Two-factor authentication login – HP Remote Insight Lights-Out Edition II Board User Manual


RILOE II security 65

Two-factor authentication login

When you connect to RILOE II and two-factor authentication is required, the Client Authentication page
prompts you to select the certificate you want to use. The Client Authentication page displays all of the
certificates available to authenticate a client. Select your certificate. The certificate can be either a certificate
mapped to a local user in RILOE II or a user-specific certificate issued for authenticating to the domain.

After you have selected a certificate, if the certificate is protected with a password or if the certificate is
stored on a smart card, a second page appears prompting you to enter the PIN or password associated
with the chosen certificate.

The certificate is examined by RILOE II to ensure it was issued by a trusted CA by checking the signature
against the CA certificate configured in RILOE II. RILOE II determines if the certificate has been revoked
and if it maps to a user in the RILOE II local user database. If all of these tests pass, then the normal RILOE
II user interface appears.

If your credential authentication fails, the Login Failed page appears and instructs you to close the
browser, open a new browser page, and try connecting again. If directory authentication is enabled and
local user authentication fails, RILOE II instead displays a login page with the directory user name field
populated with either the User Principal Name from the certificate or the Distinguished Name (derived
from the subject of the certificate). RILOE II then requests the password for that account; after you provide
the password, you are authenticated.
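The sequence of checks above (issued by the configured CA, not revoked, mapped to a local user, otherwise fall back to a directory prompt with the UPN or DN taken from the certificate) can be modelled in code. The following is an added example, not RILOE II firmware or HP code; the certificate is a constructed stand-in whose CA signature is an HMAC rather than a real X.509 signature, and the revocation list, local user table and Certificate Owner setting are assumed structures:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an X.509 client certificate. The "signature" is an
# HMAC over the certificate fields keyed with the CA secret; it stands in for
# the real CA signature that RILOE II checks against its configured CA cert.
@dataclass
class ClientCert:
    subject_dn: str
    issuer_dn: str
    serial: int
    upn: Optional[str]          # User Principal Name from the SAN, if present
    signature: bytes

    def tbs(self) -> bytes:     # the "to-be-signed" fields covered by the signature
        return f"{self.subject_dn}|{self.issuer_dn}|{self.serial}|{self.upn}".encode()

    def fingerprint(self) -> str:
        return hashlib.sha256(self.tbs() + self.signature).hexdigest()

@dataclass
class BoardConfig:              # assumed shape of the board's relevant settings
    ca_dn: str
    ca_key: bytes               # stands in for the trusted CA's public key
    revoked_serials: set        # stands in for the CRL the board consults
    local_users: dict           # cert fingerprint -> local RILOE II user name
    directory_enabled: bool
    owner_is_upn: bool          # "Certificate Owner" setting: UPN (True) or DN (False)

def issue(ca_dn: str, ca_key: bytes, subject_dn: str, serial: int, upn=None) -> ClientCert:
    """Constructed issuance: a CA 'signs' the certificate fields."""
    cert = ClientCert(subject_dn, ca_dn, serial, upn, b"")
    cert.signature = hmac.new(ca_key, cert.tbs(), "sha256").digest()
    return cert

def authenticate(cert: ClientCert, cfg: BoardConfig) -> dict:
    """Apply the checks in the order the manual describes and report the outcome."""
    expected = hmac.new(cfg.ca_key, cert.tbs(), "sha256").digest()
    if cert.issuer_dn != cfg.ca_dn or not hmac.compare_digest(cert.signature, expected):
        return {"result": "failed", "reason": "not issued by the configured CA"}
    if cert.serial in cfg.revoked_serials:
        return {"result": "failed", "reason": "certificate revoked"}
    user = cfg.local_users.get(cert.fingerprint())
    if user is not None:
        return {"result": "local", "user": user}        # normal RILOE II UI appears
    if not cfg.directory_enabled:
        return {"result": "failed", "reason": "no local user mapped"}
    # Directory fallback: pre-fill the login name from the UPN or the subject DN
    name = cert.upn if (cfg.owner_is_upn and cert.upn) else cert.subject_dn
    return {"result": "directory_prompt", "login_name": name}
```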

Using two-factor authentication with directory authentication

In some cases, configuring two-factor authentication with directory authentication is complicated. RILOE II
can use HP Extended schema or Default Directory schema to integrate with directory services. To ensure
security when two-factor authentication is enforced, RILOE II uses an attribute from the client certificate as
the directory user's login name. Which client certificate attribute RILOE II uses is determined by the
Certificate Owner configuration setting on the Two-Factor Authentication Settings page. If Certificate
