Intel,Altiris Group

Part 3: Configuring AD Integration and Kerberos Authentication for Intel vPro Technology 

Dec 15, 2009 12:26 PM

Updating the Connection Profile for Kerberos Authentication

Once Intel AMT systems are configured with Kerberos authentication enabled, whether or not that configuration was performed by the Altiris environment, the Connection Profile must be updated so that console communications to those systems authenticate as the logged-on domain user.

The Connection Profile defines which credentials are used for each enabled protocol. To access and adjust the Connection Profile, from the main Symantec Management Console select Settings > All Settings. In the Settings tree, expand Monitoring and Alerting > Credential Settings. As shown below, select Credentials Management and a list of the existing credentials is displayed. Kerberos authentication to Kerberos-configured Intel AMT systems requires the Runtime AMT credentials, which come pre-configured with the Out-of-Band Management installation.

[Figure: Credentials Management view in the Symantec Management Console (PPA-Cred-Mgmt.gif)]

With the credentials in place, the connection profile must be updated to designate what protocols and associated credentials will be utilized. Expand Protocol Management > Connection Profiles as shown on the left side.

Under Manage Connection Profiles, select and edit the desired connection profile. In the example shown below, the Default Connection Profile is being changed so that the AMT protocol uses Runtime Credentials. Runtime Credentials authenticate to the target client system with the logged-on user's domain account. Thus, per the settings in the previous section, only logged-on users who are members of the Domain Administrators group will be allowed to access Intel AMT systems.

[Figure: Default Connection Profile with the AMT protocol set to Runtime Credentials (AD-PPA-runtime-cred.gif)]

With the Connection Profile settings in place, Real-Time System Manager is ready for use. All 1-to-1 operational usage models related to Intel AMT and out-of-band management are supported.

A second connection profile might be preferred for the 1-to-many operational usage models defined by the TaskServer. A TaskServer job requires a defined connection profile and is meant to run at a scheduled time, when no console user is logged on to supply Kerberos credentials. Thus, for 1-to-many operational usages, a connection profile with a defined Intel AMT service account may be best, or a Kerberos account can be used based on the Altiris AppID.

Further customizations can be defined on what console users are allowed to utilize specific connection profiles. In such situations, true role based security would be in effect on both the Altiris 7 console and the connections to target systems.

As a side comment to the previous paragraphs, it may be of interest for interoperability to note how Microsoft SCCM handles authentication to Intel AMT. The introduction of this series referenced Microsoft SCCM as requiring Kerberos and TLS. This is true for its Out-of-Band Console. However, the Intel AMT admin password is randomized per system and stored encrypted in the SCCM database. For 1-to-many operations, such as a Microsoft SCCM Advertisement to wake up systems, the service account uses the Intel AMT admin account with digest authentication, and TLS for encryption. A similar model could be built with the Altiris 7 environment. However, if the Intel AMT admin password is randomized per system and the list of passwords is known to only one solution, interoperability will be difficult in this model. For this reason, if both Microsoft SCCM and Altiris 7 will exist in the same environment, both will be used to interact with Intel AMT systems, and Microsoft SCCM advertisements will be used for 1-to-many operations, it may be best for Microsoft SCCM to own the configuration of Intel AMT, with both management solutions authenticating via Kerberos for 1-to-1 operations.

The next section explores the AMT object created by Active Directory Integration. That understanding, together with the previous sections, will provide valuable insight for the final section on troubleshooting AD integration.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries
