
Intel vPro Expert Center Blog

6 Posts tagged with the kerberos tag

Hello vPro Experts!

 

I would like to pass on some information that I discovered a while ago, based on a Microsoft Premier Support ticket. I was having trouble getting the Microsoft Out-of-Band (OOB) Management Console functioning from a Windows XP system. I tried everything on a fresh, standard build of Windows XP, but nothing would work.

 

After working with Premier Support, we finally discovered that Windows XP Service Pack 3 (SP3) was required for proper functioning of the Microsoft OOB console.

 

This behavior is actually related to some functionality that was added in SP3, specifically in the winhttp.dll library. The WinHttp library exposes a function called WinHttpSetOption, which the console calls with a parameter that enables the WinHttp option flag named WINHTTP_ENABLE_SPN_SERVER_PORT. This flag makes the WinHttp library include the server port in the Kerberos Service Principal Name (SPN), which is required because the AMT web service runs on a non-standard HTTP port (16993).

 

The Windows XP Service Pack 2 (SP2) version of the WinHttp library does not include this capability, and consequently fails to authenticate. In order to properly connect to ConfigMgr-provisioned AMT devices with the Microsoft OOB Console, please make sure your helpdesk / support systems are running Windows XP SP3.

 

If you have any questions, feel free to post them in the comments section, and I will do my best to answer them.

 

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Comments

If you are having problems accessing the WebUI of a provisioned system using an Active Directory user ID, review the data in my latest document: Access to the Intel® vPro™ Web UI with Active Directory User IDs

0 Comments

vPro AMT can leverage Kerberos authentication to allow management from your management console to the AMT firmware. Depending on the management console of choice (e.g. SCCM, Altiris, SMS) you may be using Kerberos or digest authentication. If you are using a management console like SCCM that only uses Kerberos authentication, there are a few things you should be aware of in case you are having problems managing your vPro systems. To learn more about Kerberos authentication and AMT, you can refer to this previous posting in the vPro Expert Center about an Altiris environment: http://communities.intel.com/docs/DOC-1913

In AMT (version 2.x, 3.x, 4.x, and 5.x) there is a Kerberos ticket size limit that varies among versions of AMT (see graph 1 below on specifics for each firmware version). With respect to Kerberos authentication, AMT has different limits for HTTP connection and Serial-Over-LAN (SoL).

The Intel® vPro firmware supports Kerberos service tickets that are 4K or smaller for HTTP connections (authenticating the management console to AMT). This 4K limit is specific to making an authenticated connection via Kerberos. IDER/SoL capabilities have a smaller Kerberos ticket size limit of 3K. Both the 4K and 3K limits are measured on the Base64-encoded ticket, not the raw binary size. The ticket size for a given Kerberos account varies with factors such as the account's group memberships in the domain.

Therefore it is important to know the size of the ticket created when an account logs on to the management console. If an account that is logged in to the management console exceeds these limits, you may experience failures either when connecting to AMT or when invoking IDER/SoL.

If you are experiencing issues with connecting or using IDER/SoL, you can download a free Microsoft utility (Link to Utility) to validate the size of the Kerberos token for an account. The output from this utility reports the size of the token as a raw binary value. You will need to convert this value from binary to Base64 to determine whether the account being used exceeds these thresholds - [Algorithm for Base64 to binary: (Base64 length/4)*3; so, in the other direction, Base64 length = (binary length/3)*4, rounded up].

Here is an example for the output from this utility for a logged in user:

C:\Tools\Kerberos>tokensz.exe /compute_tokensize | findstr -i complete

This is the output -> MaxToken (complete context)  2337

You will notice that, once converted to Base64, this binary value of 2337 exceeds the IDER/SoL limit of several versions of AMT. In this example, the account's ticket would need to be reduced (e.g. by removing the account from x number of domain groups) to bring the Kerberos ticket size under the limit for IDER/SoL.

Here is a video to show different examples of an account with various Kerberos token sizes and the different behaviors experienced on an AMT 4.0 system [Link to Video - WMV format].

Also, I would appreciate hearing from the entire community what size Kerberos tokens your support group has for the accounts that would use SCCM to manage vPro systems. Would these current size restrictions cause issues for your support teams? Thanks in advance for the "real-world" feedback.

Graph 1: Kerberos Token Size Limits.jpg

7 Comments
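The post above gives the limits in Base64 characters but tokensz.exe reports the token in raw bytes, so the two have to be reconciled before you can tell whether an account will fail IDER/SoL. The following script is an added example, not a tool from Intel or from the post's author: it parses the "MaxToken (complete context)" line that tokensz.exe prints (the sample output below is constructed around the exact line shown in the post), converts the binary size to its Base64 length using the (binary/3)*4 rule (rounded up, because Base64 pads partial groups), and compares it with the two limits. It assumes "4K" and "3K" mean 4096 and 3072 characters; the post's graph gives the per-version values, so adjust the LIMITS_BASE64 table for your firmware.

```python
"""Check an account's Kerberos token size against the Intel AMT ticket limits.

Added example. Assumes the post's "4K" (HTTP) and "3K" (IDER/SoL) limits are
4096 and 3072 Base64 characters; per-version values come from the post's graph.
"""
import math
import re

# Limits quoted in the post, in Base64 characters (assumed K = 1024).
LIMITS_BASE64 = {
    "http": 4096,      # console-to-AMT authenticated HTTP connection
    "ider_sol": 3072,  # IDE redirection / Serial-over-LAN
}

# Constructed sample of tokensz.exe output. Only the MaxToken line is the
# format shown in the post; the surrounding lines are filler.
SAMPLE_TOKENSZ_OUTPUT = """\
Compute token size for the current user
MaxToken (complete context)  2337
"""

_MAXTOKEN_RE = re.compile(r"MaxToken \(complete context\)\s+(\d+)")


def parse_max_token(output: str) -> int:
    """Return the raw (binary) token size in bytes from tokensz output."""
    match = _MAXTOKEN_RE.search(output)
    if match is None:
        raise ValueError("no 'MaxToken (complete context)' line in tokensz output")
    return int(match.group(1))


def base64_length(binary_length: int) -> int:
    """Base64 characters for binary_length bytes: each 3-byte group becomes 4 chars,
    and a trailing partial group is padded out to a full 4 characters."""
    if binary_length < 0:
        raise ValueError("token size cannot be negative")
    return math.ceil(binary_length / 3) * 4


def max_binary_for_limit(base64_limit: int) -> int:
    """Largest raw token that still fits a Base64 limit (the post's (len/4)*3 rule)."""
    return (base64_limit // 4) * 3


def check_token(binary_length: int, limits=LIMITS_BASE64) -> dict:
    """Compare the Base64 size of a token against each AMT limit.

    Returns, per limit name, the encoded length, the limit, whether it fits,
    and the largest raw token (bytes) that would fit that limit."""
    encoded = base64_length(binary_length)
    return {
        name: {
            "base64_length": encoded,
            "limit": limit,
            "fits": encoded <= limit,
            "max_binary": max_binary_for_limit(limit),
        }
        for name, limit in limits.items()
    }


if __name__ == "__main__":
    size = parse_max_token(SAMPLE_TOKENSZ_OUTPUT)
    print(f"raw token size: {size} bytes -> {base64_length(size)} Base64 chars")
    for name, result in check_token(size).items():
        verdict = "OK" if result["fits"] else "TOO LARGE"
        print(f"  {name:9s} limit {result['limit']} chars "
              f"(max {result['max_binary']} raw bytes): {verdict}")
```

Note that the raw value 2337 is below 3072, so comparing bytes directly to the "3K" figure would wrongly report the account as fine; only after encoding (2337 bytes becomes 3116 characters) does it show as exceeding the IDER/SoL limit while still fitting the HTTP limit, which is the behaviour the post describes. The max_binary figures (3072 and 2304 bytes) are the practical targets to aim for when trimming an account's group memberships.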

Check out the recent post on Altiris Juice on Kerberos authentication to Intel vPro systems.

 

The article provides background, how-to, known issues, and future considerations.

 

http://juice.altiris.com/node/4492

0 Comments

A great question was raised: is Kerberos authentication most or least restrictive on rights and access? First a little background - Kerberos authentication in an Intel vPro world allows you to specify an NT user or group for authentication purposes, and to authorize them for Intel AMT realm access on the provisioned Intel vPro device.

 

What if a user is a member of two different groups, both of which are defined in the provisioning profile, with each group having different authorization to the Intel AMT realms? For example - GroupA can only remotely power a system, while GroupB can only place System Defense filters on a system. If User1 is a member of GroupA and GroupB - what resulting access does that user get?

 

The answer is "least restrictive" - in that the user has the combination of authorization from both GroupA and GroupB.

 

Interested to hear what the community has experienced. Keep the questions coming.

0 Comments