Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

ILO AD Authentication...

Occasional Visitor

I spent the past hour reading the previous posts on this forum regarding this topic and am still having issues.

Here is my situation:
DL585 w/ ILO running firmware 1.82.

I want to use this with the default schema.
I put in the domain controller name, the Directory context (OU=USR,OU=LOC,DC=xx,DC=xxxxx,DC=com) and then went in and set up the Administrator group and User group.

When I run the test I either get:
Unable to authenticate test user me.user@xxxxxxx.com [Invalid credentials]
or
Unable to authenticate test user xx\userme [User Object not found]
or
Unable to authenticate test user userme@xx.xxxxxx.com
and finally
Unable to authenticate test user CN=userme,OU=USR,OU=LOC,DC=xx,DC=xxxxxxxx,DC=com [No login rights]


Any ideas? Thanks
3 REPLIES
Trusted Contributor

Re: ILO AD Authentication...

Hi,
The iLO configuration needs to specify the full distinguished name. When the AD object for the iLO is created and the iLO is configured manually, it is easy to not provide the correct syntax for the full distinguished name.

To configure the iLOs and to create the objects in AD, use the Lights Out Migration tool, which creates the AD objects and configures the iLOs (RILOEs). The utility takes the user through the process of creating object names, adding them to AD and configuring the objects to work with AD. It is the third program in the iLO/AD package that can be downloaded.

For more info check http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00190541/c00190541.pdf?jumpid=reg_R1002_USEN

Minimum flexibility requires entry of the fully distinguished name and password to login. The user must be a member of a group that is allowed access to the iLO/RILOE.

Better flexibility requires that the Directory User Context be written to the iLO/RILOE II. When the user types in the login name, the iLO concatenates the login name and Directory Search context, then sends the request to the AD to find out what access (if any) that account has. The login name is actually the CN portion of the distinguished name that designates the account. This can be different than the account name in the AD as well as the usernames in DOMAINNAME\username and username@domain.ext.

Maximum flexibility requires that ActiveX controls be allowed, the use of the directory's DNS name when configuring the iLO, and that the client and iLO can both resolve the directory's DNS name to an IP address. With those conditions met, the user may also use the DOMAINNAME\username and username@domain.ext formats to login. In that case, the iLO resolves the domain name and sends the request to the correct directory.

Chill
RaMpaNTe
You have a question... I have an answer!!!
Occasional Visitor

Re: ILO AD Authentication...

I have iLO fw 1.82. I am trying to set up schema-free integration. I can log in with FQDN and user name but not with domain\username or UPN name. In both cases I get a [User Object Not Found] error.

I am using the hostname in the directory servers field and ActiveX controls are enabled. The hostname is resolved from both iLO and the client. Still the problem persists. What could be the problem?
Valued Contributor

Re: ILO AD Authentication...

Just want to add.
Assumptions
1. Domain name: xxxxxx.com
2. Active Directory server IP address: 15.70.179.104
3. User's full name in Active Directory: lango s
4. User's login name: lango

Check iLO Network settings
1. Log in to the iLO browser interface.
2. Go to "Administration->Network Settings".
3. Configure "Primary DNS server" with IP address "15.70.179.104".
4. Configure Domain name with "xxxxxx.com".
If this configuration is not done, "loginname@domain.com" (lango@xxxxxx.com) and "xxxxxx\lango" are not going to work as expected.

About Directory test settings page
In the iLO browser interface:
1. The "Test settings" page under "Administration->Directory settings" can only be used for the short name (lango s) and the full distinguished name (CN=lango s,CN=Users,DC=xxxxxx,DC=com).
This cannot be used for "login@domain.com" (lango@xxxxxx.com) and "domain\loginname" (xxxxxx\lango).


Login failing with full distinguished name
Ex: CN=lango s,CN=Users,DC=xxxxxx,DC=com
If the directory user login fails, this could be an issue with a mismatch in the Group configuration in iLO as compared to the Group configuration in Active Directory.
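
Added example, not part of any post above and not HP firmware code: a small model of the name handling the replies describe, where a short login name is concatenated as a CN onto each Directory User Context, showing why the login name "lango" yields no matching object while "lango s" does. The function names, the `USER_CONTEXTS` list and the `DIRECTORY` dictionary are assumptions built from the third reply's sample values.

```python
import re

# Constructed values taken from the third reply's assumptions.
USER_CONTEXTS = ["CN=Users,DC=xxxxxx,DC=com"]   # iLO Directory User Context entries
DIRECTORY = {"cn=lango s,cn=users,dc=xxxxxx,dc=com": "lango"}  # DN -> login name

def escape_rdn_value(value):
    """Escape a CN value for use in a DN (RFC 4514; NUL handling omitted)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def classify_login(name):
    """Return which of the four login formats from the thread was typed."""
    if re.match(r"^\s*\w+=.+,\s*\w+=", name):
        return "dn"
    if "\\" in name:
        return "domain\\user"
    if "@" in name:
        return "upn"
    return "short"

def candidate_dns(name, contexts=USER_CONTEXTS):
    """DNs a lookup could be attempted with, per the concatenation rule."""
    kind = classify_login(name)
    if kind == "dn":
        return [name]
    if kind == "short":
        return [f"CN={escape_rdn_value(name)},{ctx}" for ctx in contexts]
    return []  # UPN and DOMAIN\user cannot be built by concatenation

def diagnose(name):
    """Report the format, the DNs tried, and which of them exist in DIRECTORY."""
    tried = candidate_dns(name)
    found = [dn for dn in tried if dn.lower() in DIRECTORY]
    return {"format": classify_login(name), "tried": tried, "found": found}

if __name__ == "__main__":
    for login in ["lango s", "lango", "xxxxxx\\lango", "lango@xxxxxx.com",
                  "CN=lango s,CN=Users,DC=xxxxxx,DC=com"]:
        print(login, "->", diagnose(login))
```
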