The following steps describe how to create a Kerberos user. Intel AMT extends the Simple Identity Management model, using the permission-granting mechanism in the Role Based Authorization profile implementation.
1. Create a user/group in Active Directory and get the SID of the user/group.
2. Invoke CIM_RemoteIdentity.Create:
a. InstanceID: This is a mandatory field but its value is ignored by Intel AMT.
b. Name: This is the SID of the user/group.
c. NameFormat: Set to 4 – The SID format.
Additional Information
You cannot create a Kerberos user using an SID that was used to create a different Kerberos user.
If the SID represents a group, all users that are members of that group will have the Intel AMT permissions assigned to the group.
The InstanceID field is ignored by Intel AMT.
This method creates three objects and all of the relevant associations, as shown in the Kerberos diagram:
• CIM_Role
The objects are one-to-one.
Kerberos identities receive the same initial privileges as Digest users. To change the privileges of a selected identity, change the permitted realms by using the CIM_Privilege Get and Put methods.
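A pre-flight check for step 2, as an added example (not code from the Intel AMT SDK): it validates the SID, rejects one already used for another Kerberos user, and warns when the SID is a well-known broad group, since every member would receive the Intel AMT permissions. Assumptions: the SID is handled in its string form, `existing_names` holds the Name values of identities already created on the device, and the function names and the `placeholder` InstanceID value are hypothetical.

```python
import re

NAME_FORMAT_SID = 4  # from the page: NameFormat 4 is the SID format
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$", re.IGNORECASE)
# Well-known Windows SIDs and domain RIDs with very broad membership.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
BROAD_DOMAIN_RIDS = {513: "Domain Users", 514: "Domain Guests",
                     515: "Domain Computers"}


def canonical_sid(sid):
    """Validate a SID string and return it in canonical form."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if authority >= 2**48 or any(s >= 2**32 for s in subs):
        raise ValueError(f"SID field out of range: {sid!r}")
    return "S-1-" + "-".join(str(n) for n in [authority] + subs)


def broad_group(sid):
    """Return the name of a broad well-known group, or None."""
    sid = canonical_sid(sid)
    parts = [int(p) for p in sid.split("-")[2:]]
    if parts[:2] == [5, 21] and len(parts) == 6:  # S-1-5-21-<domain>-<RID>
        return BROAD_DOMAIN_RIDS.get(parts[-1])
    return BROAD_SIDS.get(sid)


def build_create_input(sid, existing_names):
    """Return (properties, warnings) for CIM_RemoteIdentity.Create."""
    sid = canonical_sid(sid)
    if sid in {canonical_sid(n) for n in existing_names}:
        raise ValueError(f"{sid} already backs a Kerberos user")
    warnings = []
    name = broad_group(sid)
    if name:
        warnings.append(f"{sid} is {name}: every member gets the AMT permissions")
    props = {"InstanceID": "placeholder",  # mandatory, value ignored by Intel AMT
             "Name": sid, "NameFormat": NAME_FORMAT_SID}
    return props, warnings


if __name__ == "__main__":
    existing = ["S-1-5-21-1004336348-1177238915-682003330-1105"]  # constructed
    print(build_create_input("S-1-5-21-1004336348-1177238915-682003330-513", existing))
```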
Instance Diagram
Classes Used in This Flow
SDK Sample
Not applicable
Copyright © 2006-2022, Intel Corporation. All rights reserved.