
Configure a Remote Platform or Local Host to Work with Intel AMT using Kerberos

   The platform needs to be recognized by the domain.

The platform is recognized in the domain by setting the domain and hostname and attempting to log in. Then any user on the platform who runs a management console program or an SDK sample must be a member of the Active Directory group that was defined in default.config.xml (in the example, this is the AMT User group).

   Microsoft Hotfix must be installed.

The SDK samples and any other program authenticating with an Intel AMT instance with Kerberos using the WinHTTP library need Microsoft hotfix KB899900 installed.

   Run the proxyconfig command.

   If Microsoft Internet Explorer (IE) is used to connect to the WebUI feature of Intel AMT, the domains containing Intel AMT platforms must be included in IE’s list of trusted sites. Add the domain by selecting the IE Tools>Options menu, selecting the Security tab and selecting either Local intranet or Trusted sites. Click Sites…

Under Trusted sites, add the domain (for example, *.intel.com). Under Local intranet, select Advanced… and add the domain explicitly.

Click on Custom Level, then scroll down to User Authentication – Logon and select the third option: Automatic logon with current user name and password. This enables the browser to use the same username and password as the Kerberos user defined in Active Directory who logged into Windows. Also make sure that in the IE Tools>Options>Advanced menu the Enable Integrated Windows Authentication option is selected.

These changes require closing all windows/tabs and restarting Internet Explorer.

Other applications or other versions of Internet Explorer may have similar configuration requirements.

   All calls to Intel AMT must address the device using the FQDN. The Active Directory entry for the Intel AMT platform is defined with the FQDN, so trying to connect using only the host name will fail. In the example, intel-sdp will not work, but intel-sdp.amt.intel.com will. This is also the case when using TLS as the certificates are based on the FQDN and not the hostname.

   Make sure that the time difference between the management console and Intel AMT is at most five minutes. Both clocks should be based on the domain server time. If this is not done, it may not be possible to connect, because Kerberos tickets outside that window are no longer valid. It may be necessary to log in as an Administrator to make this change and for certificates to be updated to the new time.
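The checks above (membership in the group from default.config.xml, the KB899900 hotfix, addressing the device by FQDN, and the five-minute clock skew limit) can be verified from the management console before a connection is attempted. The following PowerShell script is an added example and is not part of the Intel AMT SDK; it assumes the page's example values (group AMT User, host intel-sdp.amt.intel.com) and that the console is domain-joined so that $env:LOGONSERVER names a domain controller to compare clocks against.

```powershell
# Added pre-connection check for Intel AMT Kerberos prerequisites (example code,
# not from the SDK). Group name, hotfix id and FQDN default to the page's example
# values; substitute your own.

function Test-AmtKerberosPrereqs {
    param(
        [Parameter(Mandatory)] [string] $AmtHost,        # must be an FQDN, e.g. intel-sdp.amt.intel.com
        [string] $AmtUserGroup   = 'AMT User',           # AD group granted access in default.config.xml
        [string] $Hotfix         = 'KB899900',           # WinHTTP Kerberos hotfix needed by the SDK samples
        [int]    $MaxSkewSeconds = 300                   # Kerberos tolerates at most five minutes of skew
    )
    $ok = $true

    # 1. The address must be fully qualified: the AD entry and any TLS certificate are
    #    issued for the FQDN, so a bare host name such as intel-sdp cannot obtain a ticket.
    if ($AmtHost -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        Write-Warning "'$AmtHost' is not an FQDN; use the full name (e.g. $AmtHost.$env:USERDNSDOMAIN)."
        $ok = $false
    }
    elseif (-not (Resolve-DnsName -Name $AmtHost -Type A -ErrorAction SilentlyContinue)) {
        Write-Warning "'$AmtHost' does not resolve in DNS."
        $ok = $false
    }

    # 2. The logged-on user must hold the AD group in the logon token (nested groups included).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = $identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    }
    if (-not ($groups -match "\\$([regex]::Escape($AmtUserGroup))$")) {
        Write-Warning "$($identity.Name) is not a member of '$AmtUserGroup'."
        $ok = $false
    }

    # 3. Clients that authenticate through WinHTTP need the hotfix installed.
    if (-not (Get-HotFix -Id $Hotfix -ErrorAction SilentlyContinue)) {
        Write-Warning "Hotfix $Hotfix is not installed."
        $ok = $false
    }

    # 4. Clock skew against the domain's time source. w32tm /stripchart prints one
    #    sample per line as "HH:mm:ss, +00.0012345s"; the signed value is the offset.
    $dc = $env:LOGONSERVER -replace '^\\\\', ''
    $lines = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null
    $offsetLine = $lines | Where-Object { $_ -match ',\s*([+-][0-9.]+)s' } | Select-Object -Last 1
    if ($offsetLine -and $offsetLine -match ',\s*([+-][0-9.]+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        if ($skew -gt $MaxSkewSeconds) {
            Write-Warning ("Clock differs from {0} by {1:N1}s (limit {2}s); tickets will be rejected." -f $dc, $skew, $MaxSkewSeconds)
            $ok = $false
        }
    }
    else {
        Write-Warning "Could not measure clock offset against $dc."
    }

    return $ok
}

# Usage with the page's example values; exit code 1 when any prerequisite fails.
if (-not (Test-AmtKerberosPrereqs -AmtHost 'intel-sdp.amt.intel.com' -AmtUserGroup 'AMT User')) { exit 1 }
```

Each failed check is reported as a warning rather than stopping at the first one, so a single run lists everything that still needs fixing. The clock comparison uses the domain controller the console authenticated against, which is the time source Intel AMT is also expected to follow.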

Copyright © 2006-2022, Intel Corporation. All rights reserved.