Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

SCCM 2012 provisioned AMT authentication issue using HLAPI

Sergey
Novice
1,019 Views

Hello,

I have an issue authenticating to an AMT machine successfully provisioned by SCCM 2012 using HLAPI: I get a "(401) Unauthorized" exception from the AMT WSMAN service even though requests to the SOAP service work fine.

Some more details:

  • AMT version is 7.1.30
  • We use our own CA to issue certificates to AMT computers
  • I can connect to and manage the device using SCCM Out of Band Console
  • I use this connection info:
    ConnectionInfoEX connectionInfo = new ConnectionInfoEX("someSomputer.someDomain.ad", null, null, true, null, ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
    Current user is domain admin. 
  • HLAPI successfully connects to the device using the SOAP service: it returns the version of the AMT ("7.1.30") in AMTInstanceManager.InitAMTInstanceMNG(). If I add my custom code to AMTInstanceManager I can get any data using this service:
    - TlsAthenticationType == TlsAthenticationType.ServerAuth in SecurityAdministrationService.GetTlsOptions()
    - And even certificate of the device by CertificateManagementEOI.GetAllCertificatesBlobs()
  • I enrolled a certificate, added it to the local store and specified its name in the ConnectionInfoEX constructor, but I still got a 401 exception. This cert has the following OIDs: AMT Authenticate the Redirection Library (2.16.840.1.113741.1.2.1) and Client authentication (1.3.6.1.5.5.7.3.2).
  • If I specify my userName and password in ConnectionInfoEX I get 401 from SOAP. That's strange. 

Any ideas what the difference in authentication is between the SOAP and WSMAN services?

Regards

0 Kudos
5 Replies
Sergey
Novice
1,020 Views
Finally I found the source of the issue: HLAPI incorrectly sets up the SPN in System.Net.AuthenticationManager.CustomTargetNameDictionary for Kerberos authentication for the WSMAN service; it uses port 16992 instead of 16993 in the key of the dictionary. For those who encounter the same problem: place the following code just before your AMTInstanceFactory.CreateEX(connectionInfo):

[csharp]
// Requires: using System; using System.Net;
// computerName and domain are the AMT machine's host name and AD domain.
string fqdn = string.Format("{0}.{1}", computerName, domain);
string secureAmtUrl = string.Format("https://{0}:16993/wsman", fqdn);
Uri secureAmtUri;
if (Uri.TryCreate(secureAmtUrl, UriKind.Absolute, out secureAmtUri))
{
    // Map the TLS WS-Man URL (port 16993) to its SPN unless an entry already exists.
    if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(secureAmtUri.AbsoluteUri))
    {
        string spn = string.Format("HTTP/{0}:16993", fqdn);
        AuthenticationManager.CustomTargetNameDictionary.Add(secureAmtUri.AbsoluteUri, spn);
    }
}
[/csharp]
0 Kudos
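A diagnostic for the SPN mapping described in the post above, as an added example (not part of the original thread or of the Intel SDK): it lists the entries in CustomTargetNameDictionary for one AMT host and reports a missing :16993 WS-Man key or a key whose port differs from the port in its SPN. The class and method names and the sample host are hypothetical, and treating a key/SPN port mismatch as a finding is an assumption drawn from the workaround, where both ports match.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Net;

// Hypothetical helper (not part of HLAPI): inspects the process-wide SPN map.
static class AmtSpnCheck
{
    const int AmtTlsPort = 16993; // TLS WS-Man port named in the post

    public static List<string> Check(string fqdn)
    {
        var findings = new List<string>();
        string tlsKey = new Uri(string.Format("https://{0}:{1}/wsman", fqdn, AmtTlsPort)).AbsoluteUri;
        bool tlsMapped = false;

        foreach (DictionaryEntry e in AuthenticationManager.CustomTargetNameDictionary)
        {
            Uri key;
            if (!Uri.TryCreate((string)e.Key, UriKind.Absolute, out key)) continue;
            if (!string.Equals(key.Host, fqdn, StringComparison.OrdinalIgnoreCase)) continue;

            // Same exact-key test the workaround performs with ContainsKey().
            if (string.Equals(key.AbsoluteUri, tlsKey, StringComparison.OrdinalIgnoreCase))
                tlsMapped = true;

            // Assumption: the SPN should end in ":<port>" matching the key's port,
            // as in the workaround (HTTP/<fqdn>:16993 for the :16993 URL).
            string spn = e.Value as string ?? "";
            int colon = spn.LastIndexOf(':');
            int spnPort;
            if (colon < 0 || !int.TryParse(spn.Substring(colon + 1), out spnPort))
                findings.Add(string.Format("{0} -> {1}: SPN has no port", key, spn));
            else if (spnPort != key.Port)
                findings.Add(string.Format("{0} -> {1}: key port {2} != SPN port {3}", key, spn, key.Port, spnPort));
        }

        if (!tlsMapped)
            findings.Add("no SPN mapping for " + tlsKey);
        return findings;
    }

    static void Main(string[] args)
    {
        // Constructed sample: an entry keyed on 16992, like the one the post describes.
        string fqdn = args.Length > 0 ? args[0] : "amt-host.example.test";
        AuthenticationManager.CustomTargetNameDictionary.Add(
            string.Format("https://{0}:16992/wsman", fqdn), "HTTP/" + fqdn + ":16993");
        foreach (string f in Check(fqdn)) Console.WriteLine(f);
    }
}
```

To inspect what HLAPI itself registered, call `AmtSpnCheck.Check(fqdn)` in the same process after the failing connection attempt instead of using the constructed entry in `Main`.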
Gael_H_Intel
Moderator
1,019 Views
Good catch. I will forward this information on to the engineering team.
0 Kudos
Gael_H_Intel
Moderator
1,019 Views
What version of the SDK are you using? Our dev team thinks they fixed this.
0 Kudos
Sergey
Novice
1,019 Views
Gael Hofemeier (Intel) wrote:

What version of the SDK are you using? Our dev team thinks they fixed this.

I'm using Intel_AMT_8_SDK_Gold4197.
0 Kudos
Gael_H_Intel
Moderator
1,019 Views
We just updated the HLAPI on our site - you can download the 8.1 version now - the 8.1 SDK is out there too. http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/
0 Kudos