Intel,Altiris Group

Part 2: Configuring AD Integration and Kerberos Authentication for Intel vPro Technology 

Dec 14, 2009 05:16 PM

How to Enable Active Directory Integration

This section provides step-by-step instructions for enabling Active Directory integration and its related settings within the Altiris 7 environment. The reader should already be familiar with configuring Intel AMT in an Altiris 7 environment using Digest authentication. Altiris 7 environments include both Symantec Management Platform and Dell Client Management 3.0.

Four focus points will be explored in this section:

  • Delegating Rights and Permissions to Manage AMT Objects
  • Out-of-Band Management Configuration Service Settings
  • Defining the Kerberos groups and users in the provision profile
  • Clock synchronization maintenance task

Delegating Rights and Permissions to Manage AMT Objects

When Active Directory integration is enabled, the AMTconfig service account will be creating, updating, and deleting Intel AMT computer objects in a defined Active Directory Organizational Unit. Therefore, the account must have sufficient privileges to perform these actions.

The following screen shows that the example AMTconfig service logon account is scsserviceacct@vprodemo.com. The default installation setting for the AMTconfig logon account is often the Altiris service AppID. The AMTconfig service will be granted privileges on specific Active Directory objects, and therefore must run as a privileged domain account. Knowing which logon account is in use is important to a successful implementation.

AD-amtconfig-serviceaccount.gif

The AMT objects will be created in a defined Organization Unit (OU) within Active Directory. This OU must be defined by the Active Directory administrator.

The AMTconfig service account will be delegated control to manage the objects in the defined AMT_OU. As shown in the following screen, right click on the AMT_OU and select Delegate Control.

AD-delegate-control.gif

The Delegation of Control Wizard will open. Add in the AMTconfig service account, as shown in the following screen with the example SCSserviceacct already added.

AD-delegate-control-2.gif

Click Next, and the following screen will appear to define what object types will be referenced. Select Computer Objects.

Note: If using Active Directory with Schema Extensions from a previous Altiris 6 Out-of-Band Management deployment, an additional option will be shown for Intel Management Engine objects. If using standard Active Directory integration, which does not require schema extensions, then select Computer objects. The preference is Computer objects and standard Active Directory integration.

Select the options to Create and Delete selected objects in this folder as shown above, and click Next. On the Permissions screen, select Full Control. This will allow the AMTconfig service account to manage the AMT objects that will appear in the AMT_OU.

Click Next to complete the Delegation of Control Wizard. The necessary Active Directory permissions are now in place for the AMTconfig service account.
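As a check after the wizard finishes, the following PowerShell lists the access control entries the AMTconfig service account holds on the AMT_OU so the delegated rights can be reviewed against what was intended. This is an added example, not part of the original article; it assumes the ActiveDirectory module is installed, and the distinguished name OU=AMT_OU,DC=vprodemo,DC=com and account name VPRODEMO\scsserviceacct are assumed values based on the article's example domain.

```powershell
# Added example: review the ACEs delegated to the AMTconfig service account
# on the AMT_OU. Assumes the ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

$ouDn       = 'OU=AMT_OU,DC=vprodemo,DC=com'   # assumed DN of the AMT_OU
$svcAccount = 'VPRODEMO\scsserviceacct'         # assumed AMTconfig logon account

# schemaIDGUID of the Computer object class (fixed, well-known value in AD)
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDn"

# Keep only the ACEs that name the service account as the trustee
$svcAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $svcAccount
}

if (-not $svcAces) {
    Write-Warning "No ACEs for $svcAccount on $ouDn - delegation may be missing"
    return
}

foreach ($ace in $svcAces) {
    # The wizard's "Create/Delete selected objects" choice appears as
    # CreateChild/DeleteChild with ObjectType = Computer class GUID.
    # "Full Control" on those objects appears as GenericAll with
    # InheritedObjectType = Computer class GUID.
    if ($ace.ObjectType -eq $computerClassGuid) {
        $scope = 'create/delete: Computer objects only'
    } elseif ($ace.InheritedObjectType -eq $computerClassGuid) {
        $scope = 'applies to: Computer objects only'
    } elseif ($ace.ObjectType -eq [guid]::Empty -and
              $ace.InheritedObjectType -eq [guid]::Empty) {
        $scope = 'applies to: ALL object types (broader than intended)'
    } else {
        $scope = "object type GUID $($ace.ObjectType)"
    }
    [pscustomobject]@{
        Rights      = $ace.ActiveDirectoryRights
        Type        = $ace.AccessControlType
        Inheritance = $ace.InheritanceType
        Scope       = $scope
        IsInherited = $ace.IsInherited
    }
}
```

Any ACE reported as applying to all object types, or any right beyond CreateChild, DeleteChild and GenericAll on Computer objects, indicates the delegation is broader than the wizard steps above should produce.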

Out-of-Band Management Configuration Service Settings

Within the Configuration Service Settings for Altiris 7 Out-of-Band Management, select the General menu item. With the latest update for the Out-of-Band Management module, select Active Directory Integration and specify the target Active Directory OU where the AMT objects will be stored. In the example below, the AMT objects will be stored in AMT_OU. Click apply to save the settings.

AD-integrate.gif

Note: In pre-SP1 Altiris 7 environments or if using the Intel SCS console, three options for Active Directory may appear. These include None, Schema Extension, and Standard. The preferred mode of Active Directory integration is Standard when using Intel SCS 5.x or higher. The Schema Extension selection is provided for backwards compatibility to Intel SCS 3.x environments where Active Directory integration was enabled and utilized. The image above uses the latest available interface of the General service setting, thus only one option is shown in the interface: whether or not Active Directory integration should be enabled.

Defining the Kerberos groups and users in the provision profile

The next setting change, and the core purpose of using Kerberos, is to specify which Active Directory groups and users will be granted access to the Intel AMT functionality. Once Active Directory Integration is enabled, there are two types of access control list (ACL) entries: Kerberos and Digest. The distinction is that a Kerberos entry is associated with an Active Directory SID identifying a user or group of users, whereas a Digest entry requires a separate user name and password to be defined, and that entry is stored in the Intel AMT firmware. The default Digest user, namely the Intel AMT admin account as defined on the General tab of the configuration profile, will remain intact. ACL entries in the configuration profile must be either all Kerberos or all Digest. Mixed authentication types in the ACL settings will not be accepted, thus once Active Directory integration is enabled, only Kerberos users can be defined.

To add a Kerberos entry, select Configuration Profiles, edit or create the desired profile, and specify which Active Directory group or user will be granted permissions. As shown in the following screen, the Administrators group will be granted full access to Intel AMT features. Additional groups or users can be added; it is best to manage access control by groups, which minimizes access control changes within every Intel AMT device.

AD-acl-define.gif

Once the configuration profile is updated, the Resource Synchronization should reflect the settings to be applied at each configuration event. As shown in the screen below, the profile assignment settings indicate the target domain, profile name, and target Active Directory Organization Unit for the Intel AMT computer objects.

AD-resource-sync.gif

Initiate an Intel AMT provisioning event to configure a target system. If the General settings have logging set to Verbose Detailed, an entry similar to below will indicate that the AMTconfig service account created the AMT object within the AMT_OU as defined above.

AD-creating-obj-log-entry.gif

The Intel AMT firmware is now configured, and an Active Directory AMT object has been created in the defined OU.

Clock Synchronization Maintenance Task

The nature of Kerberos authentication involves a time synchronization component to prevent replay attacks. Within the Configuration Profile, under the General tab, the max clock tolerance default setting is 5 minutes. This applies to the allowed difference in system time between the requesting service and the Intel AMT device. To ensure the Intel AMT clock is synchronized, the following maintenance setting can be enabled and adjusted.

AD-clock-sync.gif

The value of this setting will be used by the AMTconfig service to schedule when it attempts to contact the client system and synchronize clocks. Thus, if 5 systems were configured on the first day of the month, then on the eighth day of the month the AMTconfig service will attempt to contact those 5 systems for clock synchronization, based on the FQDN or hostname recorded at the time of configuration. This information is stored in the IntelAMT database. If another 3 systems were configured on the second day of the month, the AMTconfig service will attempt clock synchronization for them on the ninth day of the month, and so forth. If the AMTconfig logs start to show a number of errors or the database grows rapidly, refer to the information provided here: Handling Large IntelAMT Databases.

At this point, Kerberos authentication can occur. However, the Altiris 7 Connection Profile must be updated to utilize Runtime AMT credentials. The next section will address what changes are needed.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

Part 1: Configuring AD Integration and Kerberos Authentication for Intel vPro Technology

Part 3: Configuring AD Integration and Kerberos Authentication for Intel vPro Technology
