Intel Communities: Message List

Common Name on VeriSign Certificate

webadmin@intel.com — Mon, 25 Jun 2012 14:38:01 GMT

Hi,

I'm in the process of purchasing an AMT provisioning certificate from VeriSign and when generating the CSR on the SCCM server which the OOB Management point is installed on, one of the field require that you enter the Common Name for the certificte. Reviewing a number of articles the common name should consist of the hostname + domain name (FQDN) which is the internal FQDN of the server.

However, when requesting a certifcate from VeriSign I'm not able to do so and VeriSign informend me that they do not provide certificates for internal domains anymore. The only solutions they've provided me with are:

1. use the hostname + public domain name for the common name and add the internal IP address of the server as a Subject Alternative Name

2. use the hostname + public domain name for the common name, however this will required that the public DNS zone is configured on your internal DNS servers and a host record created for this server.

Has anyone come across this problem and do anyone have any suggestions please. Also, unfortunately I can only use VeriSign and none of the other providers.

Any suggestions will be greatly appreciated.

Many thanks

Pierre

Re: Not able to connect over SOL using a Digest Master Password

webadmin@intel.com — Wed, 09 May 2012 10:01:35 GMT

Hi all, I'm pleased to report that this issue has been resolved in Intel AMT SDK 8.0, where you can now pass the default admin user name and calculated Digest Master Password credentials through to establish a Serial Over LAN session.

On a personal note, I'm also pleased to report that the Intel team do take issues we come accross serious and are actively improving Intel vPro and associated tool sets. As with this problem I was facing, it was esculated to the Engineering/Developers team and within a few days they resolved the issue and released a new version of the SDK.

So, thank you to the team at Intel!!

Best Regards,

Pierre

Automatically Create a Digest User and Password in AMT

webadmin@intel.com — Fri, 27 Apr 2012 14:53:58 GMT

Hi, I’m trying to create a PowerShell script to automatically create a digest user account and password in AMT and be able to add the account even if the workstation is powered down.

I’ve been testing the New-Item AMT:\Config\ACL\Digest\”Username” option as described in the following URL: http://communities.intel.com/community/openportit/vproexpert/microsoft-vpro/blog/2011/03/30/powershell-module-for-intel-vpro-technology-version-30-amtsystem-powershell-drive-provider - however, I get prompted to manually enter a password which I’m need to avoid.

The objective of what I’m trying to achieve is the following:

1. The workstation is vPro enabled using SCS and the default digest admin account and the password is set using the Digest Master Password feature in the SCS. (I cannot use TLS/Kerberos and cannot set a digest account in the profile either).

2. PROBLEM: As you cannot establish a SOL session using the default admin account and DMP (as the DMP is 44 characters in lengths and currently SOL only accepts a maximum password length of 32 character), I want to write a script in PowerShell to connect to the vPro enabled workstation and create a digest account and password automatically. – For additional information on this please refer to: http://communities.intel.com/message/152489

3. I’ll then Invoke-AMTForceBoot to establish a SOL session, and once complete, automatically delete the account again.

Below is a copy of the script I’m working on and it works fine when I manually enter the password for the created digest user when prompted (Currently in the script I’m prompting for the hostname and default admin account and DMP, however I’ll be passing these through from the extended script automatically)

# Begin flow template

Import-Module 'IntelvPro'

$hostname = read-Host ("Workstation Name")

$Cred_DMP = Get-Credential #DMP Credentials

# Add Digest User Account for SOL connection

New-PSDrive -Name AMT -PSProvider amtsystem -Root "/" -ComputerName $hostname -Credential $Cred_DMP

New-Item AMT:\Config\ACL\Digest\TestUser #Digest Username is hard coded

At this section part I get prompted to enter a password for the digest user account ‘TestUser’

Set-ItemProperty AMT:\Config\ACL\Digest\TestUser -Name Privileges -Value RC,REDIR,EVTLOG

# Connect to workstation with SOL

Invoke-AMTForceBoot -ComputerName $hostname -Port 16992 -Operation reset -Device BIOSSetup -Console SOL -SOLTerminalPath "telnet" -SOLTerminalArgList "-t ANSI 127.0.0.1 %Port" -Username TestUser -Password P@ssw0rd

Currently the username and password is both hard coded, but aiming to be able to pass this through as –Credential $SOL_CRED

# Remove Digest User Account for SOL

Start-Sleep -Seconds 40

Remove-Item AMT:\Config\ACL\Digest\TestUser

Remove-Module 'IntelvPro'

# End flow template

As mentioned before, when I run the script and manually enter the password for the created digest user ‘TestUser’ the script works as it should.

It would be create if I could get a script to create the necessary digest account and password automatically.

Regards,

Pierre

Not able to connect over SOL using a Digest Master Password

webadmin@intel.com — Wed, 28 Mar 2012 15:24:36 GMT

A bit a background to my problem:

Due to a number of reasons I can only use the SCS service and digest authentication and cannot use AD Integration or PKI and TLS for security to provision and access the workstation. Also, the workstations are pre-configured at the factory with a PSK for zero touch provisioning.

Due to these restrictions and security requirements we can only use the default digest user account, admin and no additional manually created digest accounts in the SCS profile. To satisfy security requirements further, we need to set the admin account password using the Digest Master Password (DMP)setting within SCS.

I can successfully connect to a workstation via WebUI and VNC Viewer Plus using the default account, admin and the calculated DMP. Also, I can successfully connect to the workstation using the Manageability Commander Tool using these credentials. However, when I go to the Remote Control Tab and select Take Control to connect to the workstation via SOL I get the following error: Serial-over-LAN error: IMR_RES_INVALID_PARAMETER - when I select OK the Manageability Terminal Tool window launch and the status of Serial-over-LAN is Disconnected.

Doing research I found the following extract in the Intel AMT Implementation and Reference Guide in the TCP Parameters, Redirection Sample Console GUI section:

The lengths of the user name and user password are limited by the Redirection SDK to 32 characters. If either the user name or password exceeds this limit, IMR_RES_INVALID_PARAMETER, will be returned.

The length of the digest master password is 44 characters…

I then tested SOL with the default admin account and a password I set manually which is less than 32 characters and SOL connects successfully.

Therefore, I have the following questions and am hoping that someone is able to answer my questions:

How to get SOL working with the default admin account using a Digest Master Password or is this not possible?
Is there a way to truncate the DMP to conform to the maximum password length requirements?
Is there an alternative tool or utility to connect via SOL using the digest account, admin and DMP password?
Am I able to increase the length of the password in the Redirection SDK?

Many thanks

Pierre

Re: RCS-Backup.ps1 issue

webadmin@intel.com — Wed, 14 Mar 2012 09:38:47 GMT

Hi Josh, I found some part of the solution to the problem.

If you register the RCS Service under a local or domain user account during installation and run the backup script under this account the backup is successfull. However if you register the RCS Service under the Network Service system account (most secure) you cannot do a backup.

I've trawled through the Intel Setup and configuration Service - User Guide a few times and I found the following:

On page 27 the guide tells you that you can run the RCS using a built-in Security account, extract below:

Note:
• You can also run the RCS using a built-in security account. To do this, enter “Network Service” in the Username field or click Browse to select it. If you want to use this account, see “Using the Network Service Account” on page 30.
• The user you select to run the RCS must have a password (unless it is the Network Service user account).

On page 30 it informs you that using this account is the most secure option, extract below:

The Windows operating system includes a built-in security account named “Network Security”. During installation of the RCS you can select this account to run the RCS. When the RCS runs under this account, the RCS communicates on the network using the credentials of the computer running the RCS. This can increase security because it is not easy to impersonate a computer.

To do a succesfull backup using the Network Service account it states on page 31 you need to create a task in Task Scheduler that runs under the Network Service account, extract below:

Backup User Verification
Make sure that you run the backup using the Network Service account. To do this, you can create a task in Task Scheduler that runs under the Network Service account. If you use the RCS-Backup.ps1 Powershell cmdlet, make sure that you use the -SkipUserVerification parameter.

However, to be able to schedule a task with task scheduler to run under the "NT AUTHORITY\NETWORKSERVICE" account you require Task Scheduler 2.0. see URL: http://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx - extract

/RU username

A value that specifies the user context under which the task runs. For the system account, valid values are "", "NT AUTHORITY\SYSTEM", or "SYSTEM". For Task Scheduler 2.0 tasks, "NT AUTHORITY\LOCALSERVICE", and "NT AUTHORITY\NETWORKSERVICE" are also valid values.

Task Scheduler 2.0 is only available on Windows 2008 and Windows Vista, see URL: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383614(v=vs.85).aspx - extract

The Task Scheduler requires the following operating systems.

Task Scheduler 1.0: Client requires Windows Vista, Windows XP, Windows 2000 Professional, Windows Me, or Windows 98. Server requires Windows Server 2008, Windows Server 2003 or Windows 2000 Server.
Task Scheduler 2.0: Client requires Windows Vista. Server requires Windows Server 2008.

In my environment I've installed RCS on a Windows 2003 server, therefore I'm not able to run the backup under the NT Authority\NetworkService account due to the version of Task Scheduler.

Regards,

Pierre

Re: RCS-Backup.ps1 issue

webadmin@intel.com — Mon, 12 Mar 2012 14:27:55 GMT

Hi, further to this, I've created an empty scsadmin.dat file in the directory, now I'm getting a different error:

PS D:\SOURCE\vPro\vpro powershell> .\RCS-Backup.ps1 -SkipUserVerification $True

DEBUG: RCS-Backup: backup with "D:\SOURCE\vPro\vpropowershell\Backup\prof.bak", "D:\SOURCE\vPro\vpropowershell\Backup\psk.bak" [ ]

DEBUG: RCSServer's status is Running

DEBUG: Stopping RCSServer .

DEBUG: Waiting for RCSServer to be Stopped

DEBUG: RCSServer's status is Stopped

DEBUG: RCSServer's start mode is Auto

DEBUG: RCSServer Disabled

DEBUG: DpDecrypt-File: C:\Documents and Settings\All Users\Application Data\Intel_Corporation\RCSConfServer\Profile.xml start

ConvertTo-SecureString : Key not valid for use in specified state.

At D:\SOURCE\vPro\vpro powershell\RCS-Backup.ps1:361 char:32

+ $sstr = ConvertTo-SecureString <<<< ([BitConverter]::ToString($ba) -replace ('-',''))

+ CategoryInfo : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException

+ FullyQualifiedErrorId :ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

DEBUG: DpDecrypt-Bytes: could not be decrypted.Exception:Value cannot be null.

Parameter name: s

DEBUG: Exception caught:21

DEBUG: RCSServer's start mode is Disabled

DEBUG: RCSServer Auto

DEBUG: Restarting RCSServer

I also get the above error when #blocked out any references to scsadmin.dat file.

Regards,

Pierre

RCS-Backup.ps1 issue

webadmin@intel.com — Mon, 12 Mar 2012 12:17:26 GMT

Hi, I’m having the following problem:

When I try and do a backup using the RCS-Backup.ps1 PowerShell script included in the SCS 7.1 download the backup fails.

After turning on debugging in the script I identified the following error:

C:\Documents and Settings\All Users\Application Data\Intel_Corporation\RCSConfServer\scsadmin.dat Does not exist (or permissions problem).

This refers to the following file: scsadmin.dat — Contains a record for each system configured using Intel SCS 5.x/6.x and the password of its default Digest admin user. This file only exists if the admin passwords were migrated from Intel SCS 5.x/6.x.

I do not have this file in the RCSConfServer directory as I did not do an upgrade/migrate from an earlier versions, I did a clean install of V7.1.

The syntax I’m using is as follows:

.\RCS-Backup.ps1 -Operation Backup -Password "********" -Profiles "D:\SOURCE\vPro\vpro powershell\Backup\profiles.bak" -PSK "D:\SOURCE\vPro\vpro powershell\Backup\PSK.bak" -Cred "D:\SOURCE\vPro\vpro powershell\Backup\cred.bak" -DMP "D:\SOURCE\vPro\vpro powershell\Backup\dmp.bak" -SkipUserVerification $True

However, if I remove the –cred parameter I still get the same error.

Any assistance will be greatly appreciated.

Many thanks

Pierre