Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
Announcements
FPGA community forums and blogs have moved to the Altera Community. Existing Intel Community members can sign in with their current credentials.
3051 Discussions

Problem with Keberos authentication

TKrem1
New Contributor I
5,750 Views

Hello, everyone,
we are currently trying to switch our AMT wakeup to Keberos authentication. Until now, the set admin account with password was used to start and manage clients. To ensure more security, Keberos will be used now.
We have set it up according to the templates of the Intel AMT Implementation and Reference Guide. The AD integration is active, objects are created under the computer name with the addition $IME. The users in question were authorized via the SCS profile.
Here we experimented with the rights, even full access does not have the desired effect.
If an authorized user tries to send a WakeUp it will be denied with missing rights.
Are there any experiences or further tips on this topic?

Thanks
Thomas

0 Kudos
1 Solution
TKrem1
New Contributor I
5,380 Views

Thanks to a troubleshooting we found our problem. It was homemade. The Powershell command for credential propagation required the domain in addition to the username.

Domain\Username immediately established the Keberos connection.

Thanks again.

View solution in original post

0 Kudos
10 Replies
JoseH_Intel
Moderator
5,741 Views

Hello TKrem1,

 

Thank you for joining the Intel community.

 

Could you please attach some screenshots if possible of your AD setup and the error message received. We will use them to elevate your issue to our senior team.

There are some issues reported about Kerberos and AD integration. It seems that the issue comes from Windows trying to access WS-Management service. Go to run 'Services.msc' at Windows start button and locate 'Windows Remote Management (WS-Management)' observe his current status, restart the service and set it to automatic.

 

We will look forward for your updates.

 

Regards

Jose A.

Intel Customer Support

 

 

0 Kudos
TKrem1
New Contributor I
5,735 Views

Hello, Jose,

I checked the WS-Management service. It is set to automatic and runs during the WakeUp attempt. I restarted the service, but it didn't help.
On the screens you can see the AD configuration in the SCS profile and the error message when the user tries to do the wakeup. If the command is sent with the default admin ID, the machine responds immediately.

 

Regards
Thomas

0 Kudos
JoseH_Intel
Moderator
5,723 Views

Hello TKrem1,


Thanks for the updates provided. I will proceed to elevate your issue to our senior team. I will let you know as soon as I get any word from them.


Regards


Jose A.

Intel Customer Support


0 Kudos
JoseH_Intel
Moderator
5,716 Views

Hello TKrem1,


Could you please confirm if you have PT Administrator selected for the user in permissions? 


Will look forward for your updates.


Regards


Jose A.

Intel Customer Support


0 Kudos
JoseH_Intel
Moderator
5,716 Views

Hello TKrem1,


Could you please confirm if you have PT Administrator selected for the user in permissions? 


Will look forward for your updates.


Regards


Jose A.

Intel Customer Support


0 Kudos
TKrem1
New Contributor I
5,711 Views

Hello Jose,
we have selected PT Adfministrator for the Testuser. It was the first permission we used.
After it didn't work we also gave him the other permissions.
At the end, the user had all possible permissions.
We we have updated the respective computers provisioning between the tests. 

Regards
Thomas

0 Kudos
MichaelA_Intel
Employee
5,513 Views

Hi Thomas,


Email sent to set up virtual troubleshooting. Plan to update forum when resolution is found.


Regards,

Michael


0 Kudos
TKrem1
New Contributor I
5,476 Views

Hi Michael,

sorry for the late reply.
Our Exchange Servers broke down and we can't get E-Mails at the moment.

I will react as soon as i get the e-mail.

Regards,
Thomas

0 Kudos
olliepope80
Beginner
5,419 Views

Clusters that use Kerberos for authentication have several possible sources of potential issues, including: Failure of the Key Distribution Center (KDC) Missing Kerberos or OS packages or libraries. Incorrect mapping of Kerberos REALMs for cross-realm authentication. 

Thanks and Best Regards:

BTS Merch

0 Kudos
TKrem1
New Contributor I
5,381 Views

Thanks to a troubleshooting we found our problem. It was homemade. The Powershell command for credential propagation required the domain in addition to the username.

Domain\Username immediately established the Keberos connection.

Thanks again.

0 Kudos
Reply