SCCM 2012 provisioned AMT authentication issue using HLAPI

I have an issue authenticating to an AMT machine successfully provisioned by SCCM 2012 using HLAPI: I get a "(401) Unauthorized" exception from the AMT WSMAN service even though requests to the SOAP service work fine.

Some more details:

  • AMT version is 7.1.30
  • We use our own CA to issue certificates to AMT computers
  • I can connect to and manage the device using SCCM Out of Band Console
  • I use such connection info:
    ConnectionInfoEX connectionInfo = new ConnectionInfoEX("", null, null, true, null, ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
    Current user is domain admin. 
  • HLAPI successfully connects to the device using SOAP service: it returns version of the AMT ("7.1.30") in AMTInstanceManager.InitAMTInstanceMNG(). If I add my custom code to AMTInstanceManager I can get any data using this service:
    - TlsAthenticationType == TlsAthenticationType.ServerAuth in SecurityAdministrationService.GetTlsOptions()
    - And even certificate of the device by CertificateManagementEOI.GetAllCertificatesBlobs()
  • I enrolled a certificate, added it to the local store and specified its name in the ConnectionInfoEX constructor, but I still got a 401 exception. This cert has the following OIDs: AMT Authenticate the Redirection Library (2.16.840.1.113741.1.2.1) and Client authentication (
  • If I specify my userName and password in ConnectionInfoEX I get 401 from SOAP. That's strange. 

Any ideas what is the difference in authentication between SOAP and WSMAN services?


Best Reply

Finally I found the source of the issue: HLAPI incorrectly sets up the SPN in System.Net.AuthenticationManager.CustomTargetNameDictionary for Kerberos authentication for the WSMAN service; it uses port 16992 instead of 16993 in the key of the dictionary. For those who encounter the same problem: place the following code just before your AMTInstanceFactory.CreateEX(connectionInfo):

                // Requires: using System; using System.Net;
                string fqdn = string.Format("{0}.{1}", computerName, domain);

                // WSMAN endpoint on the AMT TLS port (16993).
                string secureAmtUrl = string.Format("https://{0}:16993/wsman", fqdn);

                Uri secureAmtUri;

                if (Uri.TryCreate(secureAmtUrl, UriKind.Absolute, out secureAmtUri))
                {
                    // Register the SPN only if this URL has no mapping yet.
                    if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(secureAmtUri.AbsoluteUri))
                    {
                        // The SPN port matches the port in the dictionary key.
                        string spn = string.Format("HTTP/{0}:16993", fqdn);

                        AuthenticationManager.CustomTargetNameDictionary.Add(secureAmtUri.AbsoluteUri, spn);
                    }
                }
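
A check for the condition described in the post above, as an added example that is not part of the original thread, HLAPI or the Intel AMT SDK: it lists a missing SPN entry for the endpoint in use and any entry whose URL port and SPN port disagree. The class and method names are hypothetical; it assumes the .NET Framework `System.Net.AuthenticationManager` API and the `HTTP/host:port` SPN form used in the post.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Net;

// Added example: hypothetical helper, not part of HLAPI or the Intel AMT SDK.
static class AmtSpnAudit
{
    // Ports as named in the post: 16992 (non-TLS) and 16993 (TLS).
    static int PortFor(bool useTls) { return useTls ? 16993 : 16992; }

    static Uri EndpointFor(string fqdn, bool useTls)
    {
        return new UriBuilder(useTls ? "https" : "http", fqdn, PortFor(useTls), "/wsman").Uri;
    }

    // Register the SPN, deriving URL and SPN from the same port so they cannot diverge.
    public static void EnsureSpn(string fqdn, bool useTls)
    {
        string key = EndpointFor(fqdn, useTls).AbsoluteUri;
        if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(key))
            AuthenticationManager.CustomTargetNameDictionary.Add(
                key, string.Format("HTTP/{0}:{1}", fqdn, PortFor(useTls)));
    }

    // Report a missing entry (exact-key check, as in the post's code) or a
    // URL/SPN port mismatch for this host. Read-only: the dictionary is not changed.
    public static List<string> Audit(string fqdn, bool useTls)
    {
        var findings = new List<string>();
        string wanted = EndpointFor(fqdn, useTls).AbsoluteUri;
        if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(wanted))
            findings.Add("no SPN entry for " + wanted);

        foreach (DictionaryEntry e in AuthenticationManager.CustomTargetNameDictionary)
        {
            Uri keyUri;
            int spnPort;
            string spn = (e.Value as string) ?? "";
            int colon = spn.LastIndexOf(':');
            if (!Uri.TryCreate((string)e.Key, UriKind.Absolute, out keyUri)) continue;
            if (!string.Equals(keyUri.Host, fqdn, StringComparison.OrdinalIgnoreCase)) continue;
            if (colon < 0 || !int.TryParse(spn.Substring(colon + 1), out spnPort)) continue;
            if (spnPort != keyUri.Port)
                findings.Add(string.Format("{0} maps to {1}: port mismatch", e.Key, spn));
        }
        return findings;
    }
}
```

Calling `Audit` before and after the HLAPI connection attempt shows whether the library registered an entry under a different port than the one the request uses.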



Good catch. I will forward this information on to the engineering team.

What version of the SDK are you using? Our dev team thinks they fixed this.


Gael Hofemeier (Intel) wrote:

What version of the SDK are you using? Our dev team thinks they fixed this.

I'm using Intel_AMT_8_SDK_Gold4197.

We just updated the HLAPI on our site - you can download the 8.1 version now - the 8.1 SDK is out there too.
