Kerberos and IDE redirection, API question

Hi,

According to the AD integration guide:

A client application initiates an SOL or IDE-R session with an Intel AMT device by calling either IMR_IDEROpenTCPSession or IMR_SOLOpenTCPSession; both are functions in the redirection library. These functions have as input parameters the username and password of the client. The library opens a socket with the Intel AMT device and negotiates the protocol to be used between them. If the SOL/IDE-R authentication was enabled, then the library will attempt to contact a ticket granting server for establishing a Kerberos connection. If this fails, the library will attempt to connect using the username/password combination.

So is it correct that only the Kerberos authentication credentials of the current Windows user can be used for SOL/IDE-R? Can I specify the credentials (domain, user, password) of another user for the SOL/IDE-R library?


Hi earlnsk,

When using Kerberos authentication, the current Windows user will negotiate the Kerberos tokens to authenticate himself with the Intel AMT device. Also, this user needs to be added to the ACL in AMT along with the realm that can be accessed. If for some reason the Kerberos connection cannot be established, the credentials entered as part of the username and password will be used. Once again, this set of username and password needs to be present in the AMT device ACL list with the correct realms.

Also the AD integration guide says: Note that if the normal mode of operations is to connect using Kerberos, the username/password parameters to the library functions will be ignored.

Hope this helps.

Thank you for the explanation.

So the redirection library uses the following authentication scheme:
1. Try to connect using the current Windows user's credentials (Kerberos).
2. If step 1 was not successful and the BIOS settings permit it, the user and password will be used (Digest user in the ACL).

The Kerberos credentials of another user cannot be specified to the redirection library.
