SCCM 2012 provisioned AMT authentication issue using HLAPI

Sergey

Hello,

I have an issue authenticating to an AMT machine successfully provisioned by SCCM 2012 using HLAPI: I get a "(401) Unauthorized" exception from the AMT WSMAN service even though requests to the SOAP service work fine.

Some more details:

  • AMT version is 7.1.30
  • We use our own CA to issue certificates to AMT computers
  • I can connect to and manage the device using SCCM Out of Band Console
  • I use such connection info:
    ConnectionInfoEX connectionInfo = new ConnectionInfoEX("someComputer.someDomain.ad", null, null, true, null, ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
    Current user is domain admin. 
  • HLAPI successfully connects to the device using the SOAP service: it returns the AMT version ("7.1.30") in AMTInstanceManager.InitAMTInstanceMNG(). If I add my custom code to AMTInstanceManager I can get any data using this service:
    - TlsAthenticationType == TlsAthenticationType.ServerAuth in SecurityAdministrationService.GetTlsOptions()
    - And even certificate of the device by CertificateManagementEOI.GetAllCertificatesBlobs()
  • I enrolled a certificate, added it to the local store and specified its name in the ConnectionInfoEX constructor, but I still got the 401 exception. This cert has the following OIDs: AMT Authenticate the Redirection Library (2.16.840.1.113741.1.2.1) and Client authentication (1.3.6.1.5.5.7.3.2).
  • If I specify my userName and password in ConnectionInfoEX I get 401 from SOAP. That's strange. 

Any ideas what is the difference in authentication between SOAP and WSMAN services?

Regards

Sergey
Best Reply

Finally I found the source of the issue: HLAPI incorrectly sets up the SPN in System.Net.AuthenticationManager.CustomTargetNameDictionary for Kerberos authentication to the WSMAN service; it uses port 16992 instead of 16993 in the dictionary key. For those who encounter the same problem: place the following code just before your AMTInstanceFactory.CreateEX(connectionInfo):

    using System;
    using System.Net;

    // computerName and domain are the target machine's host name and DNS domain.
    string fqdn = string.Format("{0}.{1}", computerName, domain);
    // The TLS WS-Man endpoint listens on 16993; HLAPI registers the SPN under the 16992 URL.
    string secureAmtUrl = string.Format("https://{0}:16993/wsman", fqdn);
    Uri secureAmtUri;
    if (Uri.TryCreate(secureAmtUrl, UriKind.Absolute, out secureAmtUri))
    {
        if (!AuthenticationManager.CustomTargetNameDictionary.ContainsKey(secureAmtUri.AbsoluteUri))
        {
            // The Kerberos SPN must carry the same port as the URL the request is sent to.
            string spn = string.Format("HTTP/{0}:16993", fqdn);
            AuthenticationManager.CustomTargetNameDictionary.Add(secureAmtUri.AbsoluteUri, spn);
        }
    }
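The fix above registers one hard-coded entry. As an added example (not part of Sergey's post and not Intel HLAPI code), the helper below generalizes it: it derives the expected URL key and Kerberos SPN for either AMT WS-Man port, scans System.Net.AuthenticationManager.CustomTargetNameDictionary for AMT entries whose SPN port disagrees with the port in their URL key (the exact mismatch that produces the 401 from the WS-Man service while SOAP still works), and repairs the entry idempotently. The class and method names and the host name amt-host.example.ad are assumptions made for this illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Net;

// Added example: diagnose and repair Kerberos target names (SPNs) that
// .NET will present for Intel AMT WS-Management endpoints. Names are invented.
static class AmtSpnRegistration
{
    const int AmtHttpPort = 16992;   // non-TLS WS-Man port
    const int AmtHttpsPort = 16993;  // TLS WS-Man port (the one this thread is about)

    // URL that .NET uses as the dictionary key for the endpoint.
    public static Uri BuildUrl(string fqdn, bool tls)
    {
        int port = tls ? AmtHttpsPort : AmtHttpPort;
        string scheme = tls ? "https" : "http";
        return new Uri(string.Format("{0}://{1}:{2}/wsman", scheme, fqdn, port), UriKind.Absolute);
    }

    // Kerberos SPN for that endpoint: HTTP/<fqdn>:<port>, port matching the URL.
    public static string BuildSpn(string fqdn, bool tls)
    {
        return string.Format("HTTP/{0}:{1}", fqdn, tls ? AmtHttpsPort : AmtHttpPort);
    }

    // Report every /wsman entry whose SPN does not end with the port of its URL key.
    public static List<string> FindMismatches()
    {
        var problems = new List<string>();
        foreach (DictionaryEntry entry in AuthenticationManager.CustomTargetNameDictionary)
        {
            string key = (string)entry.Key;
            string spn = (string)entry.Value ?? string.Empty;
            Uri url;
            if (!Uri.TryCreate(key, UriKind.Absolute, out url) ||
                !url.AbsolutePath.Equals("/wsman", StringComparison.OrdinalIgnoreCase))
                continue;
            if (!spn.EndsWith(":" + url.Port, StringComparison.Ordinal))
                problems.Add(string.Format("{0} -> {1} (expected port {2})", key, spn, url.Port));
        }
        return problems;
    }

    // Register the correct SPN for one endpoint, replacing a stale or mismatched entry.
    public static string Ensure(string fqdn, bool tls)
    {
        string key = BuildUrl(fqdn, tls).AbsoluteUri;
        string spn = BuildSpn(fqdn, tls);
        var dict = AuthenticationManager.CustomTargetNameDictionary;
        if (dict.ContainsKey(key))
        {
            if (string.Equals(dict[key], spn, StringComparison.Ordinal))
                return spn;                  // already correct
            dict.Remove(key);                // drop the mismatched entry
        }
        dict.Add(key, spn);
        return spn;
    }

    static void Main()
    {
        // Placeholder host (assumption): replace with the provisioned AMT computer's FQDN.
        string fqdn = "amt-host.example.ad";
        Console.WriteLine("registered " + Ensure(fqdn, tls: true));
        foreach (string problem in FindMismatches())
            Console.WriteLine("SPN/port mismatch: " + problem);
    }
}
```

Call Ensure for the TLS endpoint before AMTInstanceFactory.CreateEX(connectionInfo), and run FindMismatches after HLAPI has initialized if a 401 still appears; an entry listed there means Kerberos is being asked for a ticket to a service name that does not match the port the request actually goes to, which the AMT WS-Man service rejects.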

Gael Hofemeier (Intel)

Good catch. I will forward this information on to the engineering team.

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Gael Hofemeier (Intel)

What version of the SDK are you using? Our dev team thinks they fixed this.

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Sergey

Quote:

Gael Hofemeier (Intel) wrote:

What version of the SDK are you using? Our dev team thinks they fixed this.

I'm using Intel_AMT_8_SDK_Gold4197.

Gael Hofemeier (Intel)

We just updated the HLAPI on our site - you can download the 8.1 version now - the 8.1 SDK is out there too.
http://software.intel.com/en-us/articles/download-the-latest-intel-amt-s...

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
