner as they would authenticate with any other access restricted enterprise resources using advanced authentication standards, such as two-factor authentication and single sign on. DRAC 5 is now more in line with industry standard authentication solutions with the introduction of these features. 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information