topic iLO2 no longer authenticating AD users in Server Management - Remote Server Management

iLO2 no longer authenticating AD users

ChristianWickham — Fri, 09 Apr 2010 03:15:17 GMT

We have upgraded to iLO firmware 1.81 recently, using firmware boot CD 7.9 in around 230 HP servers and blades.
Now we can no longer authenticate against AD and can only authenticate with either a local iLO user or the AD Display name of a user.
We used to be able to log in with;

DOMAIN\username
Username@domain.com
Username

And now it results in failure for each of these valid logins, and the only way we can authenticate is with;

Surname\, Firstname - Job role

which is the AD Name (not even the display name).
So, I know that LDAP authentication is working (because I can log in with the above name), but I cannot authenticate with any "usable" username.
We have an AD structure that organises accounts under location and type, so I have entered the following search contexts;

ou=Users,OU=Site1,OU=City1,OU=State1,OU=Country,DC=Domain,DC=com
ou=Users,OU=Site2,OU=City2,OU=State2,OU=Country,DC=Domain,DC=com
@domain.com
DOMAIN
CN=AdminGroup,OU=Groups,OU=Site1,OU=City1,OU=State1,OU=Country,DC=Domain,DC=com

And my account exists in four of these search contexts. I can authenticate OK, but not with a normal format to the same account - I get "User Object Cannot be Found" when I test the settings. I have checked capitalisation and spacing, and tried every combination I can think of, but the only one that works is the Name in AD (which is not the same as the Outlook/Exchange "Display Name").

I have tried this with IE6,7 and 8
AD is Windows 2003
This worked before...

Can anyone help?

Re: iLO2 no longer authenticating AD users

Chris Hasler — Fri, 09 Apr 2010 14:21:24 GMT

Christian,

First check your iLo2 networking configuration and ensure that they have at least one DNS server listed.

Login to iLO2, Administration tab, Network link, DHCP/DNS tab, Primary DNS Server.

CHris H.

Re: iLO2 no longer authenticating AD users

ChristianWickham — Fri, 09 Apr 2010 21:30:32 GMT

Yes, there are three fully functioning DNS servers configured in each of the iLO systems that we have been testing with (tried 4 iLO systems in 2 sites).
I have tested that other LDAP enabled systems work (we also have OA for Blades configured the same way, and it works perfectly), I have also verified that I get a certificate when I hit https://domain:636

As I said before, it works fine every time if I use the LDAP CN name, even if the account is buried deep in an OU structure, so the search contexts are correct and the access to the DC is correct - iLO is just not accepting login in the format we want to use of
DOMAIN\username
Username@domain.com
Username
We can't use the CN name of a user because of the way they are named - too easy to make a mistake.

I see from other postings that people have a similar problem, but no answers - is this a bug that has been accepted by HP as needing to be fixed?

Re: iLO2 no longer authenticating AD users

ChristianWickham — Tue, 18 May 2010 06:49:56 GMT

The change is in Internet Options, under the Internet zone, within “ActiveX Controls and Plug-ins” - if your iLOs are in the same subnet as you, then this change should be in Intranet zone

Parameter “Initialize and script ActiveX controls not marked as safe for scripting”
Change from “Disable”
Change to “Prompt”