2 Replies Latest reply on Jul 14, 2017 1:59 AM by Halibut

    Active Directory Integration

    Halibut

      Any tips on why my AD integration may be failing, or where to start looking / debugging?


      Background:

      RCS server deployed in database mode.

      AD OU set up and permissioned.

      Enterprise CA set up and template created and permissioned.

      Profile created on the RCS

      acuconfig.exe ConfigViaRCSOnly succeeds and provisions machine. Certificate is created by the CA, Computer object is created in the OU.

Logging on to https://127.0.01:16693/ works using Admin and the "Get configured Password" from the RCS

Logging on to https://127.0.01:16693/ fails for Domain accounts.


      Am I missing something here? I assume this should work.


      Provisioning command:

      acuconfig.exe /Verbose /Output Console ConfigViaRCSOnly rcsserver.mydomain.com StandardLan /AbortOnFailure /ADOU OU=AMT,OU=Others,DC=mydomain,DC=com /RCSBusyRetryCount 5


      Profile details (domain names changed for obvious reasons)

      Profile Name: StandardLAN

      Profile Type: Intel AMT

      Network Settings
           FQDN will be the same as the Primary DNS FQDN
           IP will be taken from DHCP

      Active Directory Integration
     Active Directory OU: OU=AMT,OU=Others,DC=mydomain,DC=com
Access Control List (ACL)
           User 1: mydomain.com\AMTAdministrators
                User Type: Active Directory
                User has both remote and local access to the realms listed below
                Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
         
      Transport Layer Security (TLS)
           Server authentication used for remote interface
           Server Authentication Certificate Properties:      
                Certificate Authority: ca-cert-001.mydomain.com\MYDOMAIN-ISSUING-CA-001
                Certificate Template: AMTWebServerCertificate
                Common Names (CNs) in certificate: DNS Host Name (FQDN), Host Name, SAM Account Name, User Principal Name, UUID

      Network Configuration  
           WiFi
           Do not enable synchronization of Intel® AMT with host platform WiFi profiles

      System Settings 
           Enabled Management Interfaces:
           Web UI
           Serial Over LAN
           IDE Redirection
           KVM
                RFB password not defined

           Power Management Settings: Always On (S0-S5), Timeout if idle: 3 minutes
           The Intel® AMT clock will be synchronized with the operating system clock
           Intel® AMT will not respond to ping requests
           Fast Call for Help (within the enterprise network) is Enabled

        • 1. Re: Active Directory Integration
          michael_a_intel


          Hi Halibut,


I'm going to assume you're using Internet Explorer. For Kerberos authentication, there is a setting in IE that needs to be changed:

In the Advanced tab of IE > Internet Options, there is a check box for "Enable Integrated Windows Authentication". Checked is Kerberos, unchecked is Digest.


          You will also need to perform the following registry edits:

          [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209] "iexplore.exe"=dword:00000001

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209] "iexplore.exe"=dword:00000001


          Regards,

          Michael
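The two registry values Michael lists above, applied and then read back from an elevated PowerShell prompt. This is an added example for administrators, not code from Michael's reply or from Intel's tooling; the key paths and the iexplore.exe value name are taken from the reply, the helper names are my own, and the 64-bit check is an assumption that the WOW6432Node view only matters on 64-bit Windows.

```powershell
# Added example (not part of the original reply): apply and verify the
# FEATURE_INCLUDE_PORT_IN_SPN_KB908209 values so that Internet Explorer
# includes the port in the Kerberos SPN it requests for the Intel AMT web UI.
# Run from an elevated prompt; writing under HKLM needs administrator rights.

$ValueName = 'iexplore.exe'
$KeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
)

function Set-PortInSpnFeature {
    param([string[]]$Paths, [string]$Name)
    foreach ($path in $Paths) {
        # Assumption: the WOW6432Node view exists only on 64-bit Windows, so
        # skip it on 32-bit hosts instead of creating a key nothing reads.
        if ($path -like '*WOW6432Node*' -and -not [Environment]::Is64BitOperatingSystem) {
            continue
        }
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # DWORD 1 = enabled, exactly as in the .reg lines from the reply.
        New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-PortInSpnFeature {
    param([string[]]$Paths, [string]$Name)
    # Returns one row per key so the state can be audited before and after the change.
    foreach ($path in $Paths) {
        $current = $null
        if (Test-Path -Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
        }
        [pscustomobject]@{
            Path    = $path
            Value   = $current
            Enabled = ($current -eq 1)
        }
    }
}

# Audit, apply, audit again.
Test-PortInSpnFeature -Paths $KeyPaths -Name $ValueName | Format-Table -AutoSize
Set-PortInSpnFeature  -Paths $KeyPaths -Name $ValueName
Test-PortInSpnFeature -Paths $KeyPaths -Name $ValueName | Format-Table -AutoSize
```

The audit function is worth keeping separately from the set function: on a fleet of admin workstations it lets you report which machines still request a port-less SPN (and therefore fall back from Kerberos) without changing anything. Restart Internet Explorer after the change so the new feature-control setting is picked up.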

          • 2. Re: Active Directory Integration
            Halibut

            Gah!


Well that was a day of my life I won't get back. Thank you very much Michael, it's working now, as it apparently had been all along. The keys in IE were all it needed.


            I.