
Two Factor Authentication (TFA) is a security feature that strengthens the login and user session creation process. TFA requires a One Time Password (OTP) token in addition to the username and password credentials. When a Microsoft Active Directory user logs into an HPE iLO via the Graphical User Interface or via Redfish, the user must provide the six-digit OTP token that iLO sends by email to the mailbox defined in the user's Microsoft Active Directory properties.

TFA is implemented in the HPE iLO Redfish service as an OEM extension in the AccountService schema. When enabled, it is applicable for Microsoft Active Directory users.

Two Factor Authentication pre-requisites

Before enabling TFA, the following prerequisites are mandatory:

  • Microsoft Active Directory must be configured in iLO and working properly. Eligible Microsoft Active Directory users must be able to log in with simple (non-TFA) authentication. Refer to the Directory Authentication section for more detail.
  • Microsoft Active Directory users eligible for logging in via TFA must have a valid email address configured within Microsoft Active Directory.
  • HPE iLO must be properly configured for sending mail via the configured SMTP server. Refer to the Manager Network Protocol section for the different properties related to the mail and alert configuration.

The following example shows a typical iLO Microsoft Active Directory configuration suitable for TFA.

GET /redfish/v1/AccountService/?$select=LDAP/LDAPService,LDAP/ServiceAddresses,LDAP/ServiceEnabled,Oem/Hpe/DirectorySettings,ActiveDirectory

The following example shows a typical iLO mail subsystem configuration suitable for TFA.

TIP

The AlertMailEmail property is only related to the Alert Mail subsystem; the address it contains is not necessarily the email address of any Microsoft Active Directory user needed for TFA. However, it can be used to test and validate the connectivity to the SMTP server.

GET /redfish/v1/Managers/1/NetworkProtocol/?$select=Oem/Hpe/AlertMailSenderDomain,Oem/Hpe/AlertMailSMTPServer,Oem/Hpe/AlertMailEmail,Oem/Hpe/AlertMailEnabled,Oem/Hpe/AlertMailSMTPAuthEnabled,Oem/Hpe/AlertMailSMTPAuthPw,Oem/Hpe/AlertMailSMTPSecureEnabled,Oem/Hpe/AlertMailSMTPPort,Oem/Hpe/AlertMailSMTPAuthUser

The following example verifies that a Microsoft Active Directory user is properly configured for TFA, that is, that its mail property holds a valid e-mail address.

PS C:\> Get-ADUser -Filter "Name -eq 'ilo_admin'" -SearchBase "DC=lj,DC=lab" -Properties "mail" -Server dc.lj.lab -Credential lj\francois

NOTE

If the mail property of a Microsoft Active Directory user is empty, trying to log into iLO with this username returns a 409 Conflict status error with a "MailNotConfigured" error response.

Enabling Two Factor Authentication

To enable TFA in an HPE iLO management controller, the above prerequisites must be met and the following actions must be performed in this order:

  1. Set SMTPForTFAEnabled to true
  2. Set TwoFactorAuth to Enabled

The following example configures SMTPForTFAEnabled for TFA:

PATCH /redfish/v1/Managers/1/NetworkProtocol

The following example configures TwoFactorAuth for TFA:

PATCH /redfish/v1/AccountService

NOTE
  • Attempting to authenticate a Microsoft Active Directory user using Basic-Auth when TFA is enabled results in a 401 Unauthorized No Valid Session response.
  • If you configure SMTPForTFAEnabled to false when TwoFactorAuth is enabled, then TwoFactorAuth is automatically disabled.
  • You receive a PropertyValueIncompatible response message when you:
    • enable TwoFactorAuth when SMTPForTFAEnabled is set to false
    • enable TwoFactorAuth when LDAPAuthenticationMode is not properly configured
    • enable TwoFactorAuth when LDAPService is not properly configured

Using cURL and the Basic user authentication mechanism, the following example performs a GET against the AccountService URI. The request succeeds with a local account (Administrator), but fails with a Microsoft Active Directory username, because Basic-Auth cannot carry the OTP token.

curl -ksu Administrator:"AdminPassword" -X GET https://ilo-ip/redfish/v1/AccountService/ | jq '.Oem.Hpe.TwoFactorAuth'
"Enabled"

Creating a User Session with TFA

When TFA is enabled and the Microsoft Active Directory user credentials are provided in the body of a session creation request, a OneTimePasscodeSent response message is returned and a One Time Password (OTP) is sent to the email address configured for that Microsoft Active Directory user.

POST /redfish/v1/Sessions

To complete TFA, the Redfish client must retrieve the OTP from the mail sent to the Microsoft Active Directory user and supply it as the Token property in the payload of a second POST request to /redfish/v1/Sessions, along with the Microsoft Active Directory user credentials. The Token is a six digit positive non-zero integer value.

POST /redfish/v1/Sessions
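The two-step session creation described above, as an added example that is not HPE's code: a small Python client that sends the credentials, recognises the OneTimePasscodeSent reply, validates the OTP read from the mail and resends with the Token property. It assumes the message id is carried in the JSON error body's MessageId fields and that the created session comes back with the standard Redfish X-Auth-Token header; the helper names are mine.

```python
"""Added example (not HPE's code): the two-step POST /redfish/v1/Sessions exchange."""
import json
import re
import urllib.error
import urllib.request

SESSIONS_URI = "/redfish/v1/Sessions"
OTP_SENT_MESSAGE = "OneTimePasscodeSent"  # message id named on the page

def credentials_payload(username, password):
    """Step 1 body: credentials only; iLO replies OneTimePasscodeSent and mails the OTP."""
    return {"UserName": username, "Password": password}

def token_from_mail(otp_text):
    """OTP from the mail -> Token: a six digit positive non-zero integer per the page."""
    digits = otp_text.strip()
    if not re.fullmatch(r"[0-9]{6}", digits) or int(digits) == 0:
        raise ValueError("OTP must be six digits and non-zero")
    return int(digits)

def token_payload(username, password, otp_text):
    """Step 2 body: the same credentials plus the Token property."""
    return {**credentials_payload(username, password), "Token": token_from_mail(otp_text)}

def classify(status, body):
    """'otp_sent', 'created' or 'failed' (assumes the message id sits in the JSON body)."""
    if OTP_SENT_MESSAGE in json.dumps(body):
        return "otp_sent"
    return "created" if status == 201 else "failed"

def post_sessions(base_url, payload):
    """POST one payload to the Sessions collection; returns (status, body, headers)."""
    req = urllib.request.Request(base_url + SESSIONS_URI, method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:  # default context verifies the iLO cert
            return resp.status, json.loads(resp.read() or b"{}"), resp.headers
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}"), err.headers

def create_tfa_session(base_url, username, password, ask_otp):
    """Drive both steps; ask_otp() returns the OTP read from the user's mailbox."""
    status, body, _ = post_sessions(base_url, credentials_payload(username, password))
    if classify(status, body) != "otp_sent":
        raise RuntimeError(f"expected OneTimePasscodeSent, got HTTP {status}: {body}")
    status, body, headers = post_sessions(base_url, token_payload(username, password, ask_otp()))
    if classify(status, body) != "created":
        raise RuntimeError(f"session not created, HTTP {status}: {body}")
    return headers["X-Auth-Token"]
```

Call create_tfa_session("https://ilo-ip", r"lj\ilo_admin", password, input) to run the exchange interactively against an iLO whose certificate your trust store accepts.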