Hi everyone,
I am trying to connect to an AMT machine that is provisioned with Kerberos authentication (no TLS at this point), using the HLAPI. The connection is done from a machine that is not in the same domain as the users defined for Kerberos authentication.
The connection to the machine works fine:
amt = AMTInstanceFactory.CreateEX(ci);
After I connect, I need to get the realms of the user. If I attempt:
KerberosEntry kerberosUser = amt.Config.ACL.GetKerberosUser(ci.UserName);
List<Realm> realms = kerberosUser.Realms;
it fails with the exception: Intel.Manageability.Exceptions.ACLFailures.UserNameDoesNotExists
This probably makes sense, since the HLAPI GetKerberosUser() function uses the system functions to get the SID of the given username:
string sid = (userNameOrSID.Contains("\\")) ? GetUserNameSID(userNameOrSID) : userNameOrSID;
and GetUserNameSID tries:
NTAccount account = new NTAccount(userName);
SecurityIdentifier sIdentifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
It cannot translate the username to an SID because the object does not exist in the Active Directory this machine is part of.
My question is: can the SID of the user that was used for Kerberos authentication somehow be obtained from the AMT machine (AMT instance), instead of trying to resolve it locally on the machine where the connection is initiated?
If I could run the GetKerberosUser function giving directly the SID as parameter, instead of username, it would probably succeed and get the realms correctly.
Any advice would be greatly appreciated. Thanks in advance.
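As an added example (not code from the post or from the Intel HLAPI), the helper below reproduces the HLAPI's username-vs-SID branching described above, but makes the cross-domain failure explicit: an account the connecting machine cannot translate returns null instead of surfacing later as UserNameDoesNotExists, so the caller can supply a SID obtained from the account's own domain and pass it straight to GetKerberosUser, which treats a backslash-free string as a SID. It goes slightly beyond the post by also accepting UPN-style names (user@domain) as account names; the `dynamic amt` parameter and `fallbackSid` are assumptions because the post does not name the instance type.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class KerberosSidResolver
{
    // Returns a canonical SID string ("S-1-5-21-...") for a SID, a DOMAIN\user
    // name or a user@domain UPN. Returns null when this machine's domain (and the
    // domains it trusts) cannot translate the account, the situation in the post.
    public static string ResolveToSid(string userNameOrSid)
    {
        if (string.IsNullOrWhiteSpace(userNameOrSid))
            throw new ArgumentException("empty principal", nameof(userNameOrSid));

        bool looksLikeAccount = userNameOrSid.Contains("\\") || userNameOrSid.Contains("@");
        if (!looksLikeAccount)
        {
            // Same rule as the HLAPI: no backslash means the caller passed a SID.
            // Validate its syntax here so a typo is rejected before reaching the ACL.
            try { return new SecurityIdentifier(userNameOrSid).Value; }
            catch (ArgumentException)
            {
                throw new ArgumentException("neither an account name nor a SID: " + userNameOrSid);
            }
        }

        // The lookup the HLAPI's GetUserNameSID performs (NTAccount -> SID).
        // It only consults domains trusted by *this* machine.
        try
        {
            var account = new NTAccount(userNameOrSid);
            return ((SecurityIdentifier)account.Translate(typeof(SecurityIdentifier))).Value;
        }
        catch (IdentityNotMappedException)
        {
            return null; // account exists elsewhere but is unresolvable from here
        }
    }

    // Usage against the HLAPI objects from the post. 'amt' is the instance returned
    // by AMTInstanceFactory.CreateEX (typed dynamic here as an assumption);
    // 'fallbackSid' is the SID obtained out of band from the account's own domain.
    public static List<Realm> GetRealmsForUser(dynamic amt, string userName, string fallbackSid)
    {
        string sid = ResolveToSid(userName) ?? fallbackSid;
        if (sid == null)
            throw new InvalidOperationException("cannot resolve " + userName + " to a SID locally; supply its SID");
        KerberosEntry kerberosUser = amt.Config.ACL.GetKerberosUser(sid);
        return kerberosUser.Realms;
    }
}
```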