
ILO 2 Default Schema Authentication Problems

Kimik
Frequent Advisor

ILO 2 Default Schema Authentication Problems

Hello,

I've set up enough domain information to test auth into AD. I have 2 problems. First, sometimes the ILO Directory settings screen hangs, forcing me to reload the browser session. It's not the browser hanging, just that Directory screen. It seems to go into an endless loop retrieving the config from the ILO. The settings I previously entered for AD and Groups are all blank. This is an ILO 2 v1.50.

Second problem, more of a question, does the SSL error "certificate does not match Directory Server" mean I will get authentication errors? Despite my erratic setup with the first problem, I am still able to test ... when I bash in a test username and PW I get that certificate error, and the authentication fails. Does the certificate need to match?


There's no present like time
5 REPLIES
M.S.Srivatsa
Valued Contributor

Re: ILO 2 Default Schema Authentication Problems

Refer to the whitepaper below and check whether it provides some information on this.

Integrating HP ProLiant Lights-Out processors with Microsoft® Active Directory
http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00190541/c00190541.pdf
barnett chan
Trusted Contributor

Re: ILO 2 Default Schema Authentication Problems

The certificate needs to match. If this is a test environment, you may want to reinstall the root CA in your AD.
Kimik
Frequent Advisor

Re: ILO 2 Default Schema Authentication Problems

The error returned is "Warning: certificate does not match Directory Server Address"

In the Directory server config, I enter the domain name instead of a specific domain controller. This would be the most redundant setting, correct? I don't really want to specify a single D.C. in case that's down and I cannot log on to ILO with domain accounts.

Is there a recommended way to configure an ILO for logon redundancy? Can the certificate not matching error be ignored?



There's no present like time
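The mismatch asked about in the post above, as an added example that is not part of the original thread and is not iLO 2 firmware code: in general TLS name matching, the client compares the names in the server certificate with the address it was configured to connect to. The host names and certificate contents are constructed, and a DC certificate that lists only the controller's own FQDN is an assumption.

```python
# Added example: general TLS name matching, not iLO 2 firmware logic.
# Certificates are constructed dicts in the shape returned by
# ssl.SSLSocket.getpeercert(); every host name here is hypothetical.

def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, CN only as fallback."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v.lower() for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact label-by-label match, or one wildcard as the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and never the bare domain.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_directory_address(cert, configured_address):
    """Return (matches, names) for the address typed into the directory settings."""
    names = cert_dns_names(cert)
    return any(name_matches(n, configured_address) for n in names), names

# Constructed: certificate that names only the domain controller itself.
DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"),),
}
# Constructed: same controller, reissued with the domain name added as a SAN.
DC_CERT_WITH_DOMAIN = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
}

if __name__ == "__main__":
    for label, cert in (("DC name only", DC_CERT),
                        ("DC name + domain SAN", DC_CERT_WITH_DOMAIN)):
        for address in ("corp.example", "dc01.corp.example"):
            ok, names = check_directory_address(cert, address)
            print(f"{label:22} address={address:20} "
                  f"{'match' if ok else 'MISMATCH'} (cert names: {names})")
```

With the first certificate, only the controller's own name matches; the domain name matches once it appears in the certificate's subject alternative names.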
Kimik
Frequent Advisor

Re: ILO 2 Default Schema Authentication Problems

These are the test results I get. So it says it connects with SSL, passes the certificate check, but then doesn't bind, and fails the user authentication test.

It seems like the certificate warning doesn't prevent the authentication attempt, but that fails and I cannot see any logging on the DC that it's connected to.

| Test Description | Status |
|---|---|
| Ping Directory Server | Passed |
| Directory Server IP Address | Not run |
| Directory Server DNS Name | Passed |
| Connect to Directory Server | Passed |
| Connect using SSL | Passed |
| Certificate of Directory Server | Passed |
| Bind to Directory Server | Not run |
| Directory Administrator login | Not run |
| User Authentication | Failed |
| User Authorization | Not run |
| Directory User Context 1 | Not run |
| Directory User Context 2 | Not run |
| Directory User Context 3 | Not run |
| LOM Object exists | Not run |
| LOM Object password | Not run |

Warning: certificate does not match Directory Server Address
Unable to authenticate test user xxxxxxxx[Invalid credentials]
Ceasing tests.
Some diagnostics FAILED for server

There's no present like time
Kimik
Frequent Advisor

Re: ILO 2 Default Schema Authentication Problems


...update .. following the tips at

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1005787&admit=109447627+1217989567271+28353475


I can now log on to ILO but only with full name and not SAMaccount name.

This is pretty stupid - are HP going to allow this in the future?
There's no present like time