Community
cancel
Showing results for 
Search instead for 
Did you mean: 
RBens2
Valued Contributor I
46 Views

Problems with IE and Kerberos

Hello All,

I'm trying to do some testing with AMT and Kerberos through Active Directory and I'm running into some issues with IE. I've got Kerberos working with DTK Commander and with the command line tools from the SDK, but I've been unable to get IE to connect to the WebUI on any of my test systems. I've tried XP, Vista, and Win7; and I've tried IE6, IE7, and IE8 - all to no avail. I know the docs talk about a KB fix for IE6, but I figured that IE7 or IE8 would work, but I haven't been able to get any of them to successfully authenticate to the ME. Any suggestions?

Thanks,
Roger

0 Kudos
6 Replies
Richard_B_Intel1
Employee
46 Views

Quoting - rogerb
Hello All,

I'm trying to do some testing with AMT and Kerberos through Active Directory and I'm running into some issues with IE. I've got Kerberos working with DTK Commander and with the command line tools from the SDK, but I've been unable to get IE to connect to the WebUI on any of my test systems. I've tried XP, Vista, and Win7; and I've tried IE6, IE7, and IE8 - all to no avail. I know the docs talk about a KB fix for IE6, but I figured that IE7 or IE8 would work, but I haven't been able to get any of them to successfully authenticate to the ME. Any suggestions?

Thanks,
Roger

Hi Roger-

Are you receiving a specific error? If so, what is it? Also, is it the same errorwithall versions of IE?

Finally, per the "Intel AMT Integration with Active Directory" document provided with the SDK,have you added the domain(s) containing the Intel AMT systems to IE's list of trusted sites?
Lance_A_Intel
Employee
46 Views


Hi Roger,
You may want to try the tips in this blog post.
RBens2
Valued Contributor I
46 Views

I'm logged into the system as a domain admin, and I've got IE setup to use windows authentication, but I still can't get the system to authenticate with the AMT client. When I hit the Login button in the WebUI, I get a dialog box for entering my User id and password, I enter the domain userid and password, and it just returns without authenticating. Each time I reenter the password, it just comes back with a no authentication. I also setup the DNS domain to be a trusted site, and that didn't seem to make a difference. I thought that kerberos would allow me to not have to be prompted to enter a username and password, that it would just use the SID from my login to Windows to authenticate me to the AMT client through the Kerberos server. Why is it asking me for a username and password?

Thanks,
Roger

Richard_B_Intel1
Employee
46 Views

Roger-
I believe I have duplicated your situation; let me look into the issues.

Richard_B_Intel1
Employee
46 Views

Roger-

Sorry for the delayed response. It appears the IE6Hotfix documented in the "Intel AMT Integration with Active Directory" .pdf (KB908209) is still necessary for Kerberos to work with IE7 and IE8. With thisHotfix in place I was able to provision an AMT 5.x system with the SDK's ConfigurationServer example (Kerberos enabled indefault.conf.xml) and then access the system via the WebUI without re-entering User Name & Password.

Trevor_Sullivan
Beginner
46 Views

Quoting - rogerb
Hello All,

I'm trying to do some testing with AMT and Kerberos through Active Directory and I'm running into some issues with IE. I've got Kerberos working with DTK Commander and with the command line tools from the SDK, but I've been unable to get IE to connect to the WebUI on any of my test systems. I've tried XP, Vista, and Win7; and I've tried IE6, IE7, and IE8 - all to no avail. I know the docs talk about a KB fix for IE6, but I figured that IE7 or IE8 would work, but I haven't been able to get any of them to successfully authenticate to the ME. Any suggestions?

Thanks,
Roger

Roger,

Even though the hotfix itself is not applicable to IE7 and IE8, you still must apply the registry fix that is referenced in the KB article.

32-bit Platform
HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerMainFeature ControlFEATURE_INCLUDE_PORT_IN_SPN_KB908209

64-bit Platform
HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftInternet ExplorerMainFeature ControlFEATURE_INCLUDE_PORT_IN_SPN_KB908209

Data Type: REG_DWORD

Value Name: iexplore.exe

Value: 01


Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Reply