Kerberos tickets can become obsolete in the following ways:
• The ticket expired after its defined lifetime, typically eight hours.
• An IT technician changed the password on the associated Active Directory object.
• The ticket cache is full because more than 24 tickets were received by Intel AMT in 10 minutes. (This is an unlikely situation – if this is the problem, retry until the oldest ticket expires. This could take, at most, ten minutes.)
Starting with Release 8.0, Intel AMT will reject a valid, unexpired ticket if the Authenticator timestamp is less than the timestamp on the corresponding ticket in the ticket cache. This can happen if the Intel AMT firmware was initialized within ten minutes of the Kerberos authentication attempt. The purpose of this change is to reduce the possibility of a replay attack. Here are two examples of how this could happen:
• A management console tries to power up Intel AMT using Kerberos authentication when sending the power-up command. As Intel AMT comes up, it will reject the connection.
• Using KVM to save BIOS settings may trigger a global reset. Continuing the KVM session will require a new ticket.
In both cases, Intel AMT will reject the request due to the timestamp mismatch.
Attempting to authenticate to Intel AMT with an obsolete ticket, or with one that appears to be out of date, results in Intel AMT returning a 401 (Unauthorized) error.
To recover from this situation, the IT user should purge the ticket cache on the console platform. The Active Directory authorization mechanism will generate new tickets as the need arises. Purge the ticket cache either with an available tool such as the Microsoft Kerberos Tray tool, or with a tool you create using the techniques in AMTKList.exe, a sample tool included in the Intel AMT SDK.
The AMTKList tickets option lists the tickets currently in the cache that have SPNs associated with Intel AMT (see Using Active Directory to Manage Intel AMT Devices). The purge option purges only those tickets that have Intel AMT-related SPNs. Use the purge option with a specific FQDN to purge only those tickets with that FQDN. For example:
AMTKList.exe purge workstation1.west.yourenterprise.com
AMTKList can be found at <SDK_root>\Windows\Intel_AMT\Tools.
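The following Python model, added here as an illustration and not Intel AMT firmware or SDK code, ties the rules above together: the eight-hour ticket lifetime, the cache-full limit of 24 new tickets in ten minutes, the Release 8.0 rule that rejects an authenticator whose timestamp is older than the one cached for the same ticket, the resulting 401, and the console-side purge (all tickets or only one FQDN, as the AMTKList purge option does) followed by a fresh ticket. Class and function names, the simplified ticket and authenticator structures, and the principal and SPN strings are invented for the example; only the numbers come from the text.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

TICKET_LIFETIME_S = 8 * 3600  # typical ticket lifetime from the text
CACHE_WINDOW_S = 10 * 60      # receipt window for the cache-full rule
CACHE_MAX_TICKETS = 24        # more than this many in the window = cache full


@dataclass(frozen=True)
class Ticket:
    client: str     # principal presenting the ticket (constructed values)
    spn: str        # Intel AMT service principal, e.g. "HTTP/host.domain"
    issued_at: int  # issue time in seconds (stand-in for the KDC's value)

    def expired(self, now: int) -> bool:
        return now >= self.issued_at + TICKET_LIFETIME_S


@dataclass(frozen=True)
class Authenticator:
    ticket: Ticket
    timestamp: int  # console clock when the authenticator was built


class AmtTicketCache:
    """Firmware-side view (hypothetical model): last authenticator timestamp
    per cached ticket plus receipt times of new tickets in the last ten minutes."""

    def __init__(self) -> None:
        self._last_ts = {}          # Ticket -> last accepted authenticator timestamp
        self._received = deque()    # receipt times of tickets new to the cache

    def authenticate(self, auth: Authenticator, now: int):
        ticket = auth.ticket
        if ticket.expired(now):
            return 401, "ticket expired"
        cached = self._last_ts.get(ticket)
        if cached is None:
            # New ticket: forget receipts older than the window, then check room.
            while self._received and now - self._received[0] >= CACHE_WINDOW_S:
                self._received.popleft()
            if len(self._received) >= CACHE_MAX_TICKETS:
                return 401, "ticket cache full, retry later"
            self._received.append(now)
        elif auth.timestamp < cached:
            # Release 8.0 rule from the text: an authenticator older than the
            # one already cached for this ticket is treated as a possible replay.
            return 401, "authenticator older than cached ticket"
        self._last_ts[ticket] = auth.timestamp
        return 200, "ok"


class ConsoleTicketCache:
    """Console-side cache with list/purge behaviour modelled on the text's
    description of the AMTKList sample: purge all, or only one FQDN."""

    def __init__(self) -> None:
        self._tickets = {}  # SPN -> Ticket

    def get_ticket(self, client: str, spn: str, now: int) -> Ticket:
        if spn not in self._tickets:
            # Stand-in for a service-ticket request to the KDC.
            self._tickets[spn] = Ticket(client, spn, now)
        return self._tickets[spn]

    def tickets(self):
        return sorted(self._tickets)

    def purge(self, fqdn: Optional[str] = None) -> None:
        if fqdn is None:
            self._tickets.clear()
        else:
            self._tickets = {s: t for s, t in self._tickets.items()
                             if s.split("/", 1)[-1] != fqdn}


def connect_with_recovery(console, amt, client, spn, now):
    """Authenticate once; on 401 purge that host's ticket as the text
    recommends, obtain a fresh one and retry. Returns (status, reason, attempts)."""
    status, reason = 401, "not attempted"
    for attempt in (1, 2):
        ticket = console.get_ticket(client, spn, now)
        status, reason = amt.authenticate(Authenticator(ticket, now), now)
        if status == 200:
            return status, reason, attempt
        console.purge(spn.split("/", 1)[-1])
    return status, reason, 2


if __name__ == "__main__":
    amt, console = AmtTicketCache(), ConsoleTicketCache()
    client = "itadmin@west.yourenterprise.com"
    spn = "HTTP/workstation1.west.yourenterprise.com"
    console.get_ticket(client, spn, 0)  # a ticket that will be expired below
    print(connect_with_recovery(console, amt, client, spn, TICKET_LIFETIME_S + 1))
```

Note that a cache-full 401 is not cured by purging the console cache: the function still returns 401 after its retry, which is the case where the text says to keep retrying until the oldest entry ages out of the ten-minute window.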
Copyright © 2006-2022, Intel Corporation. All rights reserved.