topic Re: iLO2 no longer authenticates AD users through username in Server Management - Remote Server Management

iLO2 no longer authenticates AD users through username

ChristianWickham — Fri, 09 Apr 2010 03:17:15 GMT

We have upgraded to iLO firmware 1.81 recently, using firmware boot CD 7.9 in around 230 HP servers and blades.
Now we can no longer authenticate against AD and can only authenticate with either a local iLO user or the AD Name of a user.
We used to be able to log in with;

DOMAIN\username
Username@domain.com
Username

And now it results in failure for each of these valid logins, and the only way we can authenticate is with;

Surname\, Firstname - Job role

which is the AD Name (not even the display name).
So, I know that LDAP authentication is working (because I can log in with the above name), but I cannot authenticate with any "usable" username.
We have an AD structure that organises accounts under location and type, so I have entered the following search contexts;

ou=Users,OU=Site1,OU=City1,OU=State1,OU=Country,DC=Domain,DC=com
ou=Users,OU=Site2,OU=City2,OU=State2,OU=Country,DC=Domain,DC=com
@domain.com
DOMAIN
CN=AdminGroup,OU=Groups,OU=Site1,OU=City1,OU=State1,OU=Country,DC=Domain,DC=com

And my account exists in four of these search contexts. I can authenticate OK, but not with a normal format to the same account - I get "User Object Cannot be Found" when I test the settings. I have checked capitalisation and spacing, and tried every combination I can think of, but the only one that works is the Name in AD (which is not the same as the Outlook/Exchange "Display Name").

I have tried this with IE6,7 and 8
AD is Windows 2003
This worked before...

Can anyone help?

Re: iLO2 no longer authenticates AD users through username

Rajeshwari, Hiresave — Tue, 13 Apr 2010 05:32:35 GMT

There is a requirement that has to be fulfilled. Can you please verify the following in your setup.

For schemaless Directory configuration, please ensure that the following settings are modified as required so that user can logon with Email format and Netbios formats successfully:
1. DIR_SERVER_ADDRESS value need to be set todirectory server DNS Name or FQDN(Full qualified Domain Name)
2. Please check and update the following iLO Network Settings.
2a. The domain name of iLO should match the domain of the directory server.
2b. One of the primary, secondary or teritiary DNS server must have the same IP address as the Directory server.

Re: iLO2 no longer authenticates AD users through username

ChristianWickham — Tue, 13 Apr 2010 06:30:40 GMT

Thanks for your help. I have checked, and all is exactly as you specified.

Our AD domain is "COMPANYNAME"
The DNS namespace is "companyname.com.au"
The LDAP server specified in "Directory Server Address" is DCSERVER3.companyname.com.au - this matches the capitalisation of the DC/GC server's SSL certificate. We have also tried dcserver2.companyname.com.au and this matches the capitalisation of that DC/GC.
The DNS suffix for the iLO in network is set to match our DNS namespace.
The DNS server specified in the iLO configuration is the IP for DCSERVER3, and the secondary DNS server is the IP for dcserver2.

Thanks, anything else we can try?

Re: iLO2 no longer authenticates AD users through username

ChristianWickham — Mon, 03 May 2010 05:05:25 GMT

I have updated to iLO 1.82 and this still does not work.

I used to be able to log in as;
DOMAIN\username
Username@domain.com
username

but now I can only log in as

Surname\, Firstname - Job role

with iLO 1.82, I get more LDAP search contexts, but this has not helped. I have however managed to trust SSO with HP SIM and so now I can access iLO through a link in HP Systems Insight Manager for each server - and it states in the top right hand corner that my username is DOMAIN\Username and authenticated with LDAP - but why can I not log in through the web interface directly?

Re: iLO2 no longer authenticates AD users through username

JimHanson — Wed, 12 May 2010 17:56:10 GMT

Look at the bottom of this thread for the Active-X information. It worked for me.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1005787

Re: iLO2 no longer authenticates AD users through username

ChristianWickham — Mon, 17 May 2010 04:11:04 GMT

OK, tried that (enabling ActiveX) and this did not help. I am using IE8 - does that make much difference?

Re: iLO2 no longer authenticates AD users through username

ChristianWickham — Tue, 18 May 2010 06:30:32 GMT

I was wrong, it did work!

I made the change in Local Intranet zone, but all my iLOs are on a different subnet to me.
So, I changed my Internet Zone configuration to prompt to initialise and run ActiveX controls, and it all started working again!

Thanks for your help.

Re: iLO2 no longer authenticates AD users through username

ChristianWickham — Tue, 18 May 2010 06:48:48 GMT

The change is in Internet Options, under the Internet zone, within “ActiveX Controls and Plug-ins” area

Parameter “Initialize and script ActiveX controls not marked as safe for scripting”
Change from “Disable”
Change to “Prompt”