Kerberos and AD integration, cannot access Web interface.. desperate for help

T_16 · ‎08-08-2013

Hi there,

I have enabled AD integration on our vPro hosts with the mindset of assigning admin priviledges to the IT team.

Now, using Intel Managability commander tool, and Real VNC Plus, I can authenticate great to the KVM stuff and the SOL interface, no pop ups, just straight through (with VNC+ anyway)

However, when trying to browse the web interface, NOTHING works...! This is from a Workstation running W7 SP1, and IE10... Tried other browers like Chrome, Firefox etc and its just the same.

Although the Firefox log on prompt actually states DIGEST in the window. This is odd, as Digest was not set up in the profile, but just AD integration.

Is the Web UI always digest by default and not integrated with AD? Also I could not log into the Mebx manually with ANY credentials at BIOS boot!

I'm not sure I'm doing much wrong as the process seemed really simple, so its making me feel even more stupid, if anyone can help I would be very, very grateful as I am rather desperate to get this working before a big rollout.

Thanks!

Juliano_M_ · ‎08-08-2013

What do you mean with Nothing work?

Are you trying to reach the https url? For example:

https://clientvpro02.infrainfo.lab:16993/wsman

Instead of

http://clientvpro02.infrainfo.lab:16992/wsman

The port change ok?

Gael_H_Intel · ‎08-08-2013

I would like to first address your not being able to log into the MEBx - the mebx cannot be set up for kerberos. You need to access it via the "admin" username with the password that you initially changed it to when you first enabled AMT.

None of your other usernames will work for the MEBx.

For kerberos and IE, there is an advanced settings (Go to Internet Options--> Advanced -- look at the settings under "Security):

Enable Integrated Windows Authentication - if this box is checked, it will automatically try to log on with your normal user credentials - not your AMT user credential.

When you do try to log on - make sure you are signing on with your domain included: domain\username , for example.

And along with Juliano's questions - are your clients enabled for TLS mode or non-TLS mode?

You can also read more about setting your system up for kerberos authentication in the Implementation and reference guide:

http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/default.htm?turl=WordDocuments%2Fconfiguringintelamtforkerberosauthentication.htm

T_16 · ‎08-12-2013

Hi,

TLS is not set up, it was just Kerberos. Ive done the IE setting, and that does not work either. When I use VNC+ it authtenicates great, but NO browers FF, Chrome, IE will authentice via Kerberos.

FF will say in its pop up that its looking for a DIGEST log on but Kerberos must be working for VNC+ to auto log in without a prompt??

IE will jsut keep prompting, no matter what credentials I am using.. DOMAIN\User or whatever. IT accepts nothing. Not even the digst default admin log on.

Its so bizzarre

As I say VNC authenticates and goes in, but no web browsers do with any credentials.

So frustrating.

Thanks!

T_16 · ‎08-12-2013

I dont know what "Compute the Kerberos master key from the Intel AMT object password."

Means in that guide. I dont think ive done that.. despite the fact VNC+ works ok.

Gael_H_Intel · ‎08-12-2013

Could you have an anti virus program that is filtering communications? Have you tried it from a different computer? Did you reboot your computer after modifying the IE setting that allows Kerberos authentication?

What version of AMT are you working with? And are you accessing the webui using: http://<ipaddress>:16992 ? Are you doing this on the local client itself, or from a remote computer?

What are you typing in your browser in order to access the Web UI?

In case Kerberos is used, and the browser supports Kerberos authentication, you should authenticate with a domain user that has access rights to the Intel AMT. (In Internet Explorer, support for Kerberos is defined in: Tools > Internet Options > Advanced. In the "Security" section, select Enable Integrated Windows Authentication.)

----------From the Implementation and Reference Guide:

The web browser will establish a TCP connection to the Intel AMT platform and access the top-level Intel AMT Configuration web page. To view this information, you will be prompted to authenticate by logging in with a user that was defined in the Intel AMT ACL:

If the Intel AMT device is in SMB Mode, you should use the default “admin” with the MEBx password (which is also the current network password).
If the Intel AMT device is in Enterprise Mode, you should use a user that was defined during the provisioning process, or the default admin with the current network password (which may vary from the MEBx password).
In case Kerberos is used, and the browser supports Kerberos authentication, you should authenticate with a domain user that has access rights to the Intel AMT. (In Internet Explorer, support for Kerberos is defined in: Tools > Internet Options > Advanced. In the "Security" section, select Enable Integrated Windows Authentication.)

Gael_H_Intel · ‎08-12-2013

Kerberos Master Key:

Changing the master key: The Kerberos master key is shared between Active Directory and the Intel AMT device. It is inserted to the Intel AMT device during setup and configuration and inserted into Active Directory. The key can be changed manually at any time, but the values in Active Directory and Intel AMT must match, so updating one requires updating the other as well.

• Enabling Kerberos will not succeed if the network time was not set first.

I found another thread on the vPro expert center that might help.

http://communities.intel.com/docs/DOC-2984

You might also want to check out this thread: http://communities.intel.com/message/108495#108495