- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All!
----------------
First off, Digest Authentication works without ANY issue
----------------
Im running into an issue with Kerberos Authentication. I was hoping someone could provide some insight as to whats going on.
Below is the environment im working with
1) Intel SCS Server v11.1 (Windows Server 2012)
2) Lenovo X1 Carbon Gen 4 (Windows 10 1703)
I am using the most basic Profile possible for AD Integration with ACL Groups
No other options are being selected as of now (NO TLS, NO Home Domains, NO Remote, NO Network, etc)
For the AD Integration piece, i performed the following:
1) I created the OU in our active directory
2) I gave the SCS Admin user FULL CONTROL to the OU
For the ACL piece, i performed the following
1) I created a SCS Admin Domain Local Group in Active Directory and added the SCS Admin user to the group
2) I added the SCS Admin Group to the ACL in the profile (Permissions are EVERYTHING except Access Monitor)
2) I added the SCS Admin User itself to the ACL in the profile (Permissions are EVERYTHING except Access Monitor)
The profile has 2 entries, 1 is the SCS admin, and the other is the group
----------------
When I remote_configure the X1 Carbon Laptop, everything succeeds and the system is Configured in Admin Control Mode
I see the system report to the SCS server, and I am able to hit the AMT Web UI @ http://laptop.domain.com:16992
Furthermore, I am able to access ALL AMT functions including KVM using the Intel Manageability Commander (Mesh Edition)
BUT....
ONLY with the DIGEST authentication (admin / ******)
----------------
Kerberos is NOT working....
I have performed the following troubleshooting steps for Kerberos
1) I verified the computer account is being created in the OU (samAccountName = LAPTOP$iME)
2) I verified the servicePrincipalName on the above object contains the following SPN's
HTTP/LAPTOP.DOMAIN.COM:664
HTTP/LAPTOP.DOMAIN.COM:623
HTTP/LAPTOP.DOMAIN.COM:16995
HTTP/LAPTOP.DOMAIN.COM:16994
HTTP/LAPTOP.DOMAIN.COM:16993
HTTP/LAPTOP.DOMAIN.COM:16992
3) I verified there are NO duplicate SPN's in our environment (setspn -X)
As far as I can tell, that is all that's required to get AD / Kerberos up and running
----------------
When I try to hit the AMT Web UI using Internet Explorer or Chrome, I get a challenge for Username / Password
If i type incorrect domain credentials, it goes to the Intel Login page and says (Incorrect Password)
If i type correct domain credentials, I get a HTTP 400 - Bad Request
---------------
When i use the Intel Manageability Commander (Kerberos NO TLS), I get "Error # 400"
When i use the Intel Manageability Commander (Digest), It works perfectly
---------------
Im not sure whats going on here.
I have the environment stripped down to the very minimum required to get a system provisioned via SCS with AD intefgration
What am i missing?
Any assistance is much appreciated!
Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
The issue has been identified and resolved.
Root cause was Token Bloat
The maximum Kerberos token size allowable by vPro / AMT is located here
https://software.intel.com/en-us/node/631441 https://software.intel.com/en-us/node/631441
When testing the above setup using an account with a token size within the allowable limits, the issue has been resolved.
I confirmed that Kerberos is now working as expected, along with Kerberos with TLS
Thanks!
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
The issue has been identified and resolved.
Root cause was Token Bloat
The maximum Kerberos token size allowable by vPro / AMT is located here
https://software.intel.com/en-us/node/631441 https://software.intel.com/en-us/node/631441
When testing the above setup using an account with a token size within the allowable limits, the issue has been resolved.
I confirmed that Kerberos is now working as expected, along with Kerberos with TLS
Thanks!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page