Community Manager
861 Views

Why can't I get Kerberos to work with or without TLS?

Hi vPro Experts and Friends,

Seems like I could use a little help here. The problem I have with my SCS setup is that we can't remote KVM (VNC Viewer) nor run non-KVM commands using the Intel vPro PS module via Kerberos authentication, with or without TLS.

For non-KVM commands, the PowerShell console errors saying "Unauthorised", while the VNC viewer brings up a credentials box asking for the digest credentials. Kerberos doesn't work at all, but the digest user (admin and ACL) works fine with or without TLS.

Can't even log in to the web UI using https://fqdn:16993/. I don't think there is any issue with the cert, as we can provision just fine.

AD authentication with or without TLS = FAILS.

Only Digest credentials seem to be working.

We even tried with individual domain user accounts and it FAILS.

Client and Mgmt consoles are on the same domain + intranet + AMT clocks too are in sync.

CheckAmtAcl tool shows that the ACL includes the domain users and are already loaded into the MEBx with the provisioned profile.

My setup is as follows:

1. Two VMs (standalone Win Server 2008 without AD Domain Services, connected to our corporate network), running SCS on one and MPS on the other

2. Root CA is running on one of our physical domain controllers on the corporate network

3. AMT Objects OU, user accounts and groups are located on another physical domain controller.

4. Vendor cert (GoDaddy) installed on the SCS server.

5. Client AMT version 6.2 and 7.x

6. TLS profile with AD integration

Please help.

Regards

Mohammed
0 Kudos
1 Reply
Employee
25 Views

Hello Mohammed,

As I see it you have at least 2 issues.

The first issue is you need to be using VNC Viewer Plus for KVM access.

The second issue is your Kerberos failures. I would start by checking AD to see whether the object is created within the AMT OU. If provisioning failed to do this, then you will need to investigate your provisioning profile on your SCS server.

I hope this helps

Joe

0 Kudos