Table of Contents
Advertisement
(Active Directory server) where you want to map iDRAC6 to a user
account in Active Directory.
For example, use the following ktpass command to create the Kerberos
keytab file:
C:\> ktpass.exe -princ
HTTP/idracname.domainname.com@DOMAINNAME.COM -
mapuser DOMAINNAME\username -mapOp set -crypto
DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -pass
<password> +DesOnly -out c:\krbkeytab
NOTE:
If you find any issues with the iDRAC6 user the keytab file is created
for, create a new user and a new keytab file. If the same keytab file which was
initially created is again executed, it will not configure correctly.
After the above command executes successfully, run the following
command:
C:\>setspn -a HTTP/idracname.domainname.com
username
The encryption type that iDRAC6 uses for Kerberos authentication is
DES-CBC-MD5. The principal type is KRB5_NT_PRINCIPAL. The
properties of the user account that the Service Principal Name is mapped
to should have the following account property enabled:
•
Use DES encryption types for this account
NOTE:
You must create an Active Directory user account for use with the
-mapuser option of the ktpass command. Also, you should have the same
name as the iDRAC DNS name to which you will upload the generated keytab
file.
NOTE:
It is recommended that you use the latest ktpass utility to create the
keytab file. Also, while generating the keytab file, use lowercase letters for
the idracname and the Service Principal Name.
This procedure will produce a keytab file that you should upload to
iDRAC6.
NOTE:
The keytab contains an encryption key and should be kept secure.
For more information on the ktpass utility, see the Microsoft website at:
http://technet.microsoft.com/en-us/library/cc779157(WS.10).aspx
Enabling Kerberos Authentication
169
- Quick Links:
- Configuration Tasks
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
