SOLVED
Hi Johannes,
Kindly verify the pre-requisities mentioned in the user guide and provide us with the outcome.
Prerequisites for configuring authentication and directory server settings:
1.Verify that your iLO user account has the Configure iLO Settings privilege.
2.Install an iLO license that supports this feature.
3.Configure your environment to support Kerberos authentication or directory integration.
4.The Kerberos keytab file is available (Kerberos authentication only).
For more information please refer HPE iLO 5 User Guide (Page number 249 - 256)
Link: https://support.hpe.com/hpesc/public/docDisplay?docId=a00018324en_us
BR,
Shruthi
I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hi,
Please log a case with the HPE support team for further assistance on this since the pre-requirements are already met.
Link to log a case: https://support.hpe.com/portal/site/hpsc/scm/home?ac.admitted=1470780193089.125225703.1938120508
Br,
Shruthi
I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hi Johannes
The certificates on the domain controllers must use 1024-bit encryption and not 2048-bit encryption. As per Microsoft KB article Q321051 the private keys must not have strong protection enabled to be able to use third party LDAP over SSL authentication. For authentication to work correctly between iLO and the domain controller in AD, the domain controller must have LDAP over SSL capabilities. This means the domain controller must have a certificate assigned by a Certificate Authority. See the Microsoft Knowledge Base for more information on installing a Certificate Server on a domain controller so that other domain controllers can automatically obtain certificates. The existing PKI infrastructure can be used to obtain certificates. For information about this, refer to Microsoft Knowledge Base article in the following URL.
Click on below link to access the article titled "How to enable LDAP over SSL with a third-party certification authority"
For an alternate method to check SSL, use the Microsoft ldp.exe tool. If AD authentication fails, check the event log for an LDAP error.
In addition above action also check by reset iLO from iLO web console.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
I Suspect the issue with Directory Server & Certificate Authority .
Verifying an LDAP connection using below steps.
1. Start the Active Directory Administration Tool (Ldp.exe).
2. On the Connection menu, click Connect.
3. Type the name of the domain controller to which you want to connect.
a. You must use a proper DNS name for the SSL test to work.
4. Type 636 as the port number and check the SSL box
5. Click OK.
I work for HPE
HI
Can you please let me know after how many days you see this issue ??
I work for HPE
Can you please let us know the what is " Directory User Context 1" defined in iLO ??
I work for HPE
Can you please let us know the what is " Directory User Context 1" defined in iLO
I work for HPE
Hi SandurMaverick,
Thanks for the reply.
LDAP connection has been verified and it is working fine.
Domain authentication with LDAP Server working fine in 100's of servers during the notification of issue in a server ILO and this ensures that there is no issue with LDAP Connection
All the servers ILO's are configured similarly.
"Directory User Context" 1 , 2 and 3 has been updated with common directory subcontexts.
Every other tools configured with the same LDAP is working fine
After Resetting the ILO, domain authentication works fine, but after sometime again the issue starts
From ILO User Guide, it has been mentioned that if CA Certificate is not imported, Certificate validation step is skipped, But whereas domain login authentication fails stating that “LDAP server certificate validation failed.” Attached the screenshots for reference.
This issue exists in all generations and firmwares, 2.55 to 2.73 for ILO4 and 2.10 to 2.18 for ILO5.
HI Eeswarna,
Thank you for letting us know the issue..
as per you description the issue doesn't start when configured for the first Time & Domain Login works fine.. but the issue starts when you do the iLO reset after which you are seeing an issue of domain login failure due to certificate Validation failure.. i get your point . can you confirm the domain user on which the issue is seen is actually part of How many Security Groups ..
Command : to run on Domain Controller : dsquery user -samid ilouser | dsget user -memberof | dsget group -samid
I work for HPE
Hello Johannes_we & Eeswaran,
Can you update the March 10, 2020 updates Secuirty Patches from Microsoft & See this gets resolved
I work for HPE
Hello Vaitheeswaran
Can you please log a TICKET... we are not able to reproduce the issue which you are seeing ...
I work for HPE