Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2980 Discussions

Problem with Keberos authentication

TKrem1
New Contributor I
‎08-04-2020 05:33 AM
4,348 Views
Solved Jump to solution

Hello, everyone,
we are currently trying to switch our AMT wakeup to Keberos authentication. Until now, the set admin account with password was used to start and manage clients. To ensure more security, Keberos will be used now.
We have set it up according to the templates of the Intel AMT Implementation and Reference Guide. The AD integration is active, objects are created under the computer name with the addition $IME. The users in question were authorized via the SCS profile.
Here we experimented with the rights, even full access does not have the desired effect.
If an authorized user tries to send a WakeUp it will be denied with missing rights.
Are there any experiences or further tips on this topic?

Thanks
Thomas

0 Kudos
1 Solution
TKrem1
New Contributor I
‎09-10-2020 06:03 AM
3,978 Views
Solved Jump to solution
In response to olliepope80

Thanks to a troubleshooting we found our problem. It was homemade. The Powershell command for credential propagation required the domain in addition to the username.

Domain\Username immediately established the Keberos connection.

Thanks again.

View solution in original post

In response to olliepope80
0 Kudos
Copy link

Link Copied

10 Replies
JoseH_Intel
Moderator
‎08-04-2020 05:51 PM
4,339 Views
Solved Jump to solution

Hello TKrem1,

 

Thank you for joining the Intel community.

 

Could you please attach some screenshots if possible of your AD setup and the error message received. We will use them to elevate your issue to our senior team.

There are some issues reported about Kerberos and AD integration. It seems that the issue comes from Windows trying to access WS-Management service. Go to run 'Services.msc' at Windows start button and locate 'Windows Remote Management (WS-Management)' observe his current status, restart the service and set it to automatic.

 

We will look forward for your updates.

 

Regards

Jose A.

Intel Customer Support

 

 

0 Kudos
Copy link
TKrem1
New Contributor I
‎08-05-2020 01:14 AM
4,333 Views
Solved Jump to solution
In response to JoseH_Intel

Hello, Jose,

I checked the WS-Management service. It is set to automatic and runs during the WakeUp attempt. I restarted the service, but it didn't help.
On the screens you can see the AD configuration in the SCS profile and the error message when the user tries to do the wakeup. If the command is sent with the default admin ID, the machine responds immediately.

 

Regards
Thomas

In response to JoseH_Intel
Preview file
907 KB
Preview file
54 KB
Preview file
870 KB
0 Kudos
Copy link
JoseH_Intel
Moderator
‎08-05-2020 05:44 PM
4,321 Views
Solved Jump to solution

Hello TKrem1,


Thanks for the updates provided. I will proceed to elevate your issue to our senior team. I will let you know as soon as I get any word from them.


Regards


Jose A.

Intel Customer Support


0 Kudos
Copy link
JoseH_Intel
Moderator
‎08-06-2020 07:09 PM
4,314 Views
Solved Jump to solution

Hello TKrem1,


Could you please confirm if you have PT Administrator selected for the user in permissions? 


Will look forward for your updates.


Regards


Jose A.

Intel Customer Support


0 Kudos
Copy link
JoseH_Intel
Moderator
‎08-06-2020 07:10 PM
4,314 Views
Solved Jump to solution

Hello TKrem1,


Could you please confirm if you have PT Administrator selected for the user in permissions? 


Will look forward for your updates.


Regards


Jose A.

Intel Customer Support


0 Kudos
Copy link
TKrem1
New Contributor I
‎08-06-2020 10:53 PM
4,309 Views
Solved Jump to solution
In response to JoseH_Intel

Hello Jose,
we have selected PT Adfministrator for the Testuser. It was the first permission we used.
After it didn't work we also gave him the other permissions.
At the end, the user had all possible permissions.
We we have updated the respective computers provisioning between the tests. 

Regards
Thomas

In response to JoseH_Intel
0 Kudos
Copy link
MichaelA_Intel
Employee
‎08-10-2020 10:48 AM
4,111 Views
Solved Jump to solution

Hi Thomas,


Email sent to set up virtual troubleshooting. Plan to update forum when resolution is found.


Regards,

Michael


0 Kudos
Copy link
TKrem1
New Contributor I
‎08-18-2020 04:05 AM
4,074 Views
Solved Jump to solution
In response to MichaelA_Intel

Hi Michael,

sorry for the late reply.
Our Exchange Servers broke down and we can't get E-Mails at the moment.

I will react as soon as i get the e-mail.

Regards,
Thomas

In response to MichaelA_Intel
0 Kudos
Copy link
olliepope80
Beginner
‎09-03-2020 03:21 PM
4,017 Views
Solved Jump to solution

Clusters that use Kerberos for authentication have several possible sources of potential issues, including: Failure of the Key Distribution Center (KDC) Missing Kerberos or OS packages or libraries. Incorrect mapping of Kerberos REALMs for cross-realm authentication. 

Thanks and Best Regards:

BTS Merch

0 Kudos
Copy link
TKrem1
New Contributor I
‎09-10-2020 06:03 AM
3,979 Views
Solved Jump to solution
In response to olliepope80

Thanks to a troubleshooting we found our problem. It was homemade. The Powershell command for credential propagation required the domain in addition to the username.

Domain\Username immediately established the Keberos connection.

Thanks again.

In response to olliepope80
0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.