8 Replies Latest reply on Jan 5, 2017 1:02 AM by stefan.feldweg

    AMT provisioned machines becoming unauthorized

    duncanwebb

      Hi,

      I'm not sure if this is something that I should be asking here or on the HP support site. We have 48 HP EliteDesk 800 G2 DM 65W mini desktop machines. I provisioned them all with a very basic profile and they have been working and responding correctly to AMT commands. However, after a time some of the machines became unauthorized and the only way to fix this was to reset the AMT in the BIOS to un-provisioned and then provision them again.

      Does anybody have any idea why the machines are becoming unauthorized?

      Thanks

        • 1. Re: AMT provisioned machines becoming unauthorized
          dariusz.wittek@intel.com

          Your AMT management SW can't access Intel AMT (can't authorize) due to:

          • AMT user password and/or user name is not valid or was changed via other means (by another person, e.g. over the AMT Legacy Web UI, or too simple and hacked by brute force).
          • If AD integration was used: Kerberos AMT objects (with $iME suffix) may be manually modified, removed (by an AD cleaning script/tool) or moved to a different OU; the Kerberos password for this object expired; AMT internal time and AD time differ by more than 5 min 00 sec; the AMT FQDN does not match the OS FQDN anymore (the OS FQDN may be changed without reconfiguring AMT).
            If another management console is used, the required Registry keys for Kerberos over a non-standard port are not installed for Legacy WebUI use with MS Internet Explorer.
          • If TLS is used: the AMT TLS cert expired, or the AMT FQDN does not match the OS FQDN anymore (the OS FQDN may be changed without reconfiguring AMT), so a connection to the OS FQDN is trying to use the AMT FQDN (different) TLS cert that is not trusted for this connection name.

          Try to use the system's actual IP address in IE (not Edge) with Integrated AD authentication being disabled; use the defined AMT Digest Administrator (admin) password to connect.
          If you see a certificate error, accept it and check the cert CN vs the AMT FQDN in the AMT Legacy WebUI vs the OS FQDN; get them in sync by reconfiguring AMT again.

          rgds

          Dariusz Wittek
          Intel EMEA Biz Client Solution Architect

          • 2. Re: AMT provisioned machines becoming unauthorized
            duncanwebb

            Hi Dariusz,

            The profile is really basic, no TLS and no AD integration, just user name and password over HTTP. We have the 48 mini desktops in a secure room about 3m from the ground. People connect to these machines using thin clients and Citrix. It is possible that someone is messing around changing the passwords but I don't think so. These machines have been doing this from the start of configuring them and even before they were deployed to the server room.

            Other workstation models don't seem to be having the same problem, but it is difficult to confirm as you only find out when needing to access them. I have written a script to check that we can still connect to the 40+ machines in the secure room, but not for other machines.

            Is there anything else I can try, like adding a second admin user to see if it is just admin that is becoming de-authorized?

            Thanks and kind regards

            Duncan
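A fleet check of the kind described above, as an added example that is not the poster's script: each host's AMT web UI is fetched with Digest credentials and the outcome is classified so that a host flipping from "authorized" to "unauthorized" between two runs stands out. It assumes AMT's default non-TLS port 16992 and a Digest administrator account; the host names are constructed.

```python
"""Fleet check: which AMT hosts still accept the Digest admin credentials.
Added example, not the poster's script. Assumes AMT's default non-TLS web UI
port 16992 and a Digest administrator account; host names are constructed.
"""
import socket
import urllib.error
import urllib.request

AMT_PORT = 16992  # AMT HTTP (non-TLS) port; 16993 is the TLS port

def classify(status):
    """Map an HTTP status (None = no answer at all) to an AMT authorization state."""
    if status is None:
        return "unreachable"      # powered off, no IP, or filtered: not an auth problem
    if status == 401:
        return "unauthorized"     # AMT answered but rejected the Digest credentials
    if 200 <= status < 400:
        return "authorized"
    return f"http-{status}"

def probe(host, user, password, timeout=5.0):
    """Fetch the AMT web UI index page with Digest auth and classify the outcome."""
    url = f"http://{host}:{AMT_PORT}/index.htm"
    pw = urllib.request.HTTPPasswordMgrWithDefaultRealm()  # AMT's Digest realm varies per host
    pw.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(pw))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as e:          # a 401 after the Digest retry lands here
        return classify(e.code)
    except (urllib.error.URLError, socket.timeout, OSError):
        return classify(None)

def sweep(hosts, user, password):
    """Return {host: state}. Diff two sweeps: a host that moves from
    'authorized' to 'unauthorized' is the symptom discussed in this thread."""
    return {h: probe(h, user, password) for h in hosts}

if __name__ == "__main__":
    FLEET = [f"pc{n:03d}.example.invalid" for n in range(1, 4)]   # constructed inventory
    for host, state in sweep(FLEET, "admin", "PLACEHOLDER_PASSWORD").items():
        print(f"{host:28} {state}")
```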

            • 3. Re: AMT provisioned machines becoming unauthorized
              duncanwebb

              Hi,

              I've written a little PowerShell script to subscribe to events from the AMT. If someone changes an AMT user or password then an event should be generated and passed on. Is this correct?

              Some of this hardware/firmware is flaky! I was trying to reinstall the drivers and the error "platform not supported" was being shown. The resolution was to remove the power supply and plug it in again. However, most of the machines just become unauthorized and so far I've not seen any Security Alert messages.

              The script is:

              [CmdletBinding()]
              param([Parameter(Mandatory=$True,Position=1)][string]$hostname)

              #write-host "host name is $hostname"

              $username = "admin"
              $password = "password"
              $lstn = "http://myhost:999"

              Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\HLAPI.dll'
              Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\IWSManClient.dll'

              # Digest (user name + password) connection, matching the basic profile (no TLS, no Kerberos)
              $auth = [Intel.Manageability.ConnectionInfoEX+AuthMethod]::Digest
              $cs = New-Object Intel.Manageability.ConnectionInfoEX($hostname,$username,$password,$False,"",$auth,$null,$null,$null)
              Try {
                  $amt = [Intel.Manageability.AMTInstanceFactory]::CreateEX($cs)
              } Catch {
                  # $(...) is needed inside a double-quoted string; "$_.Exception.Message" only expands $_
                  write-host "Cannot connect to $hostname : $($_.Exception.Message)" -ForegroundColor Red
                  Break
              }

              # Subscribe to all WS-Event filters; AMT identifies itself by FQDN in the HTTP header
              $wsfilter = [Intel.Manageability.Events.FilterName]::All
              $sidtype = [Intel.Manageability.Events.SenderIDType]::FQDN
              #$sidtype = [Intel.Manageability.Events.SenderIDType]::CurrentAddress
              $sip = [Intel.Manageability.Events.SenderIDPlacing]::HTTPHeader
              $sub = New-Object Intel.Manageability.Events.Subscription($lstn,$wsfilter,$sidtype)
              $sub.SenderIDPlacing = $sip

              # Keep exactly one subscription: clear duplicates, then subscribe if none remains
              $subs = $amt.Events.WSEvents.EnumerateSubscriptions()
              If (@($subs).length -gt 1) {
                  write-host "$hostname subscribed to" @($subs).length "subscriptions" -ForegroundColor Yellow
                  $amt.Events.WSEvents.UnSubscribeAll()
                  $subs = $amt.Events.WSEvents.EnumerateSubscriptions()
              }
              If (@($subs).length -eq 1) {
                  write-host "$hostname already subscribed to" $subs[0].ListenerAddress -ForegroundColor Yellow
              } ElseIf (@($subs).length -lt 1) {
                  write-host "$hostname subscribed to $lstn" -ForegroundColor Green
                  $amt.Events.WSEvents.Subscribe($sub)
              }

              The listening script is:

              Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\HLAPI.dll'
              Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\IWSManClient.dll'

              # Listen on TCP port 999 (the port in $lstn of the subscribe script) for WS-Events from every AMT host
              $listener = New-Object HLAPI.Services.WSEventListener([IPAddress]::Any,'999')

              # -SourceIdentifier must be a string naming the registration, not the event member itself
              Register-ObjectEvent $listener OnNewEventArrived -SourceIdentifier 'AmtWSEvent' -Action {
                  # One log line per event: Sender; AlertType; FilterName; Time; Description
                  $Result = "" + $Event.SourceEventArgs.Sender + "; " `
                               + $Event.SourceEventArgs.EventData.AlertType + "; " `
                               + $Event.SourceEventArgs.EventData.IndicationFilterName + "; " `
                               + $Event.SourceEventArgs.EventData.IndicationTime.ToString("yyyy-MM-dd HH:mm:ss") + "; " `
                               + $Event.SourceEventArgs.EventData.MessageDescription
                  write-host $Result
                  $Result | Out-File .\messages.log -Append
              }
              $listener.StartListening()

              The scripts seem to work.

              • 4. Re: AMT provisioned machines becoming unauthorized
                dariusz.wittek@intel.com

                Duncan,

                If disconnecting power helps, at least partially, it may mean you have a pretty old version of ME FW; there may be some bugs that are already fixed.

                Please check the OEM support download site for ME FW update packages.

                • 5. Re: AMT provisioned machines becoming unauthorized
                  duncanwebb

                  Hi Dariusz,

                  How old is pretty old?

                  HP's latest BIOS is 02.20 (it cannot be downgraded), but I believe 11.0.0.1205 is the latest ME firmware.

                  I don't think that AMT is sending a SecurityAlert when the admin password is changed; I reckon it should be.

                  C:\config-amt>amt_version.py
                  chzrhpmd001 10.30.32.60  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd002 10.30.32.14  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd003 10.30.32.27  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd004 10.30.32.15  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd005 10.30.32.148 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd006 10.30.32.149 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd007 10.30.32.53  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd008 10.30.32.51  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd009 10.30.32.150 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd010 10.30.32.75  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd011 10.30.37.164 no ping response
                  chzrhpmd012 10.30.32.155 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd013 10.30.32.153 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd014 10.30.32.135 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd015 10.30.32.40  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd016 10.30.32.158 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd017 10.30.32.160 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd018 10.30.32.42  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd019 10.30.32.162 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd020 10.30.32.43  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd021 10.30.32.52  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd022 10.30.32.166 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd023              no ip address
                  chzrhpmd024 10.30.32.24  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd025 10.30.32.129 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd026 10.30.32.21  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd027 10.30.32.47  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd028 10.30.32.183 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd029 10.30.32.57  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd030 10.30.32.187 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd031 10.30.32.181 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd032 10.30.32.68  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd033 10.30.32.190 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd034 10.30.32.195 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd035 10.30.32.164 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd036 10.30.32.38  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd037 10.30.32.198 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd038 10.30.32.196 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd039 10.30.32.197 N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd040 10.30.33.12  N21 Ver. 02.19  06/01/2016 11.0.0.1205
                  chzrhpmd041 10.30.32.30  N21 Ver. 02.19  06/01/2016 11.0.0.1205


                  Kind regards

                  Duncan

                  • 6. Re: AMT provisioned machines becoming unauthorized
                    duncanwebb

                    Hi,

                    Some more information.

                    I created an additional administrator on the AMT for the first set of machines. Today 18 machines changed state to unauthorized and this also affected the second administrator. I really don't believe that a person was logging into the AMT of 18 machines and changing the password of the admin account and deleting the second administrator.

                    I'm wondering two things:

                    1) How to automate adding a second user with the HLAPI (there seem to be very few examples of using the HLAPI and the reference documentation does not help).

                    2) Are there any events that are sent when someone logs onto or fails to log onto the AMT interface?

                    I'm seeing a few messages like:

                    CommunicationsAlert; Intel(r) AMT:AllEvents; The LAN  has been connected.

                    and am wondering what is causing these (the machines are not being powered off or rebooted).

                    When a machine is rebooted I'm seeing a couple of messages like:

                    SecurityAlert; Intel(r) AMT:AllEvents; The computer system Managed System has detected a pre-boot user password violation.

                    a few seconds before the LAN connected message.

                    Any ideas?

                    Thanks and regards,

                    Duncan
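A triage pass over the messages.log written by the listener script earlier in this thread, as an added example that is not from any post here: it parses the listener's line layout (Sender; AlertType; FilterName; time; MessageDescription), counts SecurityAlerts per host, and separates "LAN has been connected" events that follow a pre-boot password violation within a short window (the reboot pattern just described) from those with no such explanation. The log lines are constructed, and the sender is assumed to be the host FQDN as configured in the subscription.

```python
"""Triage the messages.log produced by the WS-Event listener in this thread.
Added example, not code from the thread. Assumes the listener's line layout
Sender; AlertType; FilterName; yyyy-MM-dd HH:mm:ss; MessageDescription, with
the sender being the host FQDN. SAMPLE_LOG is constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
pc001.example.invalid; SecurityAlert; Intel(r) AMT:AllEvents; 2016-12-20 08:01:10; The computer system Managed System has detected a pre-boot user password violation.
pc001.example.invalid; CommunicationsAlert; Intel(r) AMT:AllEvents; 2016-12-20 08:01:14; The LAN has been connected.
pc002.example.invalid; CommunicationsAlert; Intel(r) AMT:AllEvents; 2016-12-20 09:30:00; The LAN has been connected.
pc003.example.invalid; SecurityAlert; Intel(r) AMT:AllEvents; 2016-12-20 10:15:42; The computer system Managed System has detected a pre-boot user password violation.
"""

def parse_line(line):
    """Split one listener line into its five fields; None if malformed."""
    parts = [p.strip() for p in line.split(";", 4)]   # description may itself contain ';'
    if len(parts) != 5:
        return None
    sender, alert_type, filt, when, desc = parts
    try:
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return {"sender": sender, "type": alert_type, "filter": filt, "time": ts, "desc": desc}

def triage(text, reboot_window=timedelta(seconds=30)):
    """Per host: SecurityAlert count, LAN-connected events explained by a preceding
    pre-boot password violation inside reboot_window, and unexplained ones."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["sender"]].append(e)
    report = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        sec = [e for e in evs if e["type"] == "SecurityAlert"]
        explained = unexplained = 0
        for e in evs:
            if "LAN has been connected" not in e["desc"]:
                continue
            preceded = any("password violation" in s["desc"]
                           and timedelta(0) <= e["time"] - s["time"] <= reboot_window
                           for s in sec)
            explained, unexplained = (explained + 1, unexplained) if preceded else (explained, unexplained + 1)
        report[host] = {"security_alerts": len(sec),
                        "lan_after_reboot": explained,
                        "lan_unexplained": unexplained}
    return report
```

Hosts with lan_unexplained greater than zero are the ones whose LAN-connected events have no reboot to account for them, which is the case worth chasing alongside the authorization failures.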

                    • 7. Re: AMT provisioned machines becoming unauthorized
                      Macmep

                      Hello!

                      I have the same problem. 8 of 9 provisioned machines become Unauthorized. I can manage only one.

                      All these PCs are in another city.

                      Motherboard: Gigabyte Q170-DH3

                      Processor: Intel® Core™ i5-6500 Processor (6M Cache, up to 3.60 GHz)

                      Help me!

                      • 8. Re: AMT provisioned machines becoming unauthorized
                        stefan.feldweg

                        Hello,

                        We have the same issue. HP 800 G2 computers become Unauthorized, which is really bad because we do a lot of remote administration...

                        Any ideas?