topic Re: HPE ILO 5 Zero Sign In Failed in ProLiant Servers (ML,DL,SL)

HPE ILO 5 Zero Sign In Failed

vmuniverse1 — Tue, 04 Feb 2020 15:54:08 GMT

Hello, it's driving me nuts, but I can't get Zero Sign In to work on ILO. I have a HPE ProLiant G10. ILO version 2.10 I have followed the user guide for Kerberos Authentication. Under Security --> Directory I enabled Kerberos and fill in the appropiate settings Kerberos realm: MYDOMAIN.LAN (all Capitals) Kerberos KDC address, KDC port: all correct settings I've created a Kerberos keytab and it is successfully uploaded. The following command: Ktpass +rndPass -ptype KRB5_NT_SRV_HST -princ HTTP/iloserver.domain.lan@DOMAIN.LAN -mapuser iloserver$@domain.lan -out c:\temp\myilo.keytab -crypto AES256-SHA1 It creates a keytab file and asks if I want to get a new password: Y I've added the -crypto because the Encryption settings in ILO has been set to "High Security" I've created a SSL certificate from my own CA and replaced the self-signed ceriticate. When I test my settings under Security --> Directory it says that all is a Success LOM Object exists = Not Run. All others are Success! I'ver followed the user guide lines for browser settings. Every time I try to login with "Zero Sign In" it give me a credential popup windows. Connecting to iloserver.domain.lan Blank Username and Password field. Domain: MYDOMAIN What am I missing?

Re: HPE ILO 5 Zero Sign In Failed

vmuniverse1 — Wed, 05 Feb 2020 11:24:45 GMT

I have tried the "Directorioes Support for ProLiant Management Processors"tool.

This is the latest version that support WIndows 2019.

I followed the steps for Kerberos authentication. Everything looks good, no error messages within the tool.

At the end it configures and I see the configurations I've entered here back in the in ILO 5 webinterface of the server.

But as soon as I hit the Zero Sign In button, it gives me the popup message for credentials.

Re: HPE ILO 5 Zero Sign In Failed

KM26 — Wed, 05 Feb 2020 15:49:38 GMT

Hi vmuniverse1 ,

Please confirm if the iLO advanced license has been purchased for this server.

Please check page 396 of the following guide and see if single sign on is enabled on the browser.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00064988en_us

Re: HPE ILO 5 Zero Sign In Failed

vmuniverse1 — Thu, 06 Feb 2020 07:34:02 GMT

Hello, yes ILO Advanced is installed (status OK)

I have also followed the settings for SSO for my browser. All the settings are as they should be.

I can login with myname@somedomain.lan, but as soons as I hit the Zero Sign In, it gives me this popup message.

Re: HPE ILO 5 Zero Sign In Failed

SandurMavericK — Sat, 09 May 2020 16:11:46 GMT

Try doing these things.

1. log out of the SUT..

2. Clear the DNS Cache at the Server & restart the DNS

3. Now at the SUT use Alt+ Crtl+ Delete & login..

Using Alt+Crtl+ Delete, it will basically create a new Ticket & it will fix the issue..

Make Sure at the iLO , below things must be set correctly.

Refere the link : https://www.youtube.com/watch?v=rGnm2Kc10J0

Please do check all Time of all Client , Server & ILO must be in sync.. i had this issue if any 1 is not in sync

Re: HPE ILO 5 Zero Sign In Failed

SandurMavericK — Fri, 12 Jun 2020 14:29:37 GMT

1. Setup Domain Controller DNS & AD

Create Both Forward Lookup Zone & Reverse Lookup Zone for the Subnets Used for iLO

2. Install the LDAP Role

3. Install the CA ( Root CA or Enterprise CA) - Import the CA Certificate to the windows Client Machine & Install the same.

Path : Open Certificate Authorithy --> Right Click --> your CA --> Properties--> View Certificate & Export

4. Set Group Policy at Domain Conntroller at Default Domain Policy

PATH : Policies -->Windows Settings-->Security Settings---> Local Policies-->

Uncheck All except "AES128_HMAC_SHA1" & AES256_HMAC_SHA1", Future Encryption Types at

"Network Security: Configure Encryption types allowed for Kerberos" ( Security Policy)

5. Now Follow these steps as per the below link :

https://www.youtube.com/watch?v=rGnm2Kc10J0

For High Security, FIPS & CSNA Generate with Supported Crypto
Ktpass +rndPass -ptype KRB5_NT_SRV_HST -princHTTP/myilo.somedomain.net@SOMEDOMAIN.NET -mapuser myilo$@somedomain.net-out myilo.keytab -crypto AES256-SHA1

Note : Date & Time Sync must be same for Domain Conrtoller + iLO + Client Machine.

Note : iLO must resolve with Hostname

Please configure the Browser as below
1. Enable authentication in Internet Explorer.
a. Select Tools > Internet options.
b. Click the Advanced tab.
c. Scroll to the Security section.
d. Verify that the Enable Integrated Windows Authentication option is selected.
e. Click OK.

2. Add the iLO domain to the Intranet zone.
a. Select Tools > Internet options.
b. Click the Security tab.
c. Click the Local intranet icon.
d. Click the Sites button.
e. Click the Advanced button.
f. Enter the site to add in the Add this website to the zone box
g. On a corporate network, *.example.net is sufficient.
h. Click Add.
i. Click Close.
j. To close the Local intranet dialog box, click OK.
k. To close the Internet Options dialog box, click OK.

3. Enable the Automatic login only in Intranet zone setting.
a. Select Tools > Internet options.
b. Click the Security tab.
c. Click the Local intranet icon.
d. Click Custom level.
e. Scroll to the User Authentication section.
f. Verify that the Automatic logon only in Intranet zone option is selected.
g. To close the Security Settings — Local Intranet Zone window, click OK.
h. To close the Internet Options dialog box, click OK.

4. If any options were changed in steps 1–3, close and restart Internet Explorer

Re: HPE ILO 5 Zero Sign In Failed

SandurMavericK — Wed, 22 Jun 2022 10:55:01 GMT

I Know its Baffling feeling when it doesnt work..

Set Group Policy at Domain Controller at Default Domain Policy

PATH : Policies -->Windows Settings-->Security Settings---> Local Policies-->

Uncheck All except "AES128_HMAC_SHA1" & AES256_HMAC_SHA1", Future Encryption Types at

"Network Security: Configure Encryption types allowed for Kerberos" ( Security Policy)

Please make sure Date & time sync for iLO , Domain Controller & windows Client Machine must be Same

Re: HPE ILO 5 Zero Sign In Failed

Adaptive — Sat, 05 Sep 2020 05:37:49 GMT

Maybe you have been "hit" by the firmware related issue fixed in 2.18 :

Zero Sign In login fails when Kerberos authentication is configured for a large number of groups.

best rgds

Brian