Kerberos Authentication Failure

If integration with Active Directory (AD) is enabled, during configuration Intel SCS creates an AD object for the Intel AMT device. The values of the Service Principal Name (SPN) attribute in this object are used in Kerberos tickets during AD authentication.

If the AD forest contains more than one object representing the same Intel AMT device, the Kerberos authentication will fail. This is because identical SPN values exist for different objects. The AD does not know which SPN to use, and thus an error occurs.

Multiple objects can be created during reconfiguration when you change the AD Organizational Unit (ADOU) defined in the profile (see Defining Active Directory Integration). If you do not use the /ADOU flag in the CLI, Intel SCS does not know the location of the old object and thus cannot delete it.

Solution:

Make sure that the AD forest contains only one AD object for each Intel AMT device.

If not:

  1. Manually delete the object from the old ADOU.
  2. Wait approximately 15 minutes, or manually purge the Kerberos tickets. (You can use the Klist.exe application to purge the tickets.)
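The check in the solution above can be scripted. The following read-only PowerShell is an added example, not part of Intel SCS or its documentation: it searches the forest for SPN values that appear on more than one AD object, so that the stale object in the old ADOU can be identified before you delete it manually. It assumes the RSAT ActiveDirectory module is installed and that the device's SPNs contain its host name; `$DeviceName` and its value are constructed placeholders.

```powershell
# Added example: list AD objects in the forest that share an SPN.
# Read-only; it deletes nothing. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed sample value: part of the Intel AMT device's host name.
$DeviceName = 'amt-host01'

# Locate a global catalog and query it on port 3268 so the whole forest is searched.
$gcHost = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
    Select-Object -First 1

# An empty SearchBase against a GC port searches all partitions.
$objects = Get-ADObject -Server "${gcHost}:3268" -SearchBase '' `
    -LDAPFilter "(servicePrincipalName=*$DeviceName*)" `
    -Properties servicePrincipalName, whenCreated

# One row per (SPN, object); keep only SPNs held by more than one object.
# Group-Object compares case-insensitively, which matches SPN semantics.
$duplicates = $objects | ForEach-Object {
    $obj = $_
    foreach ($spn in $obj.servicePrincipalName) {
        [pscustomobject]@{
            SPN     = $spn
            DN      = $obj.DistinguishedName
            Created = $obj.whenCreated
        }
    }
} | Group-Object -Property SPN | Where-Object Count -gt 1

if (-not $duplicates) {
    "No duplicate SPNs found for '$DeviceName'."
}
foreach ($group in $duplicates) {
    "Duplicate SPN: $($group.Name)"
    # Oldest first: the object left behind in the old ADOU is normally the earlier one.
    $group.Group | Sort-Object Created | Format-Table DN, Created -AutoSize | Out-String
}

# After the stale object has been deleted manually, purge cached tickets in the
# logon session that authenticates to the device instead of waiting:
#   klist purge
```

The built-in `setspn -X -F` command performs a similar forest-wide duplicate SPN check without the ActiveDirectory module.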