topic Quote:Gael Hofemeier (Intel) in Intel® Business Client Software Development

SCCM 2012 provisioned AMT authentication issue using HLAPI

Sergey — Tue, 27 Nov 2012 15:08:23 GMT

Hello,

I have an issue authenticating to AMT machine successfully provisioned by SCCM 2012 using HLAPI: I get "(401) Unathorized" exception from AMT WSMAN service even if requests to SOAP service works fine.

Some more details:

AMT version is 7.1.30
We use our own CA to issue certificates to AMT computers
I can connect to and manage the device using SCCM Out of Band Console
I use such connection info:
ConnectionInfoEX connectionInfo = new ConnectionInfoEX("someSomputer.someDomain.ad", null, null, true, null, ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
Current user is domain admin.
HLAPI successfully connects to the device using SOAP service: it returns version of the AMT ("7.1.30") in AMTInstanceManager.InitAMTInstanceMNG(). If I add my custom code to AMTInstanceManager I can get any data using this service:
- TlsAthenticationType == TlsAthenticationType.ServerAuth in SecurityAdministrationService.GetTlsOptions()
- And even certificate of the device by CertificateManagementEOI.GetAllCertificatesBlobs()
I enrolled certificate, added to local store and specified it's name in ConnectionInfoEX constructor, but I still got 401 exception. This cert has following OIDs: AMT Authenticate the Redirection Library (2.16.840.1.113741.1.2.1) and Client authentication (1.3.6.1.5.5.7.3.2).
If I specify my userName and password in ConnectionInfoEX I get 401 from SOAP. That's strange.

Any ideas what is the difference in authentication between SOAP and WSMAN services?

Regards

Finally I found source of the

Sergey — Wed, 28 Nov 2012 12:56:21 GMT

Finally I found source of the issue: HLAPI incorrectly sets up SPN in System.Net.AuthenticationManager.CustomTargetNameDictionary for Kerberos authentication for WSMAN service, it uses 16992 port instead of 16993 in key of the dictionary. For those who encounter the same problem: place following code just before your AMTInstanceFactory.CreateEX(connectionInfo): [csharp] string fqdn = string.Format("{0}.{1}", computerName, domain); string secureAmtUrl = string.Format("https://{0}:16993/wsman", fqdn); Uri secureAmtUri; if (Uri.TryCreate(secureAmtUrl, UriKind.Absolute, out secureAmtUri)) { if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(secureAmtUri.AbsoluteUri)) { string spn = string.Format("HTTP/{0}:16993", fqdn); AuthenticationManager.CustomTargetNameDictionary.Add(secureAmtUri.AbsoluteUri, spn); } } [/csharp]

Good catch. I will forward

Gael_H_Intel — Wed, 28 Nov 2012 19:02:52 GMT

Good catch. I will forward this information on to the engineering team.

What version of the SDK are

Gael_H_Intel — Mon, 03 Dec 2012 16:34:54 GMT

What version of the SDK are you using? Our dev team thinks they fixed this.

Quote:Gael Hofemeier (Intel)

Sergey — Tue, 04 Dec 2012 08:14:21 GMT

Gael Hofemeier (Intel) wrote:
What version of the SDK are you using? Our dev team thinks they fixed this.

I'm using Intel_AMT_8_SDK_Gold4197.

We just updated the HLAPI on

Gael_H_Intel — Wed, 12 Dec 2012 18:31:23 GMT

We just updated the HLAPI on our site - you can download the 8.1 version now - the 8.1 SDK is out there too. http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/