Hello,
I have an issue authenticating to an AMT machine successfully provisioned by SCCM 2012 using HLAPI: I get a "(401) Unauthorized" exception from the AMT WSMAN service even though requests to the SOAP service work fine.
Some more details:
- AMT version is 7.1.30
- We use our own CA to issue certificates to AMT computers
- I can connect to and manage the device using SCCM Out of Band Console
- I use this connection info:
[csharp]
ConnectionInfoEX connectionInfo = new ConnectionInfoEX("someSomputer.someDomain.ad", null, null, true, null, ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
[/csharp]
  Current user is domain admin.
- HLAPI successfully connects to the device using the SOAP service: it returns the version of the AMT ("7.1.30") in AMTInstanceManager.InitAMTInstanceMNG(). If I add my custom code to AMTInstanceManager I can get any data using this service:
  - TlsAthenticationType == TlsAthenticationType.ServerAuth in SecurityAdministrationService.GetTlsOptions()
  - And even the certificate of the device by CertificateManagementEOI.GetAllCertificatesBlobs()
- I enrolled a certificate, added it to the local store and specified its name in the ConnectionInfoEX constructor, but I still got the 401 exception. This cert has the following OIDs: AMT Authenticate the Redirection Library (2.16.840.1.113741.1.2.1) and Client authentication (1.3.6.1.5.5.7.3.2).
- If I specify my userName and password in ConnectionInfoEX I get 401 from SOAP. That's strange.
Any ideas what the difference in authentication is between the SOAP and WSMAN services?
Regards
1 Solution
Finally I found the source of the issue: HLAPI incorrectly sets up the SPN in System.Net.AuthenticationManager.CustomTargetNameDictionary for Kerberos authentication for the WSMAN service; it uses port 16992 instead of 16993 in the key of the dictionary. For those who encounter the same problem: place the following code just before your AMTInstanceFactory.CreateEX(connectionInfo):
[csharp]
// Requires: using System; using System.Net;
// computerName and domain are the caller's own variables for the AMT host.
string fqdn = string.Format("{0}.{1}", computerName, domain);
// URL of the WSMAN service on the TLS port (16993)
string secureAmtUrl = string.Format("https://{0}:16993/wsman", fqdn);
Uri secureAmtUri;
if (Uri.TryCreate(secureAmtUrl, UriKind.Absolute, out secureAmtUri))
{
    // Register the SPN for this URL only if no mapping exists yet
    if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(secureAmtUri.AbsoluteUri))
    {
        // SPN with the same port as the URL key
        string spn = string.Format("HTTP/{0}:16993", fqdn);
        AuthenticationManager.CustomTargetNameDictionary.Add(secureAmtUri.AbsoluteUri, spn);
    }
}
[/csharp]
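Added example, not part of the original posts and not HLAPI code: a small diagnostic that prints the SPN mappings currently registered in AuthenticationManager.CustomTargetNameDictionary for one AMT host and reports whether any of them is keyed on port 16993, the mismatch described in the post above. The class and method names (AmtSpnCheck, Mismatch, Report) are hypothetical, and it assumes the dictionary keys are absolute URLs as in the workaround.

```csharp
using System;
using System.Net;

// Added diagnostic, not HLAPI code; AmtSpnCheck and its members are hypothetical names.
static class AmtSpnCheck
{
    const int WsmanTlsPort = 16993; // TLS WSMAN port used in the workaround above

    // Returns null when the SPN's port equals the URI's port, else a short description.
    public static string Mismatch(Uri uri, string spn)
    {
        if (spn == null) return "no SPN value";
        int colon = spn.LastIndexOf(':');
        int spnPort;
        if (colon < 0 || !int.TryParse(spn.Substring(colon + 1), out spnPort))
            return "SPN has no port";
        return uri.Port == spnPort
            ? null
            : string.Format("URI port {0}, SPN port {1}", uri.Port, spnPort);
    }

    // Lists the SPN mappings registered for fqdn and returns true when one of
    // them is keyed on the TLS WSMAN port.
    public static bool Report(string fqdn)
    {
        bool tlsKeyFound = false;
        var map = AuthenticationManager.CustomTargetNameDictionary;
        foreach (string key in map.Keys)
        {
            Uri uri;
            if (!Uri.TryCreate(key, UriKind.Absolute, out uri)) continue;
            if (!string.Equals(uri.Host, fqdn, StringComparison.OrdinalIgnoreCase)) continue;

            string spn = map[key];
            Console.WriteLine("{0} -> {1} [{2}]", key, spn, Mismatch(uri, spn) ?? "ok");
            if (uri.Port == WsmanTlsPort) tlsKeyFound = true;
        }
        if (!tlsKeyFound)
            Console.WriteLine("No mapping keyed on port {0} for {1}", WsmanTlsPort, fqdn);
        return tlsKeyFound;
    }
}
```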
Good catch. I will forward this information on to the engineering team.
What version of the SDK are you using? Our dev team thinks they fixed this.
Gael Hofemeier (Intel) wrote:
"What version of the SDK are you using? Our dev team thinks they fixed this."
I'm using Intel_AMT_8_SDK_Gold4197.
We just updated the HLAPI on our site - you can download the 8.1 version now - the 8.1 SDK is out there too.
http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/