Using Active Directory to Manage Intel AMT Devices

Intel AMT supports the Kerberos option based on the following standards:

   Kerberos V5 (RFC 1510)

   GSS-API (RFC 1964)

   SPNEGO (RFC 2578)

Intel AMT supports the RC4-HMAC cipher suite.

Starting with Release 8.0, Intel AMT also supports the Advanced Encryption Standard (AES) through the AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96 cipher algorithms. To enable these ciphers, a setup and configuration application or other console must provide the appropriate field values. See Set Kerberos Settings to Support AES Ciphers.

Intel AMT is a Kerberized UNIX service from the point of view of Active Directory. Each device registers with Active Directory and provides six Service Principal Names (SPNs) for the six services it provides:

SPN                   Service
HTTP/FQDN:16992       SOAP over HTTP
HTTP/FQDN:16993       SOAP over HTTPS
HTTP/FQDN:16994       Redirection over TCP
HTTP/FQDN:16995       Redirection over TLS
HTTP/FQDN:623         DMTF manageability over TCP
HTTP/FQDN:664         DMTF manageability over TLS

The SOAP SPNs support all of the Intel AMT functionality that uses SOAP over HTTP or HTTPS for remote communications. However, see Notes and Limitations.

The Intel AMT redirection functionality communicates using TCP/IP with or without TLS.

The DASH SPNs support WS-Management communications modeled on DASH profiles.
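The following is an added example, not Intel's code or part of the SDK: it builds the six SPNs listed above for a device FQDN and audits them against the SPN list read back from the directory. The sample directory output is constructed here in the shape printed by `setspn -L <account>` (a header line followed by indented SPNs); the host name amt-desk01.example.com is an assumption. A missing SPN is the usual reason a Kerberized console cannot obtain a service ticket for one of the six services while Digest access still works.

```python
"""Audit the Service Principal Names an Intel AMT device holds in Active Directory.

Added example (not Intel's code). Builds the expected HTTP/<FQDN>:<port> set from
the device FQDN and diffs it against the SPNs registered on the AD object.
"""

# Port -> service, as listed in the SPN table on this page.
AMT_SPN_PORTS = {
    16992: "SOAP over HTTP",
    16993: "SOAP over HTTPS",
    16994: "Redirection over TCP",
    16995: "Redirection over TLS",
    623: "DMTF manageability over TCP",
    664: "DMTF manageability over TLS",
}


def canonical(spn: str) -> str:
    """Normalise an SPN for comparison: service class upper-case, host part lower-case
    (Kerberos SPN matching in Active Directory is case-insensitive)."""
    service, _, rest = spn.strip().partition("/")
    return f"{service.upper()}/{rest.lower()}"


def expected_spns(fqdn: str) -> set:
    """Return the six SPNs an Intel AMT device registers: HTTP/<FQDN>:<port>."""
    fqdn = fqdn.strip().lower()
    if not fqdn or " " in fqdn or "/" in fqdn:
        raise ValueError("FQDN must be a single non-empty host name")
    return {canonical(f"HTTP/{fqdn}:{port}") for port in AMT_SPN_PORTS}


def parse_setspn_output(text: str) -> set:
    """Extract SPNs from `setspn -L` output: the unindented header line names the
    account; every indented non-blank line that follows is one SPN."""
    spns = set()
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            continue  # header or blank line
        if line.strip():
            spns.add(canonical(line))
    return spns


def audit_spns(fqdn: str, registered: set) -> dict:
    """Compare the registered SPNs with the expected set.

    'missing'    -> a console's ticket request for that service cannot be satisfied
                    by the KDC (the service principal is unknown).
    'unexpected' -> SPNs on the account that are not part of the Intel AMT set
                    (may be legitimate, but worth a look in an audit).
    """
    expected = expected_spns(fqdn)
    registered = {canonical(s) for s in registered}
    return {"missing": expected - registered, "unexpected": registered - expected}


# Constructed sample: the TLS DMTF SPN (port 664) is absent and an extra HOST/ SPN exists.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=amt-desk01,CN=Computers,DC=example,DC=com:
\tHTTP/amt-desk01.example.com:16992
\tHTTP/amt-desk01.example.com:16993
\tHTTP/amt-desk01.example.com:16994
\tHTTP/amt-desk01.example.com:16995
\tHTTP/amt-desk01.example.com:623
\tHOST/amt-desk01.example.com
"""

if __name__ == "__main__":
    result = audit_spns("amt-desk01.example.com", parse_setspn_output(SAMPLE_SETSPN_OUTPUT))
    for spn in sorted(result["missing"]):
        port = int(spn.rsplit(":", 1)[1])
        print(f"MISSING    {spn}  ({AMT_SPN_PORTS[port]})")
    for spn in sorted(result["unexpected"]):
        print(f"UNEXPECTED {spn}")
```

In a real audit the text fed to `parse_setspn_output` would come from running `setspn -L` (or reading the `servicePrincipalName` attribute) against the computer or user object the configuration tool created for the device; the check is read-only and does not alter the directory.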

Each Intel AMT device is recorded in the Active Directory database as an Intel AMT object, which is defined as an Active Directory computer object with the version of Intel AMT linked to it. The Intel AMT device hostname makes the entry unique. Active Directory uses the Intel AMT device password to create the device secret.

The Sample Configuration Application performs this function in a simplified way by registering each Intel AMT device as a user with the associated SPNs. The Intel AMT Setup and Configuration Server provides scripts for extending the Active Directory schema, and creates AMT objects for all configured Intel AMT devices.

The Intel AMT device maintains an Access Control List (ACL) of those users that can access Realms within the device. When a Management Console client application manages the device directly and uses Digest authentication, the ACL contains an entry per user. Each entry contains a user ID, a password, a list of the Intel AMT realms to which the user has access, and whether the user has local access, remote access, or both.

Username   Password        Realms           Access
User01     *************   Admin; Storage   Remote
User02     *************   Agent Presence   Remote; Local

When the Intel AMT device is configured to work with Active Directory, an ACL entry contains an SID, a list of realms, and local/remote access permissions. An SID can be for an individual user or it can be an Active Directory Group and represent multiple users.

SID                 Realms           Access
01050000374FF6…     Admin; Storage   Remote
0105000013AC81…     Agent Presence   Remote; Local

An Intel AMT device can operate with both forms of ACL simultaneously, so that a Management Console application that is Kerberized can access an Intel AMT device using Kerberos, while another application can contact the same device using Digest authentication. Note that the MEBx SOL/Storage Redirection settings can limit redirection applications to Kerberos-only ACL entries.
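The two ACL forms and their coexistence, as an added example that is not Intel's code and does not reproduce the firmware's actual logic. It models a Digest entry (keyed by username) and a Kerberos entry (keyed by a SID that may be a user or a group), evaluates a realm/access request against each, and decodes a binary SID of the kind shown truncated in the table above into its S-1-... form. All SIDs, usernames and realm assignments are constructed; the Digest password exchange itself is outside the model.

```python
"""Model of Intel AMT's two ACL entry forms (Digest and Kerberos/SID) coexisting.

Added example (not Intel's code). Authorization only: the Digest credential check
and Kerberos ticket validation that precede it are not modelled.
"""
import struct
from dataclasses import dataclass, field

LOCAL, REMOTE = "Local", "Remote"


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID into S-R-I-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then `count` little-endian 32-bit sub-authorities.
    The table above shows such values as hex, e.g. 0105... = revision 1, 5 sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:]) if count else ()
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


@dataclass(frozen=True)
class DigestEntry:
    username: str
    realms: frozenset
    access: frozenset  # subset of {LOCAL, REMOTE}


@dataclass(frozen=True)
class KerberosEntry:
    sid: str           # S-1-... string; a user SID or a group SID
    realms: frozenset
    access: frozenset


@dataclass
class AmtAcl:
    digest: list = field(default_factory=list)
    kerberos: list = field(default_factory=list)

    def authorize_digest(self, username: str, realm: str, origin: str) -> bool:
        """Digest caller: match on username, then realm and local/remote origin."""
        return any(
            e.username == username and realm in e.realms and origin in e.access
            for e in self.digest
        )

    def authorize_kerberos(self, token_sids, realm: str, origin: str) -> bool:
        """Kerberos caller: `token_sids` is the user SID plus the group SIDs carried
        in the ticket's PAC, so a group entry grants access to every member."""
        sids = set(token_sids)
        return any(
            e.sid in sids and realm in e.realms and origin in e.access
            for e in self.kerberos
        )


# Constructed sample SIDs (domain S-1-5-21-1000-2000-3000): a user (RID 1105) and a group (RID 1200).
USER_SID_BYTES = bytes.fromhex("0105000000000005" "15000000" "e8030000" "d0070000" "b80b0000" "51040000")
GROUP_SID_BYTES = bytes.fromhex("0105000000000005" "15000000" "e8030000" "d0070000" "b80b0000" "b0040000")


def build_sample_acl() -> AmtAcl:
    """ACL mirroring the two tables above: Digest entries and SID entries side by side."""
    acl = AmtAcl()
    acl.digest.append(DigestEntry("User01", frozenset({"Admin", "Storage"}), frozenset({REMOTE})))
    acl.digest.append(DigestEntry("User02", frozenset({"Agent Presence"}), frozenset({REMOTE, LOCAL})))
    acl.kerberos.append(KerberosEntry(sid_bytes_to_string(USER_SID_BYTES),
                                      frozenset({"Admin", "Storage"}), frozenset({REMOTE})))
    acl.kerberos.append(KerberosEntry(sid_bytes_to_string(GROUP_SID_BYTES),
                                      frozenset({"Agent Presence"}), frozenset({REMOTE, LOCAL})))
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print("user SID :", sid_bytes_to_string(USER_SID_BYTES))
    print("group SID:", sid_bytes_to_string(GROUP_SID_BYTES))
    print("User01 -> Admin/Remote :", acl.authorize_digest("User01", "Admin", REMOTE))
    print("User01 -> Admin/Local  :", acl.authorize_digest("User01", "Admin", LOCAL))
    member = ["S-1-5-21-1000-2000-3000-2222", sid_bytes_to_string(GROUP_SID_BYTES)]
    print("group member -> Agent Presence/Local:", acl.authorize_kerberos(member, "Agent Presence", LOCAL))
```

The group case is the one to keep in mind when reviewing an AMT ACL: a single SID entry can grant redirection or storage access to everyone the directory places in that group, so the effective access list lives partly in Active Directory, not only in the device.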

Copyright © 2006-2022, Intel Corporation. All rights reserved.