Kerberos Ticket Size can stop you from connecting to vPro Systems and using IDER/SoL.

vPro AMT can leverage Kerberos authentication to allow management from your management console to the AMT firmware. Depending on your management console of choice (e.g. SCCM, Altiris, SMS) you may be using either Kerberos or digest authentication. If you are using a management console like SCCM that only uses Kerberos authentication, there are a few things you should be aware of in case you are having problems managing your vPro systems. If you are interested in knowing more about Kerberos authentication and AMT, you can refer to this previous posting in vPro Expert Center around an Altiris environment:

In AMT (versions 2.x, 3.x, 4.x, and 5.x) there is a Kerberos ticket size limit that varies among versions of AMT (see graph 1 below for the specifics of each firmware version). With respect to Kerberos authentication, AMT has different limits for HTTP connections and Serial-Over-LAN (SoL).

The Intel® vPro firmware supports Kerberos service tickets that are 4K or smaller for HTTP connections (authenticating the management console to AMT). This 4K limit is specific to making an authenticated connection via Kerberos. IDER/SoL capabilities have a smaller Kerberos ticket size limit of 3K. These 4K and 3K limits are measured as Base64-encoded values. The ticket size for a given Kerberos account varies with factors such as the account's group memberships in the domain.

Therefore it is important to know the size of the ticket created when an account logs on to the management console. If an account logging in to the management console exceeds these limits when it tries to connect to AMT, the connection to AMT or the attempt to invoke IDER/SoL may fail.

If you are experiencing issues with connecting or using IDER/SoL, you can download a free Microsoft utility (Link to Utility) to validate the size of the Kerberos token for an account. The output from this utility reports the size of the token as a binary value (bytes). You will need to convert this binary size to its Base64 length to determine whether the account being used exceeds these thresholds - [Algorithm for Base64 to binary: (base64 length/4)*3; inverting it, the Base64 length is roughly (binary size/3)*4].

Here is an example of the output from this utility for a logged-in user:

C:\Tools\Kerberos>tokensz.exe /compute_tokensize | findstr -i complete

This is the output -> MaxToken (complete context)  2337

You will notice that this binary value of 2337 exceeds the IDER/SoL limit of several versions of AMT once converted to Base64. In this example, the account's ticket would need to be reduced (e.g. by removing the account from a number of domain groups) to decrease the Kerberos ticket size in order to use IDER/SoL.
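The size check described above, as an added example that is not part of the original post: it parses the tokensz "complete context" line shown earlier, converts the binary size to its Base64 length and compares it against the 4K (HTTP) and 3K (IDER/SoL) limits. It assumes "K" means 1024 characters; the post does not say whether 4000/3000 or 4096/3072 is meant.

```python
import math
import re

# Limits from the post, measured as Base64-encoded length.
# Assumption: "4K" and "3K" mean 4096 and 3072 characters. If the firmware
# uses the decimal reading (4000/3000), change these two constants.
HTTP_LIMIT_B64 = 4 * 1024
IDER_SOL_LIMIT_B64 = 3 * 1024

# Constructed sample of the tokensz.exe output after filtering with findstr,
# matching the line shown in the post.
SAMPLE_TOKENSZ_OUTPUT = "MaxToken (complete context)  2337\n"


def parse_max_token(output: str) -> int:
    """Extract the binary token size in bytes from the 'complete context' line."""
    m = re.search(r"MaxToken \(complete context\)\s+(\d+)", output)
    if not m:
        raise ValueError("no 'MaxToken (complete context)' line found in output")
    return int(m.group(1))


def base64_length(binary_bytes: int) -> int:
    """Base64 turns every 3 input bytes into 4 characters; a partial final
    group is padded out to a full 4 characters."""
    return math.ceil(binary_bytes / 3) * 4


def check_limits(binary_bytes: int) -> dict:
    """Compare the Base64 size of a token against the AMT HTTP and IDER/SoL limits."""
    b64 = base64_length(binary_bytes)
    return {
        "binary_bytes": binary_bytes,
        "base64_chars": b64,
        "http_ok": b64 <= HTTP_LIMIT_B64,
        "ider_sol_ok": b64 <= IDER_SOL_LIMIT_B64,
    }


if __name__ == "__main__":
    size = parse_max_token(SAMPLE_TOKENSZ_OUTPUT)
    print(check_limits(size))
```

For the 2337-byte token from the post this reports a Base64 length of 3116, which is under the HTTP limit but over the IDER/SoL limit.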

Here is a video showing different examples of an account with various Kerberos token sizes and the different behaviors seen on an AMT 4.0 system [Link to Video - WMV format].

Also, I would appreciate hearing from the entire community on what size Kerberos tokens your support group has that would be utilizing SCCM to manage vPro systems. Would these current size restrictions cause issues for your support teams? Thanks in advance for the "real-world" feedback.

[Graph 1 (image): Kerberos Token Size Limits.jpg]