SCCM 2012 provisioned AMT authentication issue using HLAPI

SCCM 2012 provisioned AMT authentication issue using HLAPI

Portrait de Sergey
Sergey
mar, 27/11/2012 - 07:08

Hello,

I have an issue authenticating to AMT machine successfully provisioned by SCCM 2012 using HLAPI: I get "(401) Unathorized" exception from AMT WSMAN service even if requests to SOAP service works fine.

Some more details:

  • AMT version is 7.1.30
  • We use our own CA to issue certificates to AMT computers
  • I can connect to and manage the device using SCCM Out of Band Console
  • I use such connection info:
    ConnectionInfoEX connectionInfo = new ConnectionInfoEX("someSomputer.someDomain.ad", null, null, true, null, ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
    Current user is domain admin. 
  • HLAPI successfully connects to the device using SOAP service: it returns version of the AMT ("7.1.30") in AMTInstanceManager.InitAMTInstanceMNG(). If I add my custom code to AMTInstanceManager I can get any data using this service:
    - TlsAthenticationType == TlsAthenticationType.ServerAuth in SecurityAdministrationService.GetTlsOptions()
    - And even certificate of the device by CertificateManagementEOI.GetAllCertificatesBlobs()
  • I enrolled certificate, added to local store and specified it's name in ConnectionInfoEX constructor, but I still got 401 exception. This cert has following OIDs: AMT Authenticate the Redirection Library (2.16.840.1.113741.1.2.1) and Client authentication (1.3.6.1.5.5.7.3.2).
  • If I specify my userName and password in ConnectionInfoEX I get 401 from SOAP. That's strange. 

Any ideas what is the difference in authentication between SOAP and WSMAN services?

Regards

RSS Haut
6 posts / 0 nouveau(x)
Dernière contribution
Reportez-vous à notre Notice d'optimisation pour plus d'informations sur les choix et l'optimisation des performances dans les produits logiciels Intel.
Portrait de Sergey
Sergey
mer, 28/11/2012 - 04:56
Best Reply

Finally I found source of the issue: HLAPI incorrectly sets up SPN in System.Net.AuthenticationManager.CustomTargetNameDictionary for Kerberos authentication for WSMAN service, it uses 16992 port instead of 16993 in key of the dictionary. For those who encounter the same problem: place following code just before your AMTInstanceFactory.CreateEX(connectionInfo):

               string fqdn = string.Format("{0}.{1}", computerName, domain);

               string secureAmtUrl = string.Format("https://{0}:16993/wsman", fqdn);

                Uri secureAmtUri;

                if (Uri.TryCreate(secureAmtUrl, UriKind.Absolute, out secureAmtUri))

                {

                    if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(secureAmtUri.AbsoluteUri))

                    {

                        string spn = string.Format("HTTP/{0}:16993", fqdn);

                        AuthenticationManager.CustomTargetNameDictionary.Add(secureAmtUri.AbsoluteUri, spn);

                    }

                }

Haut
Portrait de Gael Hofemeier (Intel)
Gael Hofemeier (Intel)
mer, 28/11/2012 - 11:02

Good catch. I will forward this information on to the engineering team.

Follow me on Twitter: @GH_IntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Haut
Portrait de Gael Hofemeier (Intel)
Gael Hofemeier (Intel)
lun, 03/12/2012 - 08:34

What version of the SDK are you using? Our dev team thinks they fixed this.

Follow me on Twitter: @GH_IntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Haut
Portrait de Sergey
Sergey
mar, 04/12/2012 - 00:14

Quote:

Gael Hofemeier (Intel) wrote:

What version of the SDK are you using? Our dev team thinks they fixed this.

I'm using Intel_AMT_8_SDK_Gold4197.

Haut
Portrait de Gael Hofemeier (Intel)
Gael Hofemeier (Intel)
mer, 12/12/2012 - 10:31

We just updated the HLAPI on our site - you can download the 8.1 version now - the 8.1 SDK is out there too.
http://software.intel.com/en-us/articles/download-the-latest-intel-amt-s...

Follow me on Twitter: @GH_IntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Haut

Connectez-vous pour laisser un commentaire.