Setup and Configuration of Intel AMT > Configuration Settings > Kerberos Settings > Use Cases > Set Kerberos Settings to Support AES Ciphers
CollapseAll image

Set Kerberos Settings to Support AES Ciphers

The following steps describe how to configure the Kerberos settings to enable the full cipher set, including AES ciphers (Applicable from Release 8.0).

4.  Retrieve the instance of AMT_KerberosSettingData, where the “InstanceID” key equals “Intel (r) AMT: Kerberos Settings”.

5.  Set the following properties by invoking AMT_KerberosSettingData.Put:




Kerberos realm name – This is the domain where the platform is located, for example,


An array of strings, each of which names a distinct service principal. This field is not used and ignored by Intel AMT.


An array of 16-bit enumeration values: {0,1,2,3} This field is not used and ignored by Intel AMT.


Key version number – its value is initially 1. When a console updates the master key, it can also update this value. Intel AMT saves the value and returns it in response to a Get but does not otherwise use the value. See Kerberos Security Considerations.


This property is deprecated in Release 8.0 in favor of using the Passphrase/Salt combination. Do not set this property when setting the Passphrase. Intel AMT will reject a Put with both Passphrase and MasterKey.a


Indicates the number of minutes by which the clocks of the Intel AMT device and client and KDC can be out of sync. The maximum and default value is 5 minutes.


Required element used by Intel AMT to support the AES ciphers. A possible value is a strong password.


Additional required element used to support the AES cipher. A possible value is a string unique to the platform, such as its FQDN.


The maximum, and default value is 4096. Required for AES cipher configuration.


Indicates whether Kerberos authentication is enabled or disabled.

Click here for a snippet demonstrating this step

You can execute this snippet by inserting it into the execution template found here.


$kerberosSettingsDataRef =$wsmanConnectionObject.NewReference("SELECT * FROM AMT_KerberosSettingData WHERE InstanceID='Intel (r) AMT: Kerberos Settings'")

$kerberosSettingsDataInstance =$kerberosSettingsDataRef.Get()















   When Kerberos is disabled (KrbEnabled is set to false) AMT_KerberosSettingData will only return the following three properties: InstanceID, ElementName and KrbEnabled. In addition, disabling Kerberos (AMT_KerberosSettingData.Put(KrbEnabled = false), will also disable the credential caching state. (See also Get/Set Credential Cache State.)

   Enabling Kerberos will not succeed if the network time was not set first.


Instance Diagram

Classes Used in This Flow

SDK Sample

Not applicable


See Also:

   Integration with Active Directory

   ACL Management Using AMT_AuthorizationService

   ACL Management Using RBA and SIM


Copyright © 2006-2022, Intel Corporation. All rights reserved.