Set Kerberos Settings to Support AES Ciphers

The following steps describe how to configure the Kerberos settings to enable the full cipher set, including AES ciphers (Applicable from Release 8.0).

4.  Retrieve the instance of AMT_KerberosSettingData, where the “InstanceID” key equals “Intel (r) AMT: Kerberos Settings”.

5.  Set the following properties by invoking AMT_KerberosSettingData.Put:

| Property | Value |
| --- | --- |
| RealmName | Kerberos realm name. This is the domain where the platform is located, for example, west.myenterprise.com. |
| ServicePrincipalName | An array of strings, each of which names a distinct service principal. This field is not used and is ignored by Intel AMT. |
| ServicePrincipalProtocol | An array of 16-bit enumeration values: {0,1,2,3}. This field is not used and is ignored by Intel AMT. |
| KeyVersion | Key version number. Its value is initially 1. When a console updates the master key, it can also update this value. Intel AMT saves the value and returns it in response to a Get but does not otherwise use the value. See Kerberos Security Considerations. |
| MasterKey | This property is deprecated in Release 8.0 in favor of using the Passphrase/Salt combination. Do not set this property when setting the Passphrase. Intel AMT will reject a Put with both Passphrase and MasterKey. |
| MaximumClockTolerance | Indicates the number of minutes by which the clocks of the Intel AMT device, the client and the KDC can be out of sync. The maximum and default value is 5 minutes. |
| Passphrase | Required element used by Intel AMT to support the AES ciphers. A possible value is a strong password. |
| Salt | Additional required element used to support the AES ciphers. A possible value is a string unique to the platform, such as its FQDN. |
| IterationCount | The maximum and default value is 4096. Required for AES cipher configuration. |
| KrbEnabled | Indicates whether Kerberos authentication is enabled or disabled. |

The following snippet demonstrates this step. You can execute it by inserting it into the execution template.

```powershell
# $wsmanConnectionObject is assumed to be created by the execution template.
# Retrieve the Kerberos settings instance.
$kerberosSettingsDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_KerberosSettingData WHERE InstanceID='Intel (r) AMT: Kerberos Settings'")
$kerberosSettingsDataInstance = $kerberosSettingsDataRef.Get()

# Realm, plus fields that Intel AMT ignores or only stores.
$kerberosSettingsDataInstance.SetProperty("RealmName","Intel.com")
$kerberosSettingsDataInstance.SetProperty("ServicePrincipalName","N/A")
$kerberosSettingsDataInstance.SetProperty("ServicePrincipalProtocol","0")
$kerberosSettingsDataInstance.SetProperty("KeyVersion","1")
$kerberosSettingsDataInstance.SetProperty("MaximumClockTolerance","5")

# Passphrase, Salt and IterationCount are required for the AES ciphers.
# The values below are samples; MasterKey is deliberately not set.
$kerberosSettingsDataInstance.SetProperty("Passphrase","P@ssw0rd")
$kerberosSettingsDataInstance.SetProperty("Salt","INTEL.COMComputerName")
$kerberosSettingsDataInstance.SetProperty("IterationCount","4096")

# Enable Kerberos and write the settings back to the platform.
$kerberosSettingsDataInstance.SetProperty("KrbEnabled","true")
$kerberosSettingsDataRef.Put($kerberosSettingsDataInstance)
```

 

 

 

 Note:

   When Kerberos is disabled (KrbEnabled is set to false), AMT_KerberosSettingData returns only the following three properties: InstanceID, ElementName and KrbEnabled. In addition, disabling Kerberos (AMT_KerberosSettingData.Put(KrbEnabled = false)) also disables the credential caching state. (See also Get/Set Credential Cache State.)

   Enabling Kerberos will not succeed if the network time was not set first.
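
As an added example (not part of the Intel AMT SDK), the following PowerShell function checks candidate values against the constraints in the property table before Put is invoked. The function name, the 16-character passphrase minimum and the salt-equals-realm check are assumptions made for illustration; the sample values are constructed.

```powershell
# Added example (not Intel SDK code). Checks candidate property values
# against the rules stated in the property table before calling Put.
function Test-AmtKerberosAesSettings {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [int]$MinPassphraseLength = 16   # assumption: local policy, not an AMT rule
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Passphrase, Salt and IterationCount are each required for the AES ciphers.
    foreach ($name in 'Passphrase', 'Salt', 'IterationCount') {
        if ([string]::IsNullOrWhiteSpace([string]($Settings[$name]))) {
            $problems.Add("$name is required for AES but is missing or empty")
        }
    }
    # Intel AMT rejects a Put that carries both Passphrase and MasterKey.
    if ($Settings.ContainsKey('Passphrase') -and $Settings.ContainsKey('MasterKey')) {
        $problems.Add('Passphrase and MasterKey are both set; drop the deprecated MasterKey')
    }
    # Maximum values stated in the property table.
    $limits = @{ IterationCount = 4096; MaximumClockTolerance = 5 }
    foreach ($name in $limits.Keys) {
        if (-not $Settings.ContainsKey($name)) { continue }
        $value = 0
        if (-not [int]::TryParse([string]($Settings[$name]), [ref]$value)) {
            $problems.Add("$name must be an integer")
        } elseif ($value -gt $limits[$name]) {
            $problems.Add("$name is $value; the maximum is $($limits[$name])")
        }
    }
    # Local hygiene checks (assumptions): passphrase length, and a salt that is
    # only the realm name would be shared by every platform in that realm.
    $pass = [string]($Settings['Passphrase'])
    if ($pass -and $pass.Length -lt $MinPassphraseLength) {
        $problems.Add("Passphrase is shorter than $MinPassphraseLength characters")
    }
    if ($Settings['Salt'] -and $Settings['Salt'] -eq $Settings['RealmName']) {
        $problems.Add('Salt equals RealmName, so it is not unique to the platform')
    }
    $problems   # emits one string per problem; nothing when the values pass
}

# Constructed sample input, mirroring the values in the snippet above.
$candidate = @{
    RealmName = 'Intel.com'; Passphrase = 'P@ssw0rd'; Salt = 'INTEL.COMComputerName'
    IterationCount = '4096'; MaximumClockTolerance = '5'; KrbEnabled = 'true'
}
$issues = @(Test-AmtKerberosAesSettings -Settings $candidate)
if ($issues.Count) { $issues | Write-Warning } else { 'Values are consistent with the property table.' }
```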

 

SDK Sample

Not applicable

 

See Also:

   Integration with Active Directory

   ACL Management Using AMT_AuthorizationService

   ACL Management Using RBA and SIM

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.