I am unable to authenticate to the AMT WebUI from a Windows XP workstation.
- XP is at Service Pack 2
- Microsoft KB908209 is installed (Kerberos / IE6 hotfix)
- Internal Subordinate and Root CA certs are in both Trusted Root and Intermediate CA stores
I can authenticate to the WebUI from the Windows 2003 ConfigMgr server that provisioned the AMT device.
Any ideas on where to start troubleshooting this authentication issue?
If the browser displays the Intel AMT WebUI login prompt, you can probably eliminate certificates as a cause of the problem.
Here are some suggestions (in the order of least painful first):
- Make sure Integrated Windows Authentication (IWA) is enabled in the browser
- Check that you are specifying the client FQDN as the URL in the Intel AMT WebUI and not an IP address or alias, otherwise Kerberos authentication will fail during lookup of SPNs
- Check that the registry key associated with KB908209 is also installed on the XP workstation. Without it, KB908209 is ineffective
- Check to make sure your XP system has synced to network time, otherwise Intel AMT may think you are trying a replay attack and authentication will fail
- Remove any HTTP proxies your browser may be configured to use. Kerberos authentication through a proxy is not supported by all proxies, so testing without a proxy (if you are using one) may help to identify the issue
If none of these work then:
- Use KerbTray (from the Microsoft resource kits) to flush the Kerberos ticket cache, or just log off and log on again to the XP workstation
- Start a network packet capture program (preferably Wireshark)
- Open the browser, connect to the Intel AMT WebUI (using the FQDN) and try to log on to generate the failure
- Stop the packet capture program and inspect the Kerberos protocol, especially TGS-REQ and TGS-REP, to ensure your browser is getting a valid ticket back for the Intel AMT service at port 16992/16993. If you do not get a valid ticket back (i.e. SPN not found) then re-check the client FQDN. If the client FQDN is correct then check that the SPNs are included in the Active Directory objects using MMC + ADSIEdit, and check that DC replication occurred if you are in a multi-domain environment
- If you get a valid Kerberos ticket back and you still cannot get authenticated, download a copy of TOKENSZ from the Microsoft download area along with a copy of the Microsoft document "Troubleshooting Kerberos Errors". Use the instructions from the document to run TOKENSZ and inspect the Kerberos ticket size. Intel AMT has a limit of ~4KB on ticket size (recently increased to ~10KB). If you are logging into the AMT WebUI using Windows credentials for a user who is a member of many Windows groups then the Kerberos ticket size can become too large and authentication fails. In this instance, use a different Windows user with a smaller group membership to log in
I hope this helps
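The pre-flight checks from the answer above, written up as an added Python example that is not part of the thread: it derives the port-qualified SPN (HTTP/<fqdn>:<port>) the browser should request from the WebUI URL, rejects IP addresses and short names, reads the KB908209 Internet Explorer FeatureControl value (registry path is an assumption) and flags clock skew beyond the Kerberos default (assumed 5 minutes). Hostnames and skew values used in the checks are constructed sample input.

```python
# Added pre-flight checks for Kerberos logon to the Intel AMT WebUI (not from the thread).
# Assumed: KB908209 FeatureControl registry path/value, 300 s Kerberos skew default.
import ipaddress
from urllib.parse import urlsplit

AMT_PORTS = (16992, 16993)   # plain / TLS WebUI ports named in the thread
MAX_SKEW_SECONDS = 300       # Kerberos default clock-skew tolerance (assumption)
# Registry value KB908209 adds so IE puts the port into the SPN (assumed path)
KB908209_KEY = (r"SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl"
                r"\FEATURE_INCLUDE_PORT_IN_SPN_KB908209")

def expected_spn(url):
    """Return the SPN (HTTP/<fqdn>:<port>) the browser should request,
    or raise ValueError explaining why the URL cannot yield one."""
    parts = urlsplit(url)
    host, port = parts.hostname or "", parts.port
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal: good
    else:
        raise ValueError("IP address used; the KDC cannot map it to an SPN")
    if "." not in host:  # CNAME aliases cannot be detected offline
        raise ValueError("short name used; specify the client's FQDN")
    if port not in AMT_PORTS:
        raise ValueError(f"port {port} is not an AMT WebUI port {AMT_PORTS}")
    return f"HTTP/{host.lower()}:{port}"

def read_kb908209_value():
    """iexplore.exe DWORD under KB908209_KEY; None off Windows or if absent."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KB908209_KEY) as key:
            return winreg.QueryValueEx(key, "iexplore.exe")[0]
    except (ImportError, OSError):
        return None

def check_all(url, skew_seconds, kb908209_value):
    """Findings in the answer's least-painful-first order; empty means go test."""
    findings, spn = [], None
    try:
        spn = expected_spn(url)
    except ValueError as err:
        findings.append(f"URL: {err}")
    if kb908209_value != 1:
        findings.append("KB908209 value missing: IE will request a port-less SPN")
    if abs(skew_seconds) > MAX_SKEW_SECONDS:
        findings.append(f"clock skew {skew_seconds}s > {MAX_SKEW_SECONDS}s: AMT may reject as replay")
    return spn, findings
```

On the XP workstation, call check_all(url, measured_skew, read_kb908209_value()); an empty findings list means the remaining steps (flush tickets, capture, inspect TGS-REP) are the next thing to try.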
Excellent response! Thank you for taking the time to respond in depth to my request for help.
I have used the tokensz tool before, but I know that the Kerberos ticket size is not an issue, because I can authenticate from my Windows 2003 site server using the same account that has an issue.
I don't have any proxy servers configured in my browser.
Ok, I just tried looking up the registry key, because that seemed like the easiest, and most likely suspect, and it was missing. After I added it, and restarted Internet Explorer, it worked!
Thanks again for your help! This should be put into some sort of official document; I'd be happy to type it up and post it.