6 Replies Latest reply on May 13, 2016 1:34 AM by Steve01

    Intel AMT Web Access Authentication

    Steve01

      Hi Guys,

       

      I am in the process of configuring Intel AMT through Intel SCS on the following systems:

       

      Dell OptiPlex7040

      BIOS Version 1.2.8

      Intel AMT Version 11.0.0

       

      I have pushed out a profile configuring the Intel MEBX password, AD Integration with a number of Kerberos accounts, as well as a TLS certificate.

       

      I can KVM to the workstation using KVMView or Real VNC; however, I have an issue that I have so far been unable to get to the bottom of.

       

      The problem is I cannot authenticate to the web interface (https://machinename:16993). I also cannot discover the AMT system properly in SCCM (Status stays as "Detected" where I would expect this to change to "Externally Provisioned"). I believe this is also due to the fact that authentication is failing to the above address due to what I can see in SCCM's amtopmgr.log.

       

      I have tried the following things:

       

      1. Using Kerberos accounts (AMT Clock is in Sync)

      2. Using Digest account

      3. Trying a very simple password

      4. Trying different web browsers (Chrome and IE)

      5. Un-provisioning / Re-provisioning AMT

      6. Confirming TLS certificate properties including chain etc. are OK.

      7. Resetting AMT to factory

       

      Nothing I seem to do will pass the web authentication.

       

      I would appreciate it if anyone could offer any advice.

       

      Thanks in advance,

       

      Steve

        • 1. Re: Intel AMT Web Access Authentication
          Steve01

          Ok I was able to work it out myself in the end.

           

          For those playing at home I had to disable Integrated Windows Authentication in IE settings. This allowed me to login using the admin digest account.

           

          I am still yet to figure out how to get the AMT status to change to Externally Provisioned but will update this thread when I do in case it helps anyone else out.

          • 2. Re: Intel AMT Web Access Authentication
            asilverman

            Hi Steve01,

             

            This is great news that you were able to isolate the web interface problem. Can you please give me some details on your SCCM version?

             

            Also, you may want to consider running the platform discovery task sequence on all of your AMT platforms before and after configuration; this will update the hardware inventory classes in your SCCM instance and hopefully populate your collections accordingly.

            • 3. Re: Intel AMT Web Access Authentication
              Steve01

              Hi Asilverman,

               

              SCCM Version is SCCM 2012 R2 SP1

               

              We are not using the full Intel SCS Addon. We have kept things fairly simple in that regard by just using the Configurator to send a hello packet to the Intel RCS which executes a PowerShell script to provision the appropriate Intel SCS Profile to the workstation.

               

              I have configured the Out-of-Band component in SCCM to have the correct Admin password for discovery purposes.

               

              My main issue now is with Kerberos authentication. I have successfully pushed the profile to the Workstation and most things are working as expected with my Active Directory account. I can KVM (only if my AD account is directly on the chip and not in a nested group) and connect using the Manageability Command Tool or the Intel vPro Platform Solution Manager.

               

              Unfortunately I cannot connect to the AMT Web Interface with Kerberos using any AD account. I believe this is also stopping the appropriate OOB discovery through SCCM.

              • 4. Re: Intel AMT Web Access Authentication
                asilverman

                Hi Steve,

                 

                Please open a biz-support ticket through this website and we will get to the bottom of this issue. The website for opening a ticket is here: https://bizsupport.intel.com

                • 6. Re: Intel AMT Web Access Authentication
                  Steve01

                  I never heard from biz-support so I am adding my findings here:

                   

                  I discovered through a network trace that the port was not being sent with the SPN as per https://support.microsoft.com/en-us/kb/908209 even though I had configured the registry keys and rebooted.

                   

                  Results: (NOTE: Above registry keys were present on all systems)

                   

                  Remote server (Hosting Intel RCS) - Windows Server 2012 (non R2) with IE 10 - Web authentication using Kerberos unsuccessful (Trace shows port not sent despite registry keys being present)

                  Remote server - Windows Server 2012 R2 with IE 11 - Web authentication using Kerberos successful

                  Local workstation (connecting to local AMT chip) - Windows 10 with IE 11 - Web authentication using Kerberos successful

                   

                  I am not sure why the port is not being sent from that particular server but it could be the OS or IE version.

                   

                  Also as per my other thread make sure any groups you add are Global AD groups and NOT Domain Local groups.

                   

                  SCCM is now showing as "Externally Provisioned".
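
The SPN mismatch described in the last post can also be checked from the directory side. The following is an added example, not part of the thread or of Intel's tooling: the host name is a placeholder, and it assumes the AMT object's HTTP SPNs are registered with the port, which the thread implies but does not show.

```powershell
# Added example: report which HTTP SPN forms are registered in AD for an AMT host.
# $AmtFqdn is a placeholder host name; 16993 is the TLS web port from the thread.
$AmtFqdn = 'machinename.example.com'
$Port    = 16993

# The two SPN forms a browser may put in its Kerberos service ticket request.
$candidates = [ordered]@{
    'with port'    = "HTTP/${AmtFqdn}:$Port"
    'without port' = "HTTP/$AmtFqdn"
}

foreach ($form in $candidates.Keys) {
    $spn = $candidates[$form]

    # Search the current domain for any object carrying this exact SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hits = @($searcher.FindAll())

    # One row per SPN form: is it registered, and on which object(s)?
    [pscustomobject]@{
        Form       = $form
        SPN        = $spn
        Registered = ($hits.Count -gt 0)
        Owner      = ($hits | ForEach-Object {
                          $_.Properties['distinguishedname'][0]
                      }) -join '; '
    }
}
```

If only the "with port" form shows `Registered = True`, a client that omits the port requests an SPN the domain cannot map to the AMT object, and Kerberos authentication to the web interface fails. More than one owner for the same SPN indicates a duplicate registration, which also breaks ticket issuance.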