Using Two-Factor Authentication With Directory Authentication - HP Integrated Lights-Out User Manual

Integrated lights-out firmware 1.91

allowing the removal of the certificate. If a certificate has not been mapped to the user, "Thumbprint: A certificate has NOT been mapped to this user" is displayed, along with a button that starts the certificate import process.
To set up a user for two-factor authentication and add a user certificate:
1. Log on to iLO using an account that has the Configure iLO Settings privilege. Click Administration.
2. Select a user.
3. Click View/Modify.
4. Under the User Certificate Information section, click Add a certificate.
5. On the Map User Certificate page, paste the user certificate into the text box and click Import Certificate.
For more information on user administration, refer to the "User administration (on page 23)" section.

Using two-factor authentication with directory authentication

In some cases, configuring two-factor authentication with directory authentication is complicated. iLO can use the HP Extended schema or the Default Directory schema to integrate with directory services. To ensure security when two-factor authentication is enforced, iLO uses an attribute from the client certificate as the directory user's login name. Which client certificate attribute iLO uses is determined by the Certificate Owner configuration setting on the Two-Factor Authentication Settings page. If Certificate Owner is set to SAN, iLO obtains the directory user's login name from the UPN attribute of the SAN. If Certificate Owner is set to Subject, iLO obtains the directory user's distinguished name from the subject of the certificate.

Which of these settings to choose depends on which directory integration method is used, how the directory architecture is designed, and what information is contained in the user certificates that are issued. The following examples assume you have the appropriate permissions.
Authentication using Default Directory Schema, part 1: The distinguished name for a user in the directory is CN=John Doe,OU=IT,DC=MyCompany,DC=com, and the following are the attributes of John Doe's certificate:
Subject: DC=com/DC=MyCompany/OU=IT/CN=John Doe
SAN/UPN: john.doe@MyCompany.com

Authenticating to iLO with the username john.doe@MyCompany.com and a password will work if two-factor authentication is not enforced. After two-factor authentication is enforced, if SAN is selected on the Two-Factor Authentication Settings page, the login page automatically populates the Directory User field with john.doe@MyCompany.com. The password can be entered, but the user will not be authenticated, because john.doe@MyCompany.com, which was obtained from the certificate, is not the distinguished name for the user in the directory. In this case, you must select Subject on the Two-Factor Authentication Settings page. The Directory User field on the login page will then be populated with CN=John Doe,OU=IT,DC=MyCompany,DC=com, which is the user's actual distinguished name. If the correct password is entered, the user is authenticated.
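To make the two Certificate Owner settings concrete, here is an added Python model (an illustration written for this page, not HP's iLO firmware code) that derives the Directory User name from the part 1 certificate for each setting and checks it against the user's directory DN. It assumes that the manual's slash-separated, root-first subject notation converts to an LDAP DN by reversing the RDN order, and it compares DNs case-insensitively, which is a simplification of full LDAP matching rules.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientCert:
    """The two certificate fields iLO can take the directory login name from."""
    subject_oneline: str        # root-first, slash-separated subject as printed in the manual
    san_upn: Optional[str]      # UPN from the Subject Alternative Name, or None if absent


def oneline_to_ldap_dn(subject: str) -> str:
    """Convert a root-first, slash-separated subject such as
    "DC=com/DC=MyCompany/OU=IT/CN=John Doe" into the leaf-first, comma-separated
    LDAP distinguished name "CN=John Doe,OU=IT,DC=MyCompany,DC=com".
    (Assumption: the manual prints subjects in this OpenSSL-style form.)"""
    rdns = [rdn.strip() for rdn in subject.split("/") if rdn.strip()]
    return ",".join(reversed(rdns))


def directory_login_name(cert: ClientCert, certificate_owner: str) -> Optional[str]:
    """Return the name iLO would place in the Directory User field, depending on
    the Certificate Owner setting on the Two-Factor Authentication Settings page."""
    if certificate_owner == "SAN":
        return cert.san_upn
    if certificate_owner == "Subject":
        return oneline_to_ldap_dn(cert.subject_oneline)
    raise ValueError(f"unknown Certificate Owner setting: {certificate_owner!r}")


def _normalize_dn(dn: str) -> str:
    # Strip whitespace around each RDN and compare case-insensitively
    # (a simplification of the full LDAP DN matching rules).
    return ",".join(part.strip() for part in dn.split(",")).lower()


def enforced_2fa_login_ok(cert: ClientCert, certificate_owner: str, user_dn: str) -> bool:
    """With two-factor authentication enforced and the Default Directory Schema,
    the name taken from the certificate must be the user's distinguished name in
    the directory; otherwise the login fails even with the correct password."""
    name = directory_login_name(cert, certificate_owner)
    return name is not None and _normalize_dn(name) == _normalize_dn(user_dn)


def check_part_1() -> dict:
    """Constructed from the manual's part 1 example: maps each Certificate Owner
    setting to (Directory User field value, authenticated?)."""
    john = ClientCert(
        subject_oneline="DC=com/DC=MyCompany/OU=IT/CN=John Doe",
        san_upn="john.doe@MyCompany.com",
    )
    user_dn = "CN=John Doe,OU=IT,DC=MyCompany,DC=com"
    return {
        setting: (directory_login_name(john, setting),
                  enforced_2fa_login_ok(john, setting, user_dn))
        for setting in ("SAN", "Subject")
    }


if __name__ == "__main__":
    for setting, (name, ok) in check_part_1().items():
        print(f"Certificate Owner={setting:8} Directory User={name!r:45} authenticated={ok}")
```

Running the block reproduces the outcome described above: with SAN selected the Directory User field holds the UPN and authentication fails; with Subject selected it holds the user's DN and authentication succeeds.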
Authentication using Default Directory Schema, part 2: The distinguished name for a user in the directory is CN=john.doe@MyCompany.com,OU=IT,DC=MyCompany,DC=com, and the following are the attributes of John Doe's certificate:
Subject: DC=com/DC=MyCompany/OU=Employees/CN=John Doe/E=john.doe@MyCompany.com
iLO security 62
