HP Integrated Lights-Out 2 User Manual

Page 50


Using two-factor authentication with directory authentication

In some cases, configuring two-factor authentication with directory authentication is complicated.
iLO 2 can use HP Extended schema or Default Directory schema to integrate with directory services.
To ensure security when two-factor authentication is enforced, iLO 2 uses an attribute from the
client certificate as the directory user's login name. Which client certificate attribute iLO 2 uses is
determined by the Certificate Owner Field configuration setting on the Two-Factor Authentication
Settings page. If Certificate Owner Field is set to SAN, iLO 2 obtains the directory user's login
name from the UPN attribute of the SAN. If the Certificate Owner Field setting is set to Subject,
iLO 2 obtains the directory user's distinguished name from the subject of the certificate.

Which Certificate Owner Field setting to choose depends on the directory integration method used,
the directory architecture, and what information is contained in the user certificates that are issued.
The following examples assume you have the appropriate permissions.

Authentication using Default Directory Schema, part 1: The distinguished name for a user in the
directory is CN=John Doe,OU=IT,DC=MyCompany,DC=com, and the following are the attributes
of John Doe's certificate:

Subject: DC=com/DC=MyCompany/OU=IT/CN=John Doe

SAN/UPN: [email protected]

Authenticating to iLO 2 with username:[email protected] and password works if
two-factor authentication is not enforced. After two-factor authentication is enforced, if SAN is
selected on the Two-Factor Authentication Settings page, the login page automatically populates
the Directory User field with [email protected]. The password can be entered, but the
user is not authenticated. The user is not authenticated because [email protected],
which was obtained from the certificate, is not the distinguished name for the user in the directory.
In this case, you must select Subject on the Two-Factor Authentication Settings page. The Directory
User field on the login page is then populated with the user's actual distinguished name, as follows:

CN=John Doe,OU=IT,DC=MyCompany,DC=com

If the correct password is entered, the user is authenticated.

Authentication using Default Directory Schema, part 2: The distinguished name for a user in the
directory is [email protected],OU=IT,DC=MyCompany,DC=com, and the following
are the attributes of John Doe's certificate:

Subject: DC=com/DC=MyCompany/OU=Employees/CN=John Doe/[email protected]

SAN/UPN: [email protected]

Search context on the Directory Settings page is set to: OU=IT,DC=MyCompany,DC=com

In this example, if SAN is selected on the Two-Factor Authentication Settings page, the Directory
User field on the login page is populated with [email protected]. After the correct
password is entered, the user is authenticated, even though [email protected] by itself
is not the distinguished name for the user. Authentication succeeds because iLO 2 combines the login
name with the search context configured on the Directory Settings page, producing
[email protected],OU=IT,DC=MyCompany,DC=com. Because this is the correct distinguished name
for the user, iLO 2 successfully finds the user in the directory.

NOTE: Selecting Subject on the Two-Factor Authentication Settings page causes authentication
to fail, because the subject of the certificate is not the distinguished name for the user in the directory.

When authenticating using the HP Extended Schema method, HP recommends selecting the SAN
option on the Two-Factor Authentication Settings page.
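The two worked examples above (part 1 and part 2) and the note can be reduced to one rule: the login name iLO 2 takes from the certificate must resolve to a directory distinguished name, either directly (Subject) or after being combined with a search context (SAN). The following model, added here as an illustration and not taken from iLO 2 firmware or HP documentation, reproduces all four outcomes. The certificate attributes, the user name jdoe@MyCompany.com, the passwords and the in-memory directory are constructed values, and the rule that a bare login name is tried as CN=<name>,<search context> is an assumption about how the search context fields are applied.

```python
"""Model of how the Certificate Owner Field setting turns a client
certificate into a directory login, and why SAN succeeds in one directory
layout and fails in another.  Constructed example, not iLO 2 code."""

import hmac
from typing import Dict, List, Optional

# Constructed directories (DN -> password), standing in for an LDAP server.
# Part 1: the user's CN is a display name.  Part 2: the user's CN is the UPN.
DIRECTORY_PART1: Dict[str, str] = {
    "CN=John Doe,OU=IT,DC=MyCompany,DC=com": "part1-secret",
}
DIRECTORY_PART2: Dict[str, str] = {
    "CN=jdoe@MyCompany.com,OU=IT,DC=MyCompany,DC=com": "part2-secret",
}

# Constructed certificate attributes, in the manual's slash notation
# (root first).  jdoe@MyCompany.com is a made-up UPN.
CERT_PART1 = {"subject": "DC=com/DC=MyCompany/OU=IT/CN=John Doe",
              "san_upn": "jdoe@MyCompany.com"}
CERT_PART2 = {"subject": "DC=com/DC=MyCompany/OU=Employees/CN=John Doe",
              "san_upn": "jdoe@MyCompany.com"}

SEARCH_CONTEXTS = ["OU=IT,DC=MyCompany,DC=com"]   # Directory Settings page


def subject_to_dn(subject: str) -> str:
    """Turn the root-first, slash-separated subject ("DC=com/.../CN=John Doe")
    into the leaf-first, comma-separated DN a directory uses."""
    rdns = [p.strip() for p in subject.strip("/").split("/") if p.strip()]
    return ",".join(reversed(rdns))


def login_name_from_cert(cert: Dict[str, str], owner_field: str) -> str:
    """Select the directory login name per the Certificate Owner Field."""
    if owner_field == "SAN":
        return cert["san_upn"]          # UPN from the SAN extension
    if owner_field == "Subject":
        return subject_to_dn(cert["subject"])
    raise ValueError(f"unknown Certificate Owner Field: {owner_field}")


def is_dn(name: str) -> bool:
    """A DN's first component is 'type=value'; a UPN has no '=' there."""
    return "=" in name.split(",")[0]


def candidate_dns(login_name: str, search_contexts: List[str]) -> List[str]:
    """A full DN is tried as-is.  A bare name is combined with each search
    context (assumption: as CN=<name>,<context>), which is what lets the
    part 2 SAN login succeed."""
    if is_dn(login_name):
        return [login_name]
    return [f"CN={login_name},{ctx}" for ctx in search_contexts]


def authenticate(directory: Dict[str, str], cert: Dict[str, str],
                 owner_field: str, password: str,
                 search_contexts: List[str]) -> Optional[str]:
    """Return the DN that authenticated, or None on failure."""
    login_name = login_name_from_cert(cert, owner_field)
    for dn in candidate_dns(login_name, search_contexts):
        stored = directory.get(dn)
        if stored is not None and hmac.compare_digest(stored, password):
            return dn
    return None


def run_examples() -> Dict[str, Optional[str]]:
    """All four outcomes from the manual's two examples."""
    return {
        "part1/SAN": authenticate(DIRECTORY_PART1, CERT_PART1, "SAN",
                                  "part1-secret", SEARCH_CONTEXTS),
        "part1/Subject": authenticate(DIRECTORY_PART1, CERT_PART1, "Subject",
                                      "part1-secret", SEARCH_CONTEXTS),
        "part2/SAN": authenticate(DIRECTORY_PART2, CERT_PART2, "SAN",
                                  "part2-secret", SEARCH_CONTEXTS),
        "part2/Subject": authenticate(DIRECTORY_PART2, CERT_PART2, "Subject",
                                      "part2-secret", SEARCH_CONTEXTS),
    }


if __name__ == "__main__":
    for case, dn in run_examples().items():
        print(f"{case:14s} -> {'authenticated as ' + dn if dn else 'FAILED'}")
```

Running the script prints a failure for part1/SAN and part2/Subject and a success for the other two, matching the text: in part 1 the UPN never resolves to the user's DN, and in part 2 the certificate subject sits under OU=Employees while the directory entry sits under OU=IT, so only the search-context combination of the UPN finds it.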

Configuring iLO 2