ProLiant Servers (ML,DL,SL)
cancel
Showing results for 
Search instead for 
Did you mean: 

HPE ILO 5 Zero Sign In Failed

 
vmuniverse1
Frequent Visitor

HPE ILO 5 Zero Sign In Failed

Hello, it's driving me nuts, but I can't get Zero Sign In to work on ILO. I have a HPE ProLiant G10. ILO version 2.10 I have followed the user guide for Kerberos Authentication. Under Security --> Directory I enabled Kerberos and fill in the appropiate settings Kerberos realm: MYDOMAIN.LAN (all Capitals) Kerberos KDC address, KDC port: all correct settings I've created a Kerberos keytab and it is successfully uploaded. The following command: Ktpass +rndPass -ptype KRB5_NT_SRV_HST -princ HTTP/iloserver.domain.lan@DOMAIN.LAN -mapuser iloserver$@domain.lan -out c:\temp\myilo.keytab -crypto AES256-SHA1 It creates a keytab file and asks if I want to get a new password: Y I've added the -crypto because the Encryption settings in ILO has been set to "High Security" I've created a SSL certificate from my own CA and replaced the self-signed ceriticate. When I test my settings under Security --> Directory it says that all is a Success LOM Object exists = Not Run. All others are Success! I'ver followed the user guide lines for browser settings. Every time I try to login with "Zero Sign In" it give me a credential popup windows. Connecting to iloserver.domain.lan Blank Username and Password field. Domain: MYDOMAIN What am I missing?
7 REPLIES 7
vmuniverse1
Frequent Visitor

Re: HPE ILO 5 Zero Sign In Failed

I have tried the "Directorioes Support for ProLiant Management Processors"tool.

This is the latest version that support WIndows 2019.

I followed the steps for Kerberos authentication. Everything looks good, no error messages within the tool.

At the end it configures and I see the configurations I've entered here back in the in ILO 5 webinterface of the server.

But as soon as I hit the Zero Sign In button, it gives me the popup message for credentials.

KM26
HPE Pro

Re: HPE ILO 5 Zero Sign In Failed

Hi  vmuniverse1 ,

Please confirm if the iLO advanced license has been purchased for this server. 

Please check page 396 of the following guide and see if single sign on is enabled on the browser.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00064988en_us

Thank You!
I am an HPE Employee

Accept or Kudo

vmuniverse1
Frequent Visitor

Re: HPE ILO 5 Zero Sign In Failed

Hello, yes ILO Advanced is installed (status OK)

I have also followed the settings for SSO for my browser. All the settings are as they should be.

I can login with myname@somedomain.lan, but as soons as I hit the Zero Sign In, it gives me this popup message.

SandurMavericK
HPE Pro

Re: HPE ILO 5 Zero Sign In Failed

Try doing these things.

1. log out of the SUT..

2. Clear the DNS  Cache at the Server & restart the DNS

3.  Now  at the SUT  use Alt+ Crtl+ Delete & login..

Using Alt+Crtl+ Delete, it will basically create a new Ticket & it will fix the issue.. 

Make Sure at the iLO , below things must be set correctly.

Refere  the link : https://www.youtube.com/watch?v=rGnm2Kc10J0 

 

Please do check all  Time of all Client , Server & ILO must be in sync.. i had this issue if any 1 is not in sync


I work for HPE

Accept or Kudo

SandurMavericK
HPE Pro

Re: HPE ILO 5 Zero Sign In Failed

1. Setup Domain Controller DNS & AD

Create Both Forward Lookup Zone & Reverse Lookup  Zone for the Subnets Used for iLO

2. Install the LDAP Role

3. Install the CA ( Root CA or Enterprise CA) - Import the CA Certificate to the windows Client Machine & Install the same.

Path : Open Certificate Authorithy --> Right Click --> your CA --> Properties--> View Certificate & Export

4. Set Group Policy at Domain Conntroller at Default Domain Policy

PATH : Policies -->Windows Settings-->Security Settings---> Local Policies-->

Uncheck All except "AES128_HMAC_SHA1" & AES256_HMAC_SHA1", Future Encryption Types at 

"Network Security: Configure Encryption types allowed for Kerberos" ( Security Policy)

5. Now Follow these steps as per the below link :

https://www.youtube.com/watch?v=rGnm2Kc10J0 

For High Security, FIPS & CSNA Generate with Supported Crypto
Ktpass +rndPass -ptype KRB5_NT_SRV_HST -princHTTP/myilo.somedomain.net@SOMEDOMAIN.NET -mapuser myilo$@somedomain.net-out myilo.keytab -crypto AES256-SHA1

Note : Date & Time Sync must be same for Domain Conrtoller + iLO + Client Machine.

Note : iLO must resolve with Hostname

Please configure the Browser as below
1. Enable authentication in Internet Explorer.
a. Select Tools > Internet options.
b. Click the Advanced tab.
c. Scroll to the Security section.
d. Verify that the Enable Integrated Windows Authentication option is selected.
e. Click OK.

2. Add the iLO domain to the Intranet zone.
a. Select Tools > Internet options.
b. Click the Security tab.
c. Click the Local intranet icon.
d. Click the Sites button.
e. Click the Advanced button.
f. Enter the site to add in the Add this website to the zone box
g. On a corporate network, *.example.net is sufficient.
h. Click Add.
i. Click Close.
j. To close the Local intranet dialog box, click OK.
k. To close the Internet Options dialog box, click OK.

3. Enable the Automatic login only in Intranet zone setting.
a. Select Tools > Internet options.
b. Click the Security tab.
c. Click the Local intranet icon.
d. Click Custom level.
e. Scroll to the User Authentication section.
f. Verify that the Automatic logon only in Intranet zone option is selected.
g. To close the Security Settings — Local Intranet Zone window, click OK.
h. To close the Internet Options dialog box, click OK.

4. If any options were changed in steps 1–3, close and restart Internet Explorer


I work for HPE

Accept or Kudo

SandurMavericK
HPE Pro

Re: HPE ILO 5 Zero Sign In Failed

I Know its  Crazy feeling when it doesnt work..

 Set Group Policy at Domain Controller at Default Domain Policy

PATH : Policies -->Windows Settings-->Security Settings---> Local Policies-->

Uncheck All except "AES128_HMAC_SHA1" & AES256_HMAC_SHA1", Future Encryption Types at

"Network Security: Configure Encryption types allowed for Kerberos" ( Security Policy)

Please make sure Date & time sync for iLO , Domain Controller & windows Client Machine must be Same


I work for HPE

Accept or Kudo

Adaptive
New Member

Re: HPE ILO 5 Zero Sign In Failed

Maybe you have been "hit" by the firmware related issue fixed in 2.18 : 

Zero Sign In login fails when Kerberos authentication is configured for a large number of groups.

best rgds

Brian