I recently extended our AD schema, selected "Integrate with Active Directory" on the General config page of the SCS console and added the SMSAMTUser_xxx accounts along with my NT acct to the AMT profile ACL and reprovisioned a sample of my vPro systems. I can perform all the AMT functions via the SMS 2003 sp2 admin console but can no longer access these same machines using either the Web UI or AMT Commander even when running these utilities logged as the SMSAMTUser_xxx accounts or any other account. Am I missing something here? I thought that both the Web UI and the AMT Commander supported Kerberos authenication. Any advice would be appreciated.
If you are attempting to access the Webui from Internet Explorer you may need to edit the registry as described here: http://support.microsoft.com/default.aspx/kb/938305
Internet Explorer will try to use the credentials of the user logged onto the system to access the Webui. I sometimes disable that feature by performing the following: Open the Internet Explorer Tools menu, select Internet Options and then the Advanced tab. Go to the Security section and remove the check from Integrated Windows Authentication.
If you are using Mutual TLS authentication ensure that you are trying to access the Webui from a system that has the correct certificates.
By disabling the Integrated Windows Authenication I can now use the digest 'admin' account to access my vPro clients - even after they've been reprovisioned to be AD Integrated. Still can't use my NT account or even the SMSAMTUser_xxx accounts to connect though - even though my NT account and the SMSAMTUser_xxx accounts are defined in SCS profile ACL list with the first 5 realms.
Do you happen to know if AMT Kerberos works across multiple domains in the same forest? The reason I ask is that I have client that belongs to the same domain as the SMS Primary Site Server and SMSAMTUser_xxx account and I can manage this PC OK using the SMS console (still cannot connect via the AMT cmdr or Web UI with my account with is in another domain). I did a full reprovision of a PC in another domain within the same forest other than the domain where my SMS servers and accounts live and I cannot discover or manage this PC. When I attempt to discover this PC I get "Intel(R) AMT Discovery: System located, but not accessible: Wrong Intel(R) AMT username/password or Kerberos credentials).
AMT Kerberos authentication works across multiple domains in the same forest.
If you are using IE6 to attempt kerberos authentication via the WebUI, you will need to install the patch in Microsoft knowledge base article KB899900 and KB908209. Reenable integrated authentication in your browser after installing the patches and try Kerberos authentication again.
Are you using TLS or Mutual TLS? If you are, try accessing the WebUI from the same system that the SMS console is installed on.
Are you using the full AD domain\user ID when you attempt to log into the Web UI?
In other words you must use x.y.z\userid instead of x\userid as the login id.
This, along with the registery key found in http://support.microsoft.com/kb/908209 and enabling integrated windows authentication in IE allows me to use a Kerberos ID to access the web UI with a TLS profile applied. Hope this helps