Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

SCCM 2012 provisioned AMT authentication issue using HLAPI

Sergey
Novice
461 Views

Hello,

I have an issue authenticating to an AMT machine successfully provisioned by SCCM 2012 using HLAPI: I get a "(401) Unauthorized" exception from the AMT WSMAN service even though requests to the SOAP service work fine.

Some more details:

  • AMT version is 7.1.30
  • We use our own CA to issue certificates to AMT computers
  • I can connect to and manage the device using SCCM Out of Band Console
  • I use this connection info:
    ConnectionInfoEX connectionInfo = new ConnectionInfoEX("someSomputer.someDomain.ad", null, null, true, null, ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
    Current user is domain admin. 
  • HLAPI successfully connects to the device using the SOAP service: it returns the version of AMT ("7.1.30") in AMTInstanceManager.InitAMTInstanceMNG(). If I add my custom code to AMTInstanceManager I can get any data using this service:
    - TlsAthenticationType == TlsAthenticationType.ServerAuth in SecurityAdministrationService.GetTlsOptions()
    - And even certificate of the device by CertificateManagementEOI.GetAllCertificatesBlobs()
  • I enrolled a certificate, added it to the local store and specified its name in the ConnectionInfoEX constructor, but I still got a 401 exception. This cert has the following OIDs: AMT Authenticate the Redirection Library (2.16.840.1.113741.1.2.1) and Client authentication (1.3.6.1.5.5.7.3.2).
  • If I specify my userName and password in ConnectionInfoEX I get 401 from SOAP. That's strange. 

Any ideas what is the difference in authentication between SOAP and WSMAN services?

Regards

0 Kudos
1 Solution
Sergey
Novice
461 Views
Finally I found the source of the issue: HLAPI incorrectly sets up the SPN in System.Net.AuthenticationManager.CustomTargetNameDictionary for Kerberos authentication to the WSMAN service; it uses port 16992 instead of 16993 in the key of the dictionary. For those who encounter the same problem: place the following code just before your AMTInstanceFactory.CreateEX(connectionInfo):

[csharp]
// Requires: using System; using System.Net;
// computerName and domain are the AMT machine's host name and DNS domain.
string fqdn = string.Format("{0}.{1}", computerName, domain);
string secureAmtUrl = string.Format("https://{0}:16993/wsman", fqdn);
Uri secureAmtUri;
if (Uri.TryCreate(secureAmtUrl, UriKind.Absolute, out secureAmtUri))
{
    // Register the SPN under the TLS WSMAN endpoint (port 16993) if it is missing.
    if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(secureAmtUri.AbsoluteUri))
    {
        string spn = string.Format("HTTP/{0}:16993", fqdn);
        AuthenticationManager.CustomTargetNameDictionary.Add(secureAmtUri.AbsoluteUri, spn);
    }
}
[/csharp]


0 Kudos
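A diagnostic for the mismatch described in the solution above, as an added example that is not part of the original post or of the Intel SDK: it checks whether System.Net.AuthenticationManager.CustomTargetNameDictionary holds an SPN for the exact endpoint URI and lists entries for the same host that are keyed under a different port. The class and method names (SpnMappingCheck, Describe) are hypothetical, the host name and SPN in Main are constructed sample values, and the code assumes the .NET Framework System.Net stack that HLAPI uses.

```csharp
using System;
using System.Collections;
using System.Collections.Specialized;
using System.Net;

static class SpnMappingCheck
{
    // Returns null when a custom SPN is registered for exactly this endpoint URI.
    // Otherwise returns a report that lists same-host entries keyed under another port,
    // which is the symptom described in the post (key built with 16992, request sent to 16993).
    public static string Describe(string endpointUrl)
    {
        Uri endpoint = new Uri(endpointUrl);
        StringDictionary map = AuthenticationManager.CustomTargetNameDictionary;

        if (map.ContainsKey(endpoint.AbsoluteUri))
            return null;

        string report = "No SPN mapping for " + endpoint.AbsoluteUri;
        foreach (DictionaryEntry entry in map)
        {
            Uri key;
            if (Uri.TryCreate((string)entry.Key, UriKind.Absolute, out key)
                && string.Equals(key.Host, endpoint.Host, StringComparison.OrdinalIgnoreCase)
                && key.Port != endpoint.Port)
            {
                report += Environment.NewLine
                    + "  same host, different port: " + entry.Key + " -> " + entry.Value;
            }
        }
        return report;
    }

    static void Main()
    {
        // Constructed sample entry that mimics a mapping keyed on the non-TLS port.
        AuthenticationManager.CustomTargetNameDictionary.Add(
            "https://amt-host.example.test:16992/wsman",
            "HTTP/amt-host.example.test:16992");

        // Ask about the TLS WSMAN endpoint that the request is actually sent to.
        string result = Describe("https://amt-host.example.test:16993/wsman");
        Console.WriteLine(result ?? "SPN mapping present for this endpoint");
    }
}
```

In a real application, drop the constructed entry in Main and call Describe with the WSMAN URL of the machine that returns 401.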
5 Replies
Gael_H_Intel
Moderator
461 Views
Good catch. I will forward this information on to the engineering team.
0 Kudos
Gael_H_Intel
Moderator
461 Views
What version of the SDK are you using? Our dev team thinks they fixed this.
0 Kudos
Sergey
Novice
461 Views
Gael Hofemeier (Intel) wrote:

What version of the SDK are you using? Our dev team thinks they fixed this.

I'm using Intel_AMT_8_SDK_Gold4197.
0 Kudos
Gael_H_Intel
Moderator
461 Views
We just updated the HLAPI on our site - you can download the 8.1 version now - the 8.1 SDK is out there too. http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/
0 Kudos