Home > Intel Communities > Open Port IT Community > Intel® vPro™ Expert Center > Microsoft Manageability > Blog > 2008 > August > 19
Up to Blog Posts in Microsoft Manageability
Previous Next

Microsoft Manageability

Currently Being Moderated
Matt Royer
10

Intel WS-MAN Translator 1.0 released

Posted by Matt Royer on Aug 19, 2008 5:15:16 PM

As explained in the SCCM SP1 & WS-MAN Translator: How vPro firmware versions less than 3.2.1 are supported blog, The Intel WS-MAN Translator is crucial component to providing support for vPro Client with firmware versions less than 3.2.1 with Microsoft System Center Configuration Manager.

 

Intel has just posted the production release of the Intel WS-MAN Translator 1.0 and is available for download at the following location: http://softwarecommunity.intel.com/articles/eng/3840.htm. At that location you will find the install binaries and documentation on how to install the translator. However, here is a high level overview of how to install and configure the Intel WS-MAN Translator.

 

Pre-installation Steps

 

Generate a Certificate Request on SCCM Server for Intel WS-MAN Translator

 

  1. On the SCCM Server, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS)

  2. Expand Web Sites and Right Click on Default Web Site and select Properties
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1723/GenerateCert1.JPG!*

  3. In the Default Web Site Properties windows Select the Directory Security Tab. In the Secure Communications section, click the Server Certificate button
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1724/GenerateCert2.JPG!

  4. This will launch the Web Server Certificate Wizard. Click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1725/GenerateCert3.JPG!*

  5. In the IIS Certificate Wizard Window, select Create a new certificate . Click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1726/GenerateCert4.JPG!*

  6. Select Send the request immediately to an online certification authority. Click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1727/GenerateCert5.JPG!

  7. Enter a Name for the certificate: WS-MAN Translator Server Certificate. Click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1728/GenerateCert6.JPG!

  8. Enter Organization Information (Organization and Organizational Unit) and Click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1729/GenerateCert7.JPG!*

  9. Enter the Common name: This is the FQDN of your server you are installing the Intel WS-MAN Translator on and should be the same as the FQDN of your SCCM Server. Click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1730/GenerateCert8.JPG!

  10. Enter in your Geographical Information. Click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1731/GenerateCert9.JPG!

  11. Enter 443 for the SSL Port for this web site. Click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1732/GenerateCert10.JPG!

  12. In the Choose a Certification Authority Window, select your issuing Certificate Authority. Click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1733/GenerateCert11.JPG!*

  13. Confirm your request and click Next
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1734/GenerateCert12.JPG!

  14. Once Wizard is complete, click Finished
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1735/GenerateCert13.JPG!*

 

Modifying Windows Remote Management (WinRM) to support Basic Authentication

 

  1. On the SCCM Server, open a command prompt and run the following command: winrm set winrm/config/client/auth @{Basic="true"} (command line is case sensitive)
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1716/WINRM1.JPG!

  2. You should see Basic = True returned

 

Set Delegation for the SCCM Server

 

  1. On your Domain Infrastructure Image, Click Start > All Programs > Administrator Tools > Active Directory Users and Computers > vprodemo.com > Computers. Right Click on SCCM Server and select Properties.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11434-1782/Computer.JPG!

  2. Check the box Trust Computer for Delegation and click OK
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11434-1781/delegation.JPG!*
    Note: If you do not allow this, you will need to setup the WS-MAN Translator (during configuration steps) run time account with a user that has permission to the AMT client. At that point the credentials configured in the run time account are used to manage the client for Kerberos authentication.

 

 

 

 

Installing the Intel WS-MAN Translator

 

 

 

 

  1. On the SCCM Server, run the Intel WS-MAN Translator Setup

  2. In the Intel WS-Management Translator setup window, click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1736/Install1.JPG!*

  3. In the Intel WS-Management Translator setup window, click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1737/Install2.JPG!*

  4. During the installation, keep all of the Default settings until installation wizard is complete and install has finished.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1738/Install3.JPG!
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1740/Install5.JPG!

 

Configuring the Intel WS-MAN Translator

 

  1. Click Start > All Programs > Intel WS-Management Translator > wtranscfg.exe to configure the Translator

  2. In the WS-Translator Configuration Wizard Window, Set common setup accounts & Set TLS/forwarding options. Click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1718/ConfigTrans1.JPG!*

  3. In the Set initial setup password window, enter the password you configured within SCCM Out of Band Management Properties > Provisioning setting Section > MEBx Account. Click Next
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1719/ConfigTrans2.JPG!*

  4. In the Set Common Pre-Shared Key window, should select a more random and secure PID and PPS for security reasons. Click Next.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1720/ConfigTrans3.JPG!

  5. In the Import Common Setup Certificate, Click Browse and select the Same Certificate you used in SCCM Out of Band Management Properties > Certificates Section > Provisioning Certificate. Click Next.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1721/ConfigTrans4.JPG!

  6. In the Select TLS/forwarding options windows, select (default Options): Listening Port: 443 & Forwarding Port: 16993. For the Server Certificate: select the WS-Man Translator certificate created in previous step. Click Finished. Click OK to Restart the Translator Service.
    !http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1722/ConfigTrans5.JPG!

 

Configuring SCCM SP1 to use the Intel WS-MAN Translator

 

  1. Within System Center Configuration Manager Out of Band Management Properties > Provisioning setting Section > AMT Settings. Check the option for Enable support for Intel WS-MAN Translator. Once selected, click Apply.
    *!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1717/ConfigSCCM1.JPG!*

 

--Matt Royer

Tags: ws-man_translator, sccm_sp1, sccm, amt, vpro, matt_royer


Add a comment Leave a comment on this blog post.
Sep 2, 2008 11:28 AM William Gregoire William Gregoire    says:

Thanks for instructions!

 

I get an error when after inserting the password for the PFX file:

 

" the given key was not present in the dictionary "

 

The setup let´s me go ahead and finish the wizard...but I having connections issues with the SELFSIGNEDFIX.VBS script (used to solve the selfsigned certificate issue with SCCM SP1) and wonder is this could be the problem.

 

BTW, I also can´t access the website manually https://mysccmserver/wstrans/...

I can´t find it on IIS...
Reply
Sep 2, 2008 9:42 PM Matt Royer Matt Royer    says in response to William Gregoire:

In regards to the key, make sure when you export the certificate that you also export with the private key.

 

In terms of not being able to access https://mysccmserver/wstrans/...

1) I'm assuming you requested a web certificate to secure the site and configured the Intel WS-MAN Translator to use that certificate?

2) Are connecting to the website using the Full Qualified Domain Name (mysccmserver.domain.tld)?

3) The Intel WS-MAN Translator Service is running?

 

--Matt Royer
Reply
Sep 3, 2008 9:49 AM William Gregoire William Gregoire    says in response to Matt Royer:

Thanks for your help.

 

Yes, I´m exporting our Verisign certificate with Private key

 

I tried creating new PID/PPS keys with the USBUTILITY (skd), I didn´t do that before, but that doesn´t make any difference.

 

For the access to the HTTS://mysccmserver/wstrans/... I can browse the site

1)Yes, the website is using the cert I requested to my MS Enterpise CA (W2K8 BTW)

2)Yes, I´m using the FQDN of my SCCM server

3)Yes, the WS-Manager Translator service is started on the SCCM Server

 

I need help, these I need to provision many machines before two days...and only by Unprovisioning the machine on the BIOS I´m able to later provision them.
Reply
Sep 20, 2008 5:13 PM William York William York    says in response to William Gregoire:

I'm getting the same error. Any resolution to this problem that you found?
Reply
Sep 21, 2008 3:14 PM William Gregoire William Gregoire    says in response to William York:

No, this is still an open issue for me.

 

Regading the problem "the given key was not present in the dictionary" I was told o to use the option to export the certificate with the root keys, at the time to make the PFX file. I have had the chance to try it yet (since I´m away from the project). Would you try that and tell?
Reply
Sep 30, 2008 8:24 PM Matt Royer Matt Royer    says in response to William Gregoire:

The "the given key was not present in the dictionary" error when configuring the Intel WS-MAN Translator is usually related to the private key not being in the exported certificate. When you export the certificate, you need to ensure that you export the private key and also include the certificate chain.

 

--Matt Royer
Reply
Oct 1, 2008 2:46 AM William Gregoire William Gregoire    says in response to Matt Royer:

Thanks, that worked!
Reply
Oct 1, 2008 2:48 AM William Gregoire William Gregoire    says in response to William Gregoire:

I mean, the key is now correctly imported without error message, but selfsignedfix.vbs still does not connect.
Reply
Oct 8, 2008 3:41 PM Sandy Wood Sandy Wood    says:

Step 6 (in Configuring the WS-MAN Translator) says to "...select the WS-Man Translator certificate created in previous step" - I did this and got this message:

 

"An attempt was made to load a program with an incorrect format. (Exception from HRESULT: 0x8007000B)" after clicking finish on Select TLS/forwarding options

 

I can click OK and it will prompt me to restart the translator service. Can I assume everything is ok or is there a test to see if the service is correctly configured?
Reply
Oct 13, 2008 11:33 PM Matt Royer Matt Royer    says in response to Sandy Wood:

That was indeed odd. If you go to https://FQDN_OF_SCCM_SERVER/wstrans does the Intel WS-MAN Translator page load? That certificate is used to secure communicate to the WS-MAN Translator Web Service.

 

--Matt Royer
Reply

Actions

Popular Blog Posts

Incoming Links