Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

Active Directory Integration

IBrow
Beginner
1,877 Views

Any tips on why my AD integration may be failing, or where to start looking / debugging?

Background:

RCS server deployed in database mode.

AD OU set up and permissioned.

Enterprise CA set up and template created and permissioned.

Profile created on the RCS

acuconfig.exe ConfigViaRCSOnly succeeds and provisions machine. Certificate is created by the CA, Computer object is created in the OU.

Logging on to https://127.0.01:16693/ https://127.0.01:16693/ works using Admin and the "Get configured Password" from the RCS

Logging on to https://127.0.01:16693/ https://127.0.01:16693/ fails for Domain accounts.

Am I missing something here? I assume this should work.

Provisioning command:

acuconfig.exe /Verbose /Output Console ConfigViaRCSOnly rcsserver.mydomain.com StandardLan /AbortOnFailure /ADOU OU=AMT,OU=Others,DC=mydomain,DC=com /RCSBusyRetryCount 5

Profile details (domain names changed for obvious reasons)

Profile Name: StandardLAN

Profile Type: Intel AMT

Network Settings

 

FQDN will be the same as the Primary DNS FQDN

 

IP will be taken from DHCP

Active Directory Integration

 

Active Directory OU:OU=AMT,OU=Others,DC=mydomain,DC=com

 

Access Control List (ACL)

 

User 1: mydomain.com\AMTAdministrators

 

User Type: Active Directory

 

User has both remote and local access to the realms listed below

 

Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control

 

 

Transport Layer Security (TLS)

 

Server authentication used for remote interface

 

Server Authentication Certificate Properties:

 

Certificate Authority: ca-cert-001.mydomain.com\MYDOMAIN-ISSUING-CA-001

 

Certificate Template: AMTWebServerCertificate

 

Common Names (CNs) in certificate: DNS Host Name (FQDN), Host Name, SAM Account Name, User Principal Name, UUID

Network Configuration

 

WiFi

 

Do not enable synchronization of Intel® AMT with host platform WiFi profiles

System Settings

 

Enabled Management Interfaces:

 

Web UI

 

Serial Over LAN

 

IDE Redirection

 

KVM

 

RFB password not defined

Power Management Settings: Always On (S0-S5), Timeout if idle: 3 minutes

 

The Intel® AMT clock will be synchronized with the operating system clock

 

Intel® AMT will not respond to ping requests

 

Fast Call for Help (within the enterprise network) is Enabled
0 Kudos
1 Solution
MichaelA_Intel
Moderator
611 Views

Halibut

Hi Halibut,

I'm going to assume you're using Internet Explorer. For kerberos authentication, there is a setting in IE that needs to be changed:

In the advanced tab of IE>internet options, there is a check box for "Enable Integrated Windows Authentication". Checked is kerberos, unchecked is digest.

You will also need to perform the following registry edits:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209] "iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209] "iexplore.exe"=dword:00000001

Regards,

Michael

View solution in original post

0 Kudos
2 Replies
MichaelA_Intel
Moderator
612 Views

Halibut

Hi Halibut,

I'm going to assume you're using Internet Explorer. For kerberos authentication, there is a setting in IE that needs to be changed:

In the advanced tab of IE>internet options, there is a check box for "Enable Integrated Windows Authentication". Checked is kerberos, unchecked is digest.

You will also need to perform the following registry edits:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209] "iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209] "iexplore.exe"=dword:00000001

Regards,

Michael

0 Kudos
IBrow
Beginner
611 Views

Gah!

Well that was a day of my life I wont get back. Than you very much Michael, it's working now, as it apparently had been all along. The keys in IE were all it needed.

I.

0 Kudos
Reply