I have an issue with AMT and AD Integration. Right now I have setup an SCS and a few different profiles with AD Integration, ACL's, and Digest Users.
I have imported my Windows Server CA hash into the 2 test computers I have (1x HP Elitedesk 800, and 1x HP 8200 Elite).
When I use ACUConfig.exe to apply the profile from my SCS I can see the associated AD Computer Account being created in the OU that I've specified in the AMT Profile - so I believe the SCS has sufficient rights into this OU (I setup the permissions on the OU per the Intel Deployment Guide).
However when I try to authenticate using my domain credentials, it just does not work. The Digest Users that I have specified in the Profile all work fine - just not the domain credentials.
If I delete the (AMT) computer account, and apply a different AMT Profile (one that also has AD Integration enabled) then I can see the new computer account being created. Again I still cannot login using domain credentials - but I can with the Digest Users I specified in this different profile.
If I check the status of the computer (ACUConfig.exe /output console status) it shows the client being configured properly, and running in PKI and Admin Control Mode.
Please help. I am sure everything is configured properly - and applying different profiles is working (confirmed by using different Digest Users in different profiles). If there is a log I can check to see authentication errors that would be great - have not been able to find one yet.
The problem most likely is that the users involved are part of a lot of security groups. Which makes the AD user fairly large and AMT is probably not able to handle such a large profile size. Try using a user with fewer security groups and let me know your results.
I created a new user, and made it a member of AMTAdministrators (user is only a member of this group, and Domain Users).
When I login with this user, I get the same error as before: "Log on failed. Incorrect user name or password, or user account temporarily locked" - however I can confirm the account is valid and working by logging into a Windows computer with it.
Logging in with the Digest User works fine still.
On another note, I have specifically added a domain user (i.e. not a group) to the AMT Profile, but that has made no difference either.
What tool are you connecting to the Intel AMT client and getting the errors?
If using IE and connecting to the webUI, make sure that within Internet Options that the check box for "Enable Integrated Windows Authentication is checked"
Hey Joe, I do have Enable Integrated Windows Authentication checked.
The tools I am using to connect are Internet Explorer, Firefox, and VNCViewer Plus. All tools have the same problem - AD Authentication does not work, Digest User works fine.