User accounts, Generating a keytab, Key version number – HP Integrated Lights-Out 4 User Manual
User accounts
A user account must be present and enabled in the domain directory for each user who is allowed
to log in to iLO.
Generating a keytab
This section describes how to generate a keytab file for iLO in a Windows environment.
The iLO host name that you use for keytab generation must be identical to the configured iLO host
name. iLO host names are case sensitive.
1. Use the ktpass command to generate a keytab and set the shared secret.
The command is case sensitive and has special characters.
ktpass -out iloname.keytab +rndPass -ptype KRB5_NT_SRV_HST -mapuser [email protected] -princ HTTP/[email protected]
The output should be similar to the following:
Targeting domain controller: domaincontroller.example.net
Using legacy password setting method
Successfully mapped HTTP/iloname.example.net to iloname.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to iloname.keytab:
Keytab version: 0x502
keysize 69 HTTP/[email protected] ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x5a5c7c18ae23559acc29d95e0524bf23)
NOTE: The ktpass command might display a message about not being able to set the
UPN. This is acceptable because iLO is a service, not a user. You might be prompted to
confirm the password change on the computer object. Click OK to close the window and
continue creating the keytab file. Do not use the -kvno option of the ktpass command. This
option causes the kvno in the keytab file to be out of sync with the kvno in Active Directory.
2. Use the SetSPN command to assign the Kerberos SPN to the computer object. For example:
SetSPN -A HTTP/iloname.example.net iloname
If the SetSPN command displays an error message, do the following:
a. Use MMC with the ADSIEdit snap-in and find the computer object for iLO.
b. Set the DNSHostName property to the iLO DNS name. For example:
cn=iloname,ou=us,ou=clients,dc=example,dc=net
3. Use the SetSPN -L iloname command to display the SPNs and DN for the iLO.
Verify that the HTTP/iloname.example.net service is displayed.
NOTE:
The SetSPN command might display a message about not being able to set the
UPN. This is acceptable because iLO is a service, not a user. You might be prompted to
confirm the password change on the computer object. Click OK to close the window and
continue creating the keytab file.
Key version number
If a domain controller OS is reinstalled, the key version number sequence resets. You must regenerate
and reinstall the keytab files that iLO uses for devices associated with that domain controller.
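The kvno and host-name requirements above can be checked by reading the keytab file directly. The following is an added example, not part of the HP manual: a Python parser for the version 0x502 keytab layout (the MIT keytab file format) that reports a missing SPN entry or a kvno mismatch. The function names and the sample entry are constructed for illustration, and the directory-side kvno is assumed to be read separately from the computer object's msDS-KeyVersionNumber attribute.

```python
import struct

def _counted(buf, off):
    """Read a 16-bit length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot
            continue
        rec = data[pos - size:pos]
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):             # e.g. "HTTP", then the iLO host name
            part, off = _counted(rec, off)
            parts.append(part.decode())
        name_type, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        key, off = _counted(rec, off + 11)
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append({"spn": "/".join(parts), "realm": realm.decode(), "kvno": kvno,
                        "name_type": name_type, "etype": etype, "keylen": len(key)})
    return entries

def check_keytab(data, spn, ad_kvno):
    """Return a list of mismatches; an empty list means the keytab agrees."""
    hits = [e for e in parse_keytab(data) if e["spn"] == spn]  # case-sensitive compare
    if not hits:
        return ["no entry for %s" % spn]
    return ["kvno %d in keytab, %d in directory" % (e["kvno"], ad_kvno)
            for e in hits if e["kvno"] != ad_kvno]

def sample_keytab(host, kvno):
    """Constructed test input: one HTTP/<host> entry with an all-zero 16-byte key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    rec = (struct.pack(">H", 2) + s(b"EXAMPLE.NET") + s(b"HTTP") + s(host.encode())
           + struct.pack(">IIBH", 3, 0, kvno, 0x17) + s(bytes(16)))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

To check a real file, pass the bytes of iloname.keytab (opened in binary mode) to check_keytab in place of the constructed sample.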