Introduction to certificate services – HP Remote Insight Lights-Out Edition II Board User Manual
Page 66
RILOE II security 66
Owner is set to SAN, RILOE II obtains the directory user's login name from the UPN attribute of the SAN.
If the Certificate Owner setting is set to Subject, RILOE II obtains the directory user's distinguished name
from the subject of the certificate.
Which one of these settings to choose depends on which directory integration method is used, how the
directory architecture is designed, and what information is contained in user certificates that are issued.
The following examples assume you have the appropriate permissions.
Authentication using Default Directory Schema, part 1: The distinguished name for a user in
the directory is CN=John Doe,OU=IT,DC=MyCompany,DC=com, and the following are the attributes of
John Doe's certificate:
•
Subject: DC=com/DC=MyCompany/OU=IT/CN=John Doe
•
SAN/UPN: [email protected]
Authenticating to RILOE II with username:[email protected] and password, will work if two-
factor authentication is not enforced. After two-factor authentication is enforced, if SAN is selected on the
Two-Factor Authentication Settings page, the login page automatically populates the Directory User field
with [email protected]. The password can be entered, but the user will not be authenticated.
The user is not authenticated because [email protected], which was obtained from the
certificate, is not the distinguished name for the user in the directory. In this case, you must select Subject
on the Two-Factor Authentication Settings page. Then the Directory User field on the login page will be
populated with CN=John Doe,OU=IT,DC=MyCompany,DC=com, which is the user's actual distinguished
name. If the correct password is entered, the user is authenticated.
Authentication using Default Directory Schema, part 2: The distinguished name for a user in
the directory is [email protected],OU=IT,DC=MyCompany,DC=com, and the following
are the attributes of John Doe's certificate:
•
Subject: DC=com/DC=MyCompany/OU=Employees/CN=John
Doe/[email protected]
•
SAN/UPN: [email protected]
•
Search context on the Directory Settings page is set to: OU=IT,DC=MyCompany,DC=com
In this example, if SAN is selected on the Two-Factor Authentication Settings page, the Directory User field
on the login page is populated with [email protected]. After the correct password is entered,
the user is authenticated. The user is authenticated even though [email protected] is not the
distinguished name for the user. The user is authenticated because RILOE II attempts to authenticate using
the search context fields ([email protected], OU=IT, DC=MyCompany, DC=com)
configured on the Directory Settings page. Becasue this is the correct distinguished name for the user,
RILOE II successfully finds the user in the directory.
NOTE: Selecting Subject on the Two-Factor Authentication Settings page causes authentication to fail,
because the subject of the certificate is not the distinguished name for the user in the directory.
When using the HP Extended schema method, HP recommends selecting the SAN option on the Two-
factor Authentication Settings page.
Introduction to certificate services
Certificate Services are used to issue signed digital certificates to network hosts. The certificates are used
to establish SSL connections with the host and verify the authenticity of the host.
Installing Certificate Services allows Active Directory to receive a certificate that allows Lights-Out
processors to connect to the directory service. Without a certificate, RILOE II cannot connect to the
directory server.