Re: ILO Kerberos Sign-In Issues

Peter J West
Frequent Advisor

ILO Kerberos Sign-In Issues

Hi,

I tried using this video guide to configure kerberos integration for one of our ILO's: https://www.youtube.com/watch?v=rGnm2Kc10J0

Unfortunately it does not seem to be working.  A diagnostic test says the following:

Directory Server DNS Name: Success

Ping Directory Server: Success

Connect to Directory Server: Success

Bind to Directory Server: Success

Directory Administrator Login: Success

User Authorization: Success

Directory User Contexts: Success

 

I have a suspicion that this error is causing my problem:

Connect using SSL  Success  Certificate subject OK, verify OK, error code 27 (certificate not trusted), Subject /CN=xxxx.xx.xxxx.xxxx Issued By /DC=root/DC=xxxx/CN=XXXCA1 

 

But - how do I go about making the certificate so that it is trusted?

The ILO already has a certificate installed from the same CA which is used by the Directory Server.

Any clues?

Pete

Peter J West
Frequent Advisor

Re: ILO Kerberos Sign-In Issues

Just to follow up on this.

It looks like almost everything is working as expected, but for some reason it's not able to confirm that the login being used is a member of the appropriate group.

If I deliberately enter a bad password when doing the test then it fails on many of the tests; but when you enter valid credentials everything passes apart from this:

User Authentication  Warning  Test user ilotest@xxx.xxx.xxx not authenticated, or does not have login rights. 

Quite strange.  Any ideas would be welcomed.

SandurMavericK
HPE Pro

Re: ILO Kerberos Sign-In Issues

Try doing these things.

1. Log out of the SUT.

2. Clear the DNS cache at the server and restart the DNS.

3. Now, at the SUT, use Alt+Ctrl+Delete and log in.

Using Alt+Ctrl+Delete will basically create a new ticket, and it will fix the issue.

Make sure that, at the iLO, the things below are set correctly.

Refer to the link: https://www.youtube.com/watch?v=rGnm2Kc10J0

 

Please do check that the time of all clients, the server and the iLO is in sync. I had this issue when any one of them was not in sync.


I work for HPE


SandurMavericK
HPE Pro

Re: ILO Kerberos Sign-In Issues

1. Setup Domain Controller DNS & AD

Create both a Forward Lookup Zone and a Reverse Lookup Zone for the subnets used for iLO.

2. Install the LDAP Role

3. Install the CA (Root CA or Enterprise CA). Export the CA certificate, import it to the Windows client machine and install it there.

Path: Open Certificate Authority --> Right Click --> your CA --> Properties --> View Certificate & Export

4. Set Group Policy at Domain Controller at Default Domain Policy

PATH : Policies -->Windows Settings-->Security Settings---> Local Policies-->

Uncheck all except "AES128_HMAC_SHA1", "AES256_HMAC_SHA1" and "Future encryption types" at

"Network Security: Configure encryption types allowed for Kerberos" (Security Policy)

5. Now Follow these steps as per the below link :

https://www.youtube.com/watch?v=rGnm2Kc10J0 

For High Security, FIPS & CNSA, generate the keytab with supported crypto (command):
Ktpass +rndPass -ptype KRB5_NT_SRV_HST -princ HTTP/myilo.somedomain.net@SOMEDOMAIN.NET -mapuser myilo$@somedomain.net -out myilo.keytab -crypto AES256-SHA1

Note : Date & Time sync must be the same for Domain Controller + iLO + Client Machine.

Note : iLO must resolve with Hostname

Please configure the Browser as below
1. Enable authentication in Internet Explorer.
a. Select Tools > Internet options.
b. Click the Advanced tab.
c. Scroll to the Security section.
d. Verify that the Enable Integrated Windows Authentication option is selected.
e. Click OK.

2. Add the iLO domain to the Intranet zone.
a. Select Tools > Internet options.
b. Click the Security tab.
c. Click the Local intranet icon.
d. Click the Sites button.
e. Click the Advanced button.
f. Enter the site to add in the Add this website to the zone box.
g. On a corporate network, *.example.net is sufficient.
h. Click Add.
i. Click Close.
j. To close the Local intranet dialog box, click OK.
k. To close the Internet Options dialog box, click OK.

3. Enable the Automatic login only in Intranet zone setting.
a. Select Tools > Internet options.
b. Click the Security tab.
c. Click the Local intranet icon.
d. Click Custom level.
e. Scroll to the User Authentication section.
f. Verify that the Automatic logon only in Intranet zone option is selected.
g. To close the Security Settings — Local Intranet Zone window, click OK.
h. To close the Internet Options dialog box, click OK.

4. If any options were changed in steps 1–3, close and restart Internet Explorer.



I work for HPE

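A check that ties together the two settings the reply above depends on, the SPN and the AES-only encryption types: the keytab written by ktpass is a standard v2 keytab, so it can be parsed offline and inspected for the expected principal, name type and enctypes before it is uploaded to the iLO. This is an added example, not HPE's or the poster's code; the SPN HTTP/myilo.somedomain.net@SOMEDOMAIN.NET is the placeholder from the ktpass line above, and the keytab bytes are constructed inline (the second entry is deliberately RC4 so the check has something to flag).

```python
"""Parse a v2 Kerberos keytab (the format ktpass writes) and verify it carries
the expected SPN, the KRB5_NT_SRV_HST name type and only AES key types.
Added example for this thread; not HPE or iLO code."""
import struct
from dataclasses import dataclass

# IANA Kerberos enctype numbers (RFC 3961 registry), not thread-specific values.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",  # "AES128_HMAC_SHA1" in the Group Policy UI
    18: "aes256-cts-hmac-sha1-96",  # "AES256_HMAC_SHA1" / ktpass -crypto AES256-SHA1
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # DES, 3DES and RC4 families
KRB5_NT_SRV_HST = 3                 # RFC 4120 NT-SRV-HST, as used by -ptype above


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted (hole) entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry(f"{'/'.join(comps)}@{realm.decode()}",
                                   name_type, ts, kvno, enctype, key))
    return entries


def build_entry(principal: str, enctype: int, key: bytes, kvno: int,
                name_type: int = KRB5_NT_SRV_HST, timestamp: int = 0) -> bytes:
    """Serialise one keytab entry; used here only to construct sample input."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def check_keytab(data: bytes, expected_spn: str) -> list[str]:
    """Return a list of problems; an empty list means the keytab matches the
    AES-only policy and SPN the thread describes."""
    entries = parse_keytab(data)
    problems = []
    if expected_spn not in {e.principal for e in entries}:
        problems.append(f"missing principal {expected_spn}")
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"{e.principal}: weak enctype {e.enctype} ({name})")
        if e.name_type != KRB5_NT_SRV_HST:
            problems.append(f"{e.principal}: name type {e.name_type} is not KRB5_NT_SRV_HST")
    return problems


# Constructed sample: the placeholder SPN from the thread with an AES256 key,
# plus an RC4 entry that the policy above should have excluded.
EXPECTED_SPN = "HTTP/myilo.somedomain.net@SOMEDOMAIN.NET"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(EXPECTED_SPN, 18, bytes(range(32)), kvno=3)
                 + build_entry(EXPECTED_SPN, 23, bytes(16), kvno=3))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print(check_keytab(SAMPLE_KEYTAB, EXPECTED_SPN) or "keytab looks good")
```

To run it against a real file, call `check_keytab(open("myilo.keytab", "rb").read(), "HTTP/<ilo-fqdn>@<REALM>")` with your own SPN; the realm must be the upper-case Kerberos realm, and the kvno printed should match the current kvno of the mapped computer account, since a stale keytab after another ktpass run is a common reason the "User Authentication" test passes bind but fails the user step.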