Authentication Options

Intel AMT supports both Digest and Kerberos authentication. Users added to the Intel AMT ACL are either digest or Kerberos users. An exception to this is the admin account, which always uses digest authentication.

The Kerberos facility must be enabled before defining Kerberos users. See Get/Set Kerberos Settings.

Intel AMT and Kerberos authentication

Intel AMT supports Kerberos authentication and authorization. This enables integrating Intel AMT with Microsoft* Active Directory. See Integration with Active Directory for a detailed description of this option.

Intel AMT and Digest Authentication

Intel AMT supports digest authentication per RFC 2617. Continuous use of digest authentication implies that each HTTP request must be sent twice, since the first attempt results in a 401 Digest challenge response. HTTP clients may optimize this by reusing the nonce and incrementing the nonce-count parameter on each request. Intel AMT does not limit the nonce-count value beyond the maximum of its internal representation. Clients must be able to process intermittent failures where the nonce is reset.

Intel AMT 14.0 and later supports quality of protection (QoP) options 'auth' and 'auth-int' as defined in RFC 7616.
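
The following client-side sketch is an added example, not code from the Intel AMT SDK. It shows the nonce-count optimization described above: one challenge is reused across requests with an incrementing nc, and a later 401 (nonce reset) restarts the counter. The class and function names are hypothetical, and MD5 with qop=auth is assumed as the RFC 2617 default.

```python
import hashlib
import os
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Parse a 'WWW-Authenticate' Digest value into a dict of parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

class DigestSession:
    """Reuses one server nonce across requests by incrementing nc."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.challenge, self.nc = None, 0

    def on_401(self, www_authenticate):
        # First challenge, or the device reset its nonce: adopt the new
        # nonce and restart the counter, then resend the failed request.
        challenge = parse_challenge(www_authenticate)
        offered = [q.strip() for q in challenge.get("qop", "").split(",")]
        if "auth" not in offered:
            raise ValueError("server did not offer qop=auth")
        self.challenge, self.nc = challenge, 0

    def authorize(self, method, uri, cnonce=None):
        """Return the Authorization header value for the next request."""
        if self.challenge is None:
            raise RuntimeError("no challenge yet; send the request and handle the 401")
        c = self.challenge
        self.nc += 1
        nc = f"{self.nc:08x}"  # 8 hex digits, per RFC 2617
        cnonce = cnonce or os.urandom(8).hex()
        # Assumption: MD5, the RFC 2617 default algorithm.
        ha1 = md5_hex(f"{self.username}:{c['realm']}:{self.password}")
        ha2 = md5_hex(f"{method}:{uri}")
        response = md5_hex(f"{ha1}:{c['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        header = (f'Digest username="{self.username}", realm="{c["realm"]}", '
                  f'nonce="{c["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
                  f'cnonce="{cnonce}", response="{response}"')
        if "opaque" in c:
            header += f', opaque="{c["opaque"]}"'
        return header
```

A caller sends the request, passes any 401 challenge to on_401(), and retries once with a fresh authorize() value; the same path covers both the first request and an intermittent nonce reset.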

Performance Considerations

To optimize support for HTTP clients that do not implement the nonce-count increment method, Intel AMT 6.0 (and later releases) implements a digest session caching mechanism. This mechanism works only over a TLS session, as follows: if the client uses HTTP/1.1 keep-alive and maintains an open socket to Intel AMT, there will be a challenge/response exchange on the first request. Intel AMT will admit subsequent requests using the same digest credential.

 Note:

   If an application needs to switch to a different digest credential, it must explicitly close the session and start a new session.

   The digest session cache is reset when there is any change to the Intel AMT Access Control List, forcing the client to re-authenticate.

Copyright © 2006-2022, Intel Corporation. All rights reserved.