Table of Contents
Advertisement
Since the iDRAC6 is a device with a non-Windows operating system, run
the ktpass utility—part of Microsoft Windows—on the domain controller
(Active Directory server) where you want to map the iDRAC6 to a user
account in Active Directory.
For example, use the following ktpass command to create the Kerberos
keytab file:
C:\>ktpass -princ
HOST/dracname.domainname.com@DOMAINNAME.COM -
mapuser dracname -crypto DES-CBC-MD5 -ptype
KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab
The encryption type that iDRAC6 uses for Kerberos authentication is
DES-CBC-MD5. The principal type is KRB5_NT_PRINCIPAL. The
properties of the user account that the Service Principal Name is mapped
to should have Use DES encryption types for this account property
enabled.
NOTE:
It is recommended that you use the latest ktpass utility to create the
keytab file.
This procedure will produce a keytab file that you should upload to the
iDRAC6.
NOTE:
The keytab contains an encryption key and should be kept secure.
For more information on the ktpass utility, see the Microsoft website at:
http://technet2.microsoft.com/windowsserver/en/library/64042138-9a5a-
4981-84e9-d576a8db0d051033.mspx?mfr=true
•
The iDRAC6 time should be synchronized with the Active Directory
domain controller. You can also use the following RACADM time zone
offset command to synchronize the time:
racadm config -g cfgRacTuning -o
cfgRacTuneTimeZoneOffset <offset value>
•
To enable single sign-on for Extended schema, ensure that the Trust this
user for delegation to any service (Kerberos only) option is selected on the
Delegation tab for the keytab user. This tab is available only after creating
the keytab file using ktpass utility.
Configuring iDRAC6 for Single Sign-On or Smart Card Login
189
- Quick Links:
- Diagnostic Commands
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
