topic Re: iLO Client side cert (2-factor) auth failing in Server Management - Remote Server Management

iLO Client side cert (2-factor) auth failing

Steve Forrester_1 — Wed, 20 Sep 2006 11:59:52 GMT

Connecting to iLO (V1.82 firmware) using 2-factor authentication fails on 2nd and subsequent attempts. Strangely enough it works on the 1st attempt. Has anyone else observed this curious behaviour?

I've repeated this several times by switching in and out of 2-factor auth. Following the re-boot- that occurs after re-enabling 2-factor auth I can get in on 1st attempt but not again. This suggests that there is nothing particularly wrong with the certificate side of this. Any known bugs?

Thanks.

Re: iLO Client side cert (2-factor) auth failing

ramesh_naik_ — Thu, 21 Sep 2006 05:52:29 GMT

Hi Steve,

You might have enabled the 2-factor on this iLO.
If so, you may have problems with your certificate or your client does not have a cert that iLO is looking for. Find out that your client have the correct cert in your smartcard device.

If your client cert is good, than you will need to disable 2-factor and recheck your 2-Factor certificates in iLO.

To disable 2-factor, press F8 at boot to get into the iLO RBSU setup, or run hponcfg with the Mod_2Factor.xml script from the OS(Windows or Linux).

Sample script is at http://h18000.www1.hp.com/support/files/Server/us/download/23218.html

hponcfg is at
http://h18007.www1.hp.com/support/files/server/us/download/23045.html

Hope this works!!!!!

Regards,
rmn

Re: iLO Client side cert (2-factor) auth failing

Steve Forrester_1 — Thu, 21 Sep 2006 06:49:40 GMT

Ramesh,

Thanks for responding to this one but I can't see a problem with any of the certificates, as the first 2-factor authentication ALWAYS works. Furthermore I've now tried with three different CAs and each gives the same problem. I've also tried with two different servers (both DL380s with iLO V1.82), again with the same results.

Given the consistency of the problem, this has to be a configuration issue of some sort but I can't see what this can possibly be. Any idea what certificate attributes are checked as part of the SSL handshake (e.g. is the CN checked against the username)?

Cheers,

Steve.

Re: iLO Client side cert (2-factor) auth failing

acartes — Thu, 21 Sep 2006 11:25:33 GMT

No silver bullets here, but...

First, try the latest iLO firmware. There is a bug fix related to certificate expiration. While that is probably not related to this issue, it is a 2-factor change.

Also, the 2-factor support for iLO user accounts tests that:
1: the client certificate (stored in the token) was stored by the imported root CA,
and
2: The client certificate thumbprint matches the one stored for the user account.

Re: iLO Client side cert (2-factor) auth failing

barnett chan — Thu, 21 Sep 2006 15:06:32 GMT

I had seen this. After you enabled 2 Factor, iLO will reset. You do not have to reboot the server. If you do reboot the server, wait for the OS to comeup and your 2 factor login should work.

Re: iLO Client side cert (2-factor) auth failing

Steve Forrester_1 — Fri, 22 Sep 2006 09:24:57 GMT

Folks, I seem to have stumbled on the solution. If I point my browser to http:/// rather than https:///, the server forces a re-direct to https:/// and I can get in. This is highly consistent in that if I go to https: it fails everytime and http: re-directs with success! I guess that when the initial 2-factor authentication is enabled, the automatic re-start performs the same correct re-direct as using http: does.

I have to conclude form this that there's a small bug in the iLO server web front-end. Hopefully HP will fix this at some point but in the meantime I have a working solution. Thanks to all that replied.

Steve.