
iLO2 no longer authenticates AD users through username

 
ChristianWickham
Frequent Advisor

iLO2 no longer authenticates AD users through username

We have upgraded to iLO firmware 1.81 recently, using firmware boot CD 7.9 in around 230 HP servers and blades.
Now we can no longer authenticate against AD and can only authenticate with either a local iLO user or the AD Name of a user.
We used to be able to log in with;

DOMAIN\username
Username@domain.com
Username

And now it results in failure for each of these valid logins, and the only way we can authenticate is with;

Surname\, Firstname - Job role

which is the AD Name (not even the display name).
So, I know that LDAP authentication is working (because I can log in with the above name), but I cannot authenticate with any "usable" username.
We have an AD structure that organises accounts under location and type, so I have entered the following search contexts;

ou=Users,OU=Site1,OU=City1,OU=State1,OU=Country,DC=Domain,DC=com
ou=Users,OU=Site2,OU=City2,OU=State2,OU=Country,DC=Domain,DC=com
@domain.com
DOMAIN
CN=AdminGroup,OU=Groups,OU=Site1,OU=City1,OU=State1,OU=Country,DC=Domain,DC=com

And my account exists in four of these search contexts. I can authenticate OK, but not with a normal format to the same account - I get "User Object Cannot be Found" when I test the settings. I have checked capitalisation and spacing, and tried every combination I can think of, but the only one that works is the Name in AD (which is not the same as the Outlook/Exchange "Display Name").

I have tried this with IE6,7 and 8
AD is Windows 2003
This worked before...

Can anyone help?
7 REPLIES
Rajeshwari, Hiresave
Trusted Contributor
Solution

Re: iLO2 no longer authenticates AD users through username

There is a requirement that has to be fulfilled. Can you please verify the following in your setup.

For schemaless Directory configuration, please ensure that the following settings are modified as required so that users can log on with Email and NetBIOS formats successfully:
1. The DIR_SERVER_ADDRESS value needs to be set to the directory server DNS Name or FQDN (Fully Qualified Domain Name).
2. Please check and update the following iLO Network Settings.
2a. The domain name of iLO should match the domain of the directory server.
2b. One of the primary, secondary or tertiary DNS servers must have the same IP address as the Directory server.
ChristianWickham
Frequent Advisor

Re: iLO2 no longer authenticates AD users through username

Thanks for your help. I have checked, and all is exactly as you specified.

Our AD domain is "COMPANYNAME"
The DNS namespace is "companyname.com.au"
The LDAP server specified in "Directory Server Address" is DCSERVER3.companyname.com.au - this matches the capitalisation of the DC/GC server's SSL certificate. We have also tried dcserver2.companyname.com.au and this matches the capitalisation of that DC/GC.
The DNS suffix for the iLO in network is set to match our DNS namespace.
The DNS server specified in the iLO configuration is the IP for DCSERVER3, and the secondary DNS server is the IP for dcserver2.

Thanks, anything else we can try?
ChristianWickham
Frequent Advisor

Re: iLO2 no longer authenticates AD users through username

I have updated to iLO 1.82 and this still does not work.

I used to be able to log in as;
DOMAIN\username
Username@domain.com
username

but now I can only log in as

Surname\, Firstname - Job role

with iLO 1.82, I get more LDAP search contexts, but this has not helped. I have however managed to trust SSO with HP SIM and so now I can access iLO through a link in HP Systems Insight Manager for each server - and it states in the top right hand corner that my username is DOMAIN\Username and authenticated with LDAP - but why can I not log in through the web interface directly?
JimHanson
New Member

Re: iLO2 no longer authenticates AD users through username

Look at the bottom of this thread for the Active-X information. It worked for me.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1005787
ChristianWickham
Frequent Advisor

Re: iLO2 no longer authenticates AD users through username

OK, tried that (enabling ActiveX) and this did not help. I am using IE8 - does that make much difference?
ChristianWickham
Frequent Advisor

Re: iLO2 no longer authenticates AD users through username

I was wrong, it did work!

I made the change in Local Intranet zone, but all my iLOs are on a different subnet to me.
So, I changed my Internet Zone configuration to prompt to initialise and run ActiveX controls, and it all started working again!

Thanks for your help.
ChristianWickham
Frequent Advisor

Re: iLO2 no longer authenticates AD users through username

The change is in Internet Options, under the Internet zone, within the “ActiveX Controls and Plug-ins” area.

Parameter “Initialize and script ActiveX controls not marked as safe for scripting”
Change from “Disable”
Change to “Prompt”
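
Added example, not part of the original thread: a PowerShell check that reports how the setting named above (Internet Explorer URL action 1201) is configured in each security zone, so the change can be confirmed and its scope reviewed. The function name `Get-UnsafeActiveXInitSetting` is hypothetical; the registry paths are the standard Internet Explorer zone locations.

```powershell
# Added example: report URL action 1201 for each IE security zone.
# 1201 = "Initialize and script ActiveX controls not marked as safe for scripting".
$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                 3 = 'Internet';    4 = 'Restricted sites' }
$ActionText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Where the value can be set: machine policy, user policy, then the per-user setting.
$Sources = [ordered]@{
    'Machine policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'    = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User setting'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-UnsafeActiveXInitSetting {
    foreach ($source in $Sources.GetEnumerator()) {
        foreach ($zone in 0..4) {
            $key  = Join-Path $source.Value "$zone"
            $item = Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }      # not configured at this source
            $value = [int]$item.'1201'
            $text  = if ($ActionText.ContainsKey($value)) { $ActionText[$value] }
                     else { "Unknown ($value)" }
            [pscustomobject]@{
                Source  = $source.Key
                Zone    = $ZoneNames[$zone]
                Setting = $text
                # The Internet zone covers every site not assigned to another zone,
                # so anything other than Disable there is flagged for review.
                Review  = ($zone -eq 3 -and $value -ne 3)
            }
        }
    }
}

Get-UnsafeActiveXInitSetting | Format-Table -AutoSize
```

After the change described in the post, the `User setting` row for the Internet zone reads `Prompt` and is flagged `Review`.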