
Get/Set Kerberos Settings

The following steps describe how to retrieve and set the Kerberos settings. In Release 8.0 and later releases, see Set Kerberos Settings to Support AES Ciphers to enable the full cipher set. The MasterKey and EncryptionTyper properties are deprecated in Release 8.0.

1.  Retrieve the instance of AMT_KerberosSettingData, where the “InstanceID” key equals “Intel (r) AMT: Kerberos Settings”.

2.  Examine the following properties, or set these properties by invoking AMT_KerberosSettingData.Put:

| Property | Value |
|---|---|
| RealmName | Kerberos realm name – This is the domain where the platform is located, for example, west.myenterprise.com. |
| ServicePrincipalName | An array of strings, each of which names a distinct service principal. This field is not used and ignored by Intel AMT. |
| ServicePrincipalProtocol | An array of 16-bit enumeration values: {0,1,2,3} This field is not used and ignored by Intel AMT. |
| KeyVersion | Key version number – its value is initially 1. When a console updates the master key, it can also update this value. Intel AMT saves the value and returns it in response to a Get but does not otherwise use the value. See Kerberos Security Considerations. |
| EncryptionAlgorithm | Identifies the encryption algorithm used by Intel AMT. This value is always 0 (representing RC4 encryption and HMAC authentication). |
| MasterKey | The master key used by Intel AMT. This property is not returned by a Get. |
| MaximumClockTolerance | Indicates the number of minutes by which the clocks of the Intel AMT device and client and KDC can be out of sync. The maximum and default value is 5 minutes. |
| KrbEnabled | Indicates whether Kerberos authentication is enabled or disabled. |

The following snippet demonstrates this step. You can execute it by inserting it into the execution template.

```powershell
# $wsmanConnectionObject is not defined here; the snippet is meant to be inserted into the execution template.
$kerberosSettingsDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_KerberosSettingData WHERE InstanceID='Intel (r) AMT: Kerberos Settings'")
# Step 1: retrieve the current instance.
$kerberosSettingsDataInstance = $kerberosSettingsDataRef.Get()

# Step 2: set the properties listed above.
$kerberosSettingsDataInstance.SetProperty("RealmName","intel.com")
$kerberosSettingsDataInstance.SetProperty("ServicePrincipalName","N/A")   # Not used by Intel AMT.
$kerberosSettingsDataInstance.SetProperty("ServicePrincipalProtocol","0") # Not used by Intel AMT.
$kerberosSettingsDataInstance.SetProperty("KeyVersion","1")
$kerberosSettingsDataInstance.SetProperty("EncryptionAlgorithm","0")      # Always 0 (RC4 encryption and HMAC authentication).
$kerberosSettingsDataInstance.SetProperty("MasterKey","4ZzPde5U4GsGpZB68TzvQg==") # The master key in RC4-HMAC format; it must match the value in Active Directory.
$kerberosSettingsDataInstance.SetProperty("MaximumClockTolerance","5")    # Minutes; 5 is the maximum and default.
$kerberosSettingsDataInstance.SetProperty("KrbEnabled","true")

# Write the modified instance back to the device.
$kerberosSettingsDataRef.Put($kerberosSettingsDataInstance)
```

 Note:

   When Kerberos is disabled (KrbEnabled is set to false), AMT_KerberosSettingData will only return the following three properties: InstanceID, ElementName and KrbEnabled. In addition, disabling Kerberos (AMT_KerberosSettingData.Put with KrbEnabled = false) will also disable the credential caching state. (See also Get/Set Credential Cache State.)

   Changing the master key: The Kerberos master key is shared between Active Directory and the Intel AMT device. It is inserted into the Intel AMT device during setup and configuration, and it is also inserted into Active Directory. The key can be changed manually at any time, but the values in Active Directory and Intel AMT must match, so updating one requires updating the other as well.

   Enabling Kerberos will not succeed if the network time has not been set first.
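The constraints in the property table and the notes above can be checked before Put is invoked. The following is an added example, not Intel SDK code: the function name, its parameters and the sample plan are hypothetical, and it assumes a plan that sets MasterKey in RC4-HMAC format as the snippet above does.

```powershell
# Added example, not Intel SDK code. Function and parameter names are hypothetical.
function Test-KerberosSettingPlan {
    param(
        [hashtable]$Plan,       # property name -> value you intend to pass to SetProperty
        [bool]$NetworkTimeSet   # whether network time was already set on the device
    )
    $problems = @()
    $enabled = ([string]$Plan['KrbEnabled']) -eq 'true'

    if (-not $enabled) {
        # Per the note on this page, disabling also turns off credential caching.
        $problems += 'KrbEnabled=false also disables the credential caching state.'
        return $problems
    }
    if (-not $NetworkTimeSet) {
        $problems += 'Network time is not set; enabling Kerberos will not succeed.'
    }
    if ([string]::IsNullOrWhiteSpace([string]$Plan['RealmName'])) {
        $problems += 'RealmName is empty.'
    }
    # The maximum (and default) clock tolerance is 5 minutes.
    $minutes = 0
    $parsed = [int]::TryParse([string]$Plan['MaximumClockTolerance'], [ref]$minutes)
    if (-not $parsed -or $minutes -lt 0 -or $minutes -gt 5) {
        $problems += 'MaximumClockTolerance must be a whole number of minutes, at most 5.'
    }
    # The page states this value is always 0 (RC4 encryption, HMAC authentication).
    if ([string]$Plan['EncryptionAlgorithm'] -ne '0') {
        $problems += 'EncryptionAlgorithm must be 0.'
    }
    # An RC4-HMAC key is 16 bytes; the property carries it base64-encoded.
    try {
        $keyBytes = [Convert]::FromBase64String([string]$Plan['MasterKey'])
        if ($keyBytes.Length -ne 16) {
            $problems += "MasterKey decodes to $($keyBytes.Length) bytes, expected 16."
        }
    } catch [System.FormatException] {
        $problems += 'MasterKey is not valid base64.'
    }
    return $problems
}

# Constructed sample plan with two deliberate mistakes (tolerance and key length).
$plan = @{
    RealmName = 'west.myenterprise.com'; KrbEnabled = 'true'; EncryptionAlgorithm = '0'
    MaximumClockTolerance = '10'; MasterKey = 'AAAAAAAAAAA='   # 8 zero bytes, constructed
}
Test-KerberosSettingPlan -Plan $plan -NetworkTimeSet $true
```

An empty result means the plan passed these checks; it does not confirm that the key matches the one held in Active Directory, which still has to be verified separately.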

 


SDK Sample

Not applicable

 

See Also:

   Integration with Active Directory

   ACL Management Using AMT_AuthorizationService

   ACL Management Using RBA and SIM

Copyright © 2006-2022, Intel Corporation. All rights reserved.