Re: HLAPI: Kerberos authentication - getting the realms of a user from a machine that is not in the domain

idata · ‎04-03-2017

Hi everyone,

I am trying to connect to an AMT machine that is provisioned with Kerberos authentication (no TLS at this point), using the HLAPI. The connection is done from a machine that is not in the same domain as the users defined for Kerberos authentication.

The connection to the machine works fine:

amt = AMTInstanceFactory.CreateEX(ci);

After I connect, I need to get the realms of the user. If I attempt:

KerberosEntry kerberosUser = amt.Config.ACL.GetKerberosUser(ci.UserName);

List realms = kerberosUser.Realms;

it fails with an exception with failure: Intel.Manageability.Exceptions.ACLFailures.UserNameDoesNotExists

This probably makes sense, since the HLAPI GetKerberosUser() function uses the system functions to get the SID of the given username:

string sid = (userNameOrSID.Contains("\\")) ? GetUserNameSID(userNameOrSID) : userNameOrSID;

and GetUserNameSID tries:

NTAccount account = new NTAccount(userName);

SecurityIdentifier sIdentifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

It cannot translate the username to an SID because the object does not exist in the Active Directory this machine is part of.

My question is: can somehow the SID of the user that was used for Kerberos authentication be obtained from the AMT machine (AMT instance), instead of trying to resolve it locally from the machine where the connection is initiated?

If I could run the GetKerberosUser function giving directly the SID as parameter, instead of username, it would probably succeed and get the realms correctly.

Any advice would be greatly appreciated. Thanks in advance.

Yehuda_S_Intel · ‎04-14-2017

Hi Anitallica,

It seems to me like what you are attempting to do is somewhat against the proper usage of kerberos authentication. Let MC be the machine from which you are trying to make the connection and AMT the machine you are trying to connect to. Is it the case that MC and AMT are in different domains that are related in the domain hierarchy or do they belong to completely disjoint domains?

In the case of having the domains belong to the same hierarchy ( meaning they are sibling domans or parent/childs of eachother) you can probably use the C# ActiveDirectory modules to resolve the SID.

To answer your question about querying AMT for the user, this will only be possible if you have an other means of authenticating with AMT, for example Digest credentials or a different kerberos user that does belong to the domain (and have access to the Security Administration , General Info Realms) , in which scenario you can Invoke https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/HTMLDocuments/WS-Management_Class_Reference/AMT_AuthorizationService.htm# EnumerateUserAclEntries AMT_AuthorizationService.EnumerateUserAclEntries in order to get the ACL entries in AMT.

Hope this answers your question

Ariel Silverman

Anitallica

idata · ‎04-18-2017

Hi Ariel,

Thanks for the reply!

The machine I am connecting from may just as well be in a workgroup, so not at all connected with the domain.The login with Kerberos works, apparently it's the AMT target machine that verifies the provided Kerberos user, so I don't need to find an alternative method for logging in.. I am just not sure how I would invoke AMT_AuthorizationService.EnumerateUserAclEntries. I assume this is part of the low lever API, it's not accessible in the HLAPI, is that correct? If yes, how would I, from my IAMTInstance object, use the AMT_AuthorizationService?

Thanks.