HPE Community
Server Management - Remote Server Management
1752608 Members
4304 Online
108788 Solutions
New Discussion юеВ

Re: KeyTab File Base64 encoding for HPeILO PowerShell Kerberos Configuration

 
SOLVED
Go to solution
Teemoe
Occasional Collector

тАО03-11-2020 08:44 AM

тАО03-11-2020 08:44 AM

KeyTab File Base64 encoding for HPeILO PowerShell Kerberos Configuration

I've been going down the road to enable Kerberos "Zero Auth" on our HPE Servers' ILO.
I've created the Computer Object in AD, added the SPNs, created the KeyTab and configured the Kerberos Auth config. Uploading the KeyTab via the Browser works fine and enables SSO.
Now wanting to automate this, using the HPeILO-CMDlets, everything works well except uploading the KeyTab file.
Apparently HPe expects this as Base64:

 

-Keytab <string[]> Specifies the contents of the keytab file which is a binary file containing pairs of principals and encrypted passwords. In the Windows environment, the keytab file is generated with a ktpass utility. After generating a binary keytab file using the appropriate utility, use a Base64 encoder to convert the binary file to ASCII format. Place the Base64 contents between: -----BEGIN KEYTAB----- and -----END KEYTAB-----.</string[]>

 


So I took the ktpass keytab and parsed this to Binary then to Base64

 

 

 

$keytab = Get-Content .\ILO.keytab
$keytab looks like this:
 U 
DOMAIN.LOCAL HTTP hostname.domain.local    V├│├н├И├Л тАУ┬н┬н┬▒┬░├С┬╢┼а

$Bytes = [System.Text.Encoding]::Unicode.GetBytes($keytab)
$keytabBase64 =[Convert]::ToBase64String($Bytes)
$keytabBase64
$keytabUpload =@"
-----BEGIN KEYTAB-----
$keytabBase64
-----END KEYTAB-----
"@

 

 


Trying to upload like so

 

 

$session | Set-HPEiLOKerberosConfig -KerberosEnabled Yes -Realm DOMAIN.LOCAL -KDCAddress DOMAIN.LOCAL -KDCPort 88 -Keytab $keytabUpload

 

 


I'm getting the following Error:

 

 

Keytab Error, Keytab not properly encoded.

 

 


Again, using the same, original ILO.keytab and uploading it into the Config via the Web UI works. So the original file is good.
I assume I'm doing something wrong with the base64 encoding but I'm not sure what. Any help is greatly appreciated

0 Kudos
Reply
2 REPLIES 2
DANDKS
HPE Pro

тАО03-21-2020 10:44 PM - edited тАО03-21-2020 10:52 PM

тАО03-21-2020 10:44 PM - edited тАО03-21-2020 10:52 PM

Re: KeyTab File Base64 encoding for HPeILO PowerShell Kerberos Configuration

Please refer to the below Advisory,

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00088213en_us

Refer to the User Guide at: Configuring Kerberos authentication settings in iLO

https://support.hpe.com/hpesc/public/docDisplay?docId=a00018324en_us

Let us know if any user guide is being followed, if yes, please share the link for the User Guide that is being followed.

Thank you


I am an HPE employee
Accept or Kudo
0 Kudos
Reply
Teemoe
Occasional Collector

тАО03-24-2020 05:23 AM

тАО03-24-2020 05:23 AM

Solution

Re: KeyTab File Base64 encoding for HPeILO PowerShell Kerberos Configuration

Found a Solution thanks to Reddit.

Get-Content has a switch to import straight as Byte, which can be turned into Base64 and then uploaded using the HPEILO CMDLets:

$keytab = Get-Content .\$ILO.keytab -Encoding Byte

$keytabBase64 =[Convert]::ToBase64String($keytab)

$keytabBase64

$keytabUpload ="-----BEGIN KEYTAB-----

$keytabBase64

-----END KEYTAB-----"

$session | Set-HPEiLOKerberosConfig -KerberosEnabled Yes -Realm DOMAIN.COM -KDCAddress DOMAIN.COM -KDCPort 88 -Keytab $keytabUpload
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.