Configuring Intel AMT for Kerberos Authentication

The following tasks must be performed to prepare an Intel AMT device for Active Directory:

   Create an Intel AMT object in the Active Directory database.

   Create the SPNs for the Intel AMT object in Active Directory.

   Compute the Kerberos master key from the Intel AMT object password.

   Set the time on the Intel AMT device using the Network Time Interface.

   Configure the Intel AMT Kerberos parameters.

   Configure the Intel AMT ACL.
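The two steps in the list above that are pure computation, building the SPNs for the directory object and deriving the Kerberos master key from the object's password, can be checked offline. The following Python is an added example, not code from the Intel AMT SDK or its sample Configuration Server. It assumes the SPNs take the form HTTP/<fqdn>:<port> for the two default Intel AMT ports 16992 and 16993, and that the master key is the RC4-HMAC string-to-key value of RFC 4757 (the MD4 digest of the UTF-16LE password, the same value as a Windows NT hash); which encryption type a given firmware version uses should be confirmed against the SDK's Kerberos setup section. The function and variable names are the example's own; MD4 is implemented inline because OpenSSL 3 builds of Python often ship it only as a legacy algorithm.

```python
"""Offline helpers for preparing an Intel AMT device for Kerberos (added example)."""
import struct

# Assumption: Intel AMT listens on 16992 (HTTP) and 16993 (HTTPS); each needs an SPN.
AMT_PORTS = (16992, 16993)


def amt_spns(fqdn: str) -> list:
    """Return the HTTP/<fqdn>:<port> SPNs to register on the AMT directory object."""
    return [f"HTTP/{fqdn}:{port}" for port in AMT_PORTS]


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used here only because hashlib may lack it."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_hmac_master_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 over the UTF-16LE password, no salt, no iterations.

    Assumption: this is the value Intel AMT expects as its Kerberos master key.
    Treat the result exactly like the password it was derived from.
    """
    return _md4(password.encode("utf-16-le"))


if __name__ == "__main__":
    # Constructed sample input; the password is deliberately a known test value.
    host = "amt-host.corp.example.com"
    print("SPNs to register:", amt_spns(host))
    print("RC4-HMAC master key:", rc4_hmac_master_key("password").hex())
```

The key bytes are what gets pushed to the device in the Kerberos configuration step, so they must be generated and transported under the same protections as the directory object's password, and regenerated whenever that password is rotated (the maintenance task listed below).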

The following maintenance functions must also be performed:

   Change the Intel AMT object password.

   Update the Intel AMT master key.

The task that adds or modifies Active Directory database entries requires privileges to:

   Create Intel AMT objects.

   Change an Intel AMT object password.

   Update the link attribute in the Active Directory computer object.

These functions are performed either via Active Directory API functions or via Intel AMT API functions.

The sample Setup and Configuration Server in the Intel AMT SDK performs a simplified version of several of the above functions. It creates a user entry (not an Intel AMT object entry) in the Active Directory database and creates the SPNs for the entry. When the sample Configuration Server detects the Kerberos option in the default.config.xml file, it creates the directory entry and the associated SPNs using functions in the file KerberosUtil.cpp, which can be found in the Intel AMT SDK directory
<SDK_Root>\Windows\Intel_Manageability_Configuration\Configuration\ConfigurationServer\Src. These functions call Microsoft-supplied sample code that calls Active Directory API functions. The application must run (that is, be executed by a user) with sufficient Active Directory privileges to create a user and add to or modify its properties.

The Sample Configuration Application sets Kerberos options in the Intel AMT device by invoking the AMT_KerberosSettingData.Put method.

The Sample Configuration Application also updates the time on the Intel AMT device using the Network Time Interface, through the methods of the AMT_TimeSynchronizationService class. Kerberos timestamp validation rejects requests when the client and server clocks differ by more than the permitted clock skew (five minutes by default in Active Directory), so the device clock is synchronized before Kerberos is enabled to keep that difference within tolerance.

Use CIM_RemoteIdentity.Create to create a Kerberos ACL entry, or use AMT_AuthorizationService.AddUserAclEntryEx.

Copyright © 2006-2022, Intel Corporation. All rights reserved.