1 Reply Latest reply on Sep 5, 2017 9:31 AM by MonlyGM

    Intel SCS Kerberos Issue


      Hello All!



      First off, Digest Authentication works without ANY issue



      I'm running into an issue with Kerberos Authentication. I was hoping someone could provide some insight as to what's going on.

      Below is the environment I'm working with:


      1) Intel SCS Server v11.1 (Windows Server 2012)

      2) Lenovo X1 Carbon Gen 4  (Windows 10 1703)


      I am using the most basic Profile possible for AD Integration with ACL Groups


      No other options are being selected as of now (NO TLS, NO Home Domains, NO Remote, NO Network, etc)


      For the AD Integration piece, I performed the following:


      1) I created the OU in our active directory

      2) I gave the SCS Admin user FULL CONTROL to the OU


      For the ACL piece, I performed the following:


      1) I created a SCS Admin Domain Local Group in Active Directory and added the SCS Admin user to the group

      2) I added the SCS Admin Group to the ACL in the profile (Permissions are EVERYTHING except Access Monitor)

      3) I added the SCS Admin User itself to the ACL in the profile (Permissions are EVERYTHING except Access Monitor)


      The profile has 2 entries, 1 is the SCS admin, and the other is the group




      When I remote_configure the X1 Carbon Laptop, everything succeeds and the system is Configured in Admin Control Mode


      I see the system report to the SCS server, and I am able to hit the AMT Web UI @ http://laptop.domain.com:16992


      Furthermore, I am able to access ALL AMT functions including KVM using the Intel Manageability Commander (Mesh Edition)




      ONLY with the DIGEST authentication (admin / ******)



      Kerberos is NOT working....


      I have performed the following troubleshooting steps for Kerberos


      1) I verified the computer account is being created in the OU (samAccountName = LAPTOP$iME)


      2) I verified the servicePrincipalName on the above object contains the following SPNs









      3) I verified there are NO duplicate SPNs in our environment (setspn -X)


      As far as I can tell, that is all that's required to get AD / Kerberos up and running



      When I try to hit the AMT Web UI using Internet Explorer or Chrome, I get a challenge for Username / Password


      If I type incorrect domain credentials, it goes to the Intel Login page and says (Incorrect Password)


      If I type correct domain credentials, I get an HTTP 400 - Bad Request




      When I use the Intel Manageability Commander (Kerberos NO TLS), I get "Error #400"


      When I use the Intel Manageability Commander (Digest), it works perfectly




      I'm not sure what's going on here.


      I have the environment stripped down to the very minimum required to get a system provisioned via SCS with AD integration


      What am I missing?

      Any assistance is much appreciated!