Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2942 Discussions

Troubleshooting AMT WebUI Authentication

idata
Employee
2,903 Views

Hello,

I am unable to authenticate to the AMT WebUI from a Windows XP workstation.

  • XP is at Service Pack 2
  • Microsoft KB908209 is installed (Kerberos / IE6 hotfix)
  • Internal Subordinate and Root CA certs are in both Trusted Root and Intermediate CA stores

I can authenticate to the WebUI from the Windows 2003 ConfigMgr server that provisioned the AMT device.

Any ideas on where to start troubleshooting this authentication issue?

Thanks,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
3 Replies
Steven_D_Intel1
Employee
1,148 Views

If browser displays Intel AMT WebUI login prompt, you can probably eliminate certificates as a cause of the problem

Here are some sugguestions (in the order of least painful first):-

Make sure Integrated Windows Authentication (IWA) is enabled in the browser

Check you are specifying client FQDN as URL in Intel AMT WebUI and not an IP address or alias, otherwise Kerberos authentication will fail during lookup of SPN's

Check registry key associated with KB908209 is also installed on the XP workstation. Without it, KB908209 is ineffective

Check to make sure your XP system has sync'ed to network time otherwise Intel AMT may think you are trying replay attack and authentication will fail

Remove any HTTP proxies your browser may be configured to use. Kerberos authentication through proxy is not supported by all proxies, so testing without a proxy (if you are using one) may help to identify the issue

If none of these work then:-

Use KerbTray (from Microsoft resource kits) to flush Kerberos ticket cache, or just logoff and logon again to XP workstation

Start network packet capture program (preferably WireShark)

Open browser, connect to Intel AMT WebUI (using FQDN) and try to logon to generate failure

Stop packet capture program and inspect Kerberos protocol, especially TGS-REQ and TGS-REP to ensure your browser is getting a valid ticket back for the Intel AMT service at port 16992/16993. If you do not get valid ticket back (i.e. SPN not found) then re-check client FQDN. If client FQDN is correct then check SPN's are included in Active Directory objects using MMC + ADSIEdit and check DC replication occured if you are in multi-domain environment

If you get valid Kerberos ticket back and you still cannot get authenticated, download copy of TOKENSZ from Microsoft download area along with copy of Microsoft document "Troubleshooting Kerberos Errors". Use instructions from docment to run TOKENSZ and inspect the Kerberos ticket size. Intel AMT has a limit of ~4KB on ticket size (recently increased to ~10KB). If you are logging into AMT WebUI using Windows credentials for a user who is member of many Windows groups then the Kerberos ticket size can become too large and authentication fails. In this instance, use a different Windows user to login with smaller group membership

I hope this helps

0 Kudos
idata
Employee
1,148 Views

Hello,

Excellent response! Thank you for taking the time to respond in depth to my request for help

I have used the tokensz tool before, but I know that the Kerberos ticket size is not an issue, because I can authenticate from my Windows 2003 site server using the same account that has an issue.

 

I don't have any proxy servers configured in my browser.

-----------------

Ok, I just tried looking up the registry key, because that seemed like the easiest, and most likely suspect, and it was missing. After I added it, and restarted Internet Explorer, it worked!

Thanks again for your help! This should be put into some sort of official document I'd be happy to type it up and post it.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
Steven_D_Intel1
Employee
1,148 Views

Regarding your comment about an official document

If you are using Microsoft SCCM, you may like to checkout the link http://communities.intel.com/message/10377 http://communities.intel.com/message/10377

Even if you do not use Microsoft SCCM, there is some useful stuff in here

Best Regards

SDavies

0 Kudos
Reply