3 Replies Latest reply on Feb 26, 2009 3:06 PM by sdavies

    Troubleshooting AMT WebUI Authentication

    Trevor.Sullivan

      Hello,

      I am unable to authenticate to the AMT WebUI from a Windows XP workstation.

      • XP is at Service Pack 2
      • Microsoft KB908209 is installed (Kerberos / IE6 hotfix)
      • Internal Subordinate and Root CA certs are in both Trusted Root and Intermediate CA stores

      I can authenticate to the WebUI from the Windows 2003 ConfigMgr server that provisioned the AMT device.

      Any ideas on where to start troubleshooting this authentication issue?

      Thanks,

      Trevor Sullivan
      Systems Engineer
      OfficeMax Corporation

        • 1. Re: Troubleshooting AMT WebUI Authentication
          sdavies

          If the browser displays the Intel AMT WebUI login prompt, you can probably eliminate certificates as a cause of the problem.

          Here are some suggestions (in the order of least painful first):

          Make sure Integrated Windows Authentication (IWA) is enabled in the browser.

          Check you are specifying the client FQDN as the URL in the Intel AMT WebUI and not an IP address or alias; otherwise Kerberos authentication will fail during lookup of SPNs.

          Check the registry key associated with KB908209 is also installed on the XP workstation. Without it, KB908209 is ineffective.

          Check to make sure your XP system has synced to network time; otherwise Intel AMT may think you are trying a replay attack and authentication will fail.

          Remove any HTTP proxies your browser may be configured to use. Kerberos authentication through a proxy is not supported by all proxies, so testing without a proxy (if you are using one) may help to identify the issue.

          If none of these work then:

          Use KerbTray (from the Microsoft resource kits) to flush the Kerberos ticket cache, or just log off and log on again to the XP workstation.

          Start a network packet capture program (preferably Wireshark).

          Open the browser, connect to the Intel AMT WebUI (using the FQDN) and try to log on to generate the failure.

          Stop the packet capture program and inspect the Kerberos protocol, especially TGS-REQ and TGS-REP, to ensure your browser is getting a valid ticket back for the Intel AMT service at port 16992/16993. If you do not get a valid ticket back (i.e. SPN not found) then re-check the client FQDN. If the client FQDN is correct then check the SPNs are included in the Active Directory objects using MMC + ADSIEdit, and check DC replication occurred if you are in a multi-domain environment.

          If you get a valid Kerberos ticket back and you still cannot get authenticated, download a copy of TOKENSZ from the Microsoft download area along with a copy of the Microsoft document "Troubleshooting Kerberos Errors". Use the instructions from the document to run TOKENSZ and inspect the Kerberos ticket size. Intel AMT has a limit of ~4KB on ticket size (recently increased to ~10KB). If you are logging into the AMT WebUI using Windows credentials for a user who is a member of many Windows groups then the Kerberos ticket size can become too large and authentication fails. In this instance, use a different Windows user to log in with smaller group membership.

          I hope this helps
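The "least painful" checks from this reply, collected into one script as an added example (not from the thread or from Intel). It assumes the IE registry value names below (EnableNegotiate, ProxyEnable/ProxyServer, and the KB908209 feature-control value as I recall it from the KB article; verify before relying on it), that AMT registers SPNs HTTP/<fqdn>:16992 and :16993, and that a setspn with -Q is available; the FQDN is a constructed placeholder.

```powershell
# Added example, not from the thread: runs the low-effort checks from the reply
# above on the IE client. Registry value names are as recalled from KB908209 and
# IE documentation (assumption); verify against the articles before relying on them.
param(
    [Parameter(Mandatory = $true)][string]$AmtFqdn,          # e.g. amt-client.corp.example (constructed)
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\')
)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie   = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue

# 1. Integrated Windows Authentication (Negotiate/Kerberos) must be on in IE.
"IWA enabled in IE            : $($ie.EnableNegotiate -eq 1)"

# 2. Kerberos through an HTTP proxy is not supported by every proxy; flag one if set.
if ($ie.ProxyEnable -eq 1) { "HTTP proxy configured        : $($ie.ProxyServer) (retest without it)" }
else                        { "HTTP proxy configured        : none" }

# 3. KB908209 is inert without its feature-control value (the missing piece in this thread).
#    Key and value name are an assumption taken from the KB article.
$fc = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$kb = (Get-ItemProperty -Path $fc -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
"KB908209 iexplore.exe value  : $(if ($kb -eq 1) { 'present (1)' } else { 'MISSING or not 1' })"

# 4. The URL must be the client FQDN; an IP address or alias has no matching SPN.
$isIp = [System.Net.IPAddress]::TryParse($AmtFqdn, [ref]$null)
"Target is an FQDN, not an IP : $((-not $isIp) -and $AmtFqdn.Contains('.'))"

# 5. Clock skew beyond the Kerberos window (5 minutes by default) gets the request rejected.
$offset = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1 | Select-Object -Last 1
"Clock offset vs $DomainController : $offset"

# 6. Are the AMT SPNs registered in AD? Assumes AMT uses HTTP/<fqdn>:16992 and :16993
#    and that setspn supports -Q (Vista/2008-era tools; on XP use 'setspn -L <host>' instead).
foreach ($port in 16992, 16993) {
    $spn   = "HTTP/${AmtFqdn}:$port"
    $out   = setspn -Q $spn 2>&1 | Out-String
    $state = if ($out -match 'Existing SPN found') { 'found' } else { 'not found (check AD object and DC replication)' }
    "SPN $spn : $state"
}
```

Run it as the user who cannot log on, since the IE settings and the Kerberos ticket are per-user; if every line reports clean, move on to the packet capture and TOKENSZ steps.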

          • 2. Re: Troubleshooting AMT WebUI Authentication
            Trevor.Sullivan

            Hello,

            Excellent response! Thank you for taking the time to respond in depth to my request for help.

            I have used the tokensz tool before, but I know that the Kerberos ticket size is not an issue, because I can authenticate from my Windows 2003 site server using the same account that has an issue.

            I don't have any proxy servers configured in my browser.

            -----------------

            Ok, I just tried looking up the registry key, because that seemed like the easiest and most likely suspect, and it was missing. After I added it and restarted Internet Explorer, it worked!

            Thanks again for your help! This should be put into some sort of official document; I'd be happy to type it up and post it.

            Trevor Sullivan
            Systems Engineer
            OfficeMax Corporation

            • 3. Re: Troubleshooting AMT WebUI Authentication
              sdavies

              Regarding your comment about an official document:

              If you are using Microsoft SCCM, you may like to check out the link http://communities.intel.com/message/10377

              Even if you do not use Microsoft SCCM, there is some useful stuff in there.

              Best Regards

              SDavies