Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

KVM and Active Directory

IDosk
Beginner
1,938 Views

Is there a possibility to use Active Directory authentication to access KVM?

0 Kudos
8 Replies
Alan_A_Intel
Employee
850 Views

idosk,

Yes, it's possible to use Active Directory to authenticate your KVM connections. You will need to select both Active Directory Integration and Access Control List in your SCS profile. Then in the ACL section give your Active Directory user or group the necessary access rights.

For more information about this, download Intel SCS and look through the Intel SCS User Guide.

https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921

0 Kudos
IDosk
Beginner
850 Views

I can only connect to KVM if I grant the "PT Administration" permission directly to the user account.

If I grant this permission to a group (which includes my user account), I can't connect to KVM.

Is there a possibility to grant permission to an AD group to connect to KVM?

0 Kudos
Alan_A_Intel
Employee
850 Views

Granting permissions to an AD group instead of a single user is possible. Just make sure that you are logged into the computer initiating the KVM connection with a user from that AD group. Also, if you're using RealVNC Viewer Plus to initiate the connection, verify "Use single sign-on if VNC Server supports it" is checked.

0 Kudos
IDosk
Beginner
850 Views

I really logged into the computer initiating the KVM connection with a user from the AD group which has "PT Administration". And "Use single sign-on if VNC Server supports it" is checked. But I get the error: "The user account [Intel(r) AMT: RemoteID 35] does not have the relevant permissions to access the AMT server."

0 Kudos
Alan_A_Intel
Employee
850 Views

I would suggest trying a klist purge command to clear any old Kerberos tickets. This will eliminate the possibility of an old Kerberos ticket being used in error.

0 Kudos
IDosk
Beginner
850 Views

Alan,

I tried klist purge, logging off, and rebooting my client machine, but it didn't help.

I noticed that when I grant permission directly to a user, I get two tickets:

  1. Server: HTTP/pc57.mydomain.com:16992
  2. Server: HTTP/pc57.mydomain.com:16994

But if I grant permission to a group (which contains my user account), I get only one ticket:

Server: HTTP/pc57.mydomain.com:16992.

But why haven't I received a ticket for port 16994? Maybe there are some requirements for this group?

0 Kudos
Alan_A_Intel
Employee
850 Views

idosk,

I've recently learned that RealVNC is aware of this issue and is working on an update. The update is scheduled to be released in the early part of October.

As for the 16994 Kerberos ticket, this is for Serial Over LAN and IDE Redirection, which is set after you've established a connection to the client. You're not seeing this ticket because you're not able to establish the initial connection.

0 Kudos
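The ticket comparison in the two posts above can be scripted. This is an added example, not part of the original thread and not an Intel or RealVNC tool: it parses saved `klist` output and reports which AMT service tickets are cached for a host. The sample output, the user name `jdoe` and the state names are constructed for illustration.

```python
import re

# Constructed sample of Windows `klist` output; the host name follows the thread.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: jdoe @ MYDOMAIN.COM
        Server: krbtgt/MYDOMAIN.COM @ MYDOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ MYDOMAIN.COM
        Server: HTTP/pc57.mydomain.com:16992 @ MYDOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# Ports named in the thread: 16992 (initial connection), 16994 (SOL/IDE redirection).
AMT_PORTS = (16992, 16994)
SERVER_RE = re.compile(r"^\s*Server:\s*HTTP/([^:\s@]+):(\d+)", re.I | re.M)


def amt_tickets(klist_text):
    """Return {host: {ports}} for cached HTTP/<host>:<port> tickets on AMT ports."""
    found = {}
    for host, port in SERVER_RE.findall(klist_text):
        if int(port) in AMT_PORTS:
            found.setdefault(host.lower(), set()).add(int(port))
    return found


def diagnose(klist_text, host):
    """Classify the ticket cache for one AMT host (state names are hypothetical)."""
    ports = amt_tickets(klist_text).get(host.lower(), set())
    if 16992 not in ports:
        # No service ticket at all: Kerberos never got as far as the AMT host.
        return "no-amt-ticket"
    if 16994 not in ports:
        # Matches the group-permission case in the thread: the 16992 ticket was
        # issued, but the redirection ticket is only requested after the
        # initial connection succeeds, so the failure is after authentication.
        return "initial-only"
    return "redirection-ticket-present"


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, "pc57.mydomain.com"))
```

Run it against output captured with `klist > tickets.txt` once after a direct-user grant and once after a group grant to compare the two states.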
IDosk
Beginner
850 Views

It really is a problem with RealVNC.

I've tried DameWare Mini Remote Control and it works well.

0 Kudos