Dell IDRAC6 Laptop User Manual


 
Configuring iDRAC6 for Single Sign-On or Smart Card Login
Since the iDRAC6 is a device with a non-Windows operating system, run the ktpass utility—part of Microsoft Windows—on the domain controller (Active Directory server) where you want to map the iDRAC6 to a user account in Active Directory.
For example, use the following ktpass command to create the Kerberos keytab file:
C:\>ktpass -princ HOST/dracname.domainname.com@DOMAINNAME.COM -mapuser dracname -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\krbkeytab
The encryption type that iDRAC6 uses for Kerberos authentication is DES-CBC-MD5. The principal type is KRB5_NT_PRINCIPAL. The user account that the Service Principal Name is mapped to should have the "Use DES encryption types for this account" property enabled.
NOTE: It is recommended that you use the latest ktpass utility to create the keytab file.
This procedure will produce a keytab file that you should upload to the iDRAC6.
NOTE: The keytab contains an encryption key and should be kept secure.
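
Before uploading, the keytab can be checked against the values the ktpass command above requests without displaying the key. The following is an added example, not part of the Dell manual: it assumes the file uses the standard MIT keytab layout (version 0x0502), the function names are hypothetical, and the sample keytab is constructed with a dummy key.

```python
import struct

DES_CBC_MD5, KRB5_NT_PRINCIPAL = 3, 1    # Kerberos enctype and name-type numbers

def _counted(buf, off):    # uint16 length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, name_type, kvno, enctype) per entry; key bytes are dropped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + max(size, 0)], pos + 4 + abs(size)
        if size <= 0:                        # negative size marks a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(rec, off)
            parts.append(part.decode())
        name_type, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, off)
        _key, off = _counted(rec, off + 11)  # 11 = size of the four fields just read
        if len(rec) - off >= 4:              # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(parts) + "@" + realm.decode(), name_type, kvno, enctype))
    return entries

def check_idrac6_keytab(data, principal):
    """List mismatches against what the ktpass command above requests."""
    entries = parse_keytab(data)
    problems = [] if any(e[0] == principal for e in entries) else ["missing " + principal]
    for name, name_type, _kvno, enctype in entries:
        if (enctype, name_type) != (DES_CBC_MD5, KRB5_NT_PRINCIPAL):
            problems.append("%s: enctype %d, name type %d (expected %d, %d)" % (
                name, enctype, name_type, DES_CBC_MD5, KRB5_NT_PRINCIPAL))
    return problems

def sample_keytab(enctype, key):
    """Constructed test keytab: the manual's placeholder principal with a dummy key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    hdr = struct.pack(">H", 2) + s(b"DOMAINNAME.COM") + s(b"HOST") + s(b"dracname.domainname.com")
    body = hdr + struct.pack(">IIBH", 1, 0, 3, enctype) + s(key) + struct.pack(">I", 3)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

For a real file, pass the bytes read from the ktpass output to check_idrac6_keytab together with the principal given to -princ; an empty list means the principal, encryption type and principal type all match.
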
For more information on the ktpass utility, see the Microsoft website at: http://technet2.microsoft.com/windowsserver/en/library/64042138-9a5a-4981-84e9-d576a8db0d051033.mspx?mfr=true
The iDRAC6 time should be synchronized with the Active Directory domain controller. You can also use the following RACADM time zone offset command to synchronize the time:
racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset <offset value>
To enable single sign-on for Extended schema, ensure that the "Trust this user for delegation to any service (Kerberos only)" option is selected on the Delegation tab for the keytab user. This tab is available only after creating the keytab file using the ktpass utility.