Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Unable to connect to Provisioned machine with AMT cmdr

idata
Employee

Hi,

I've been able to provision a few machines for vPro, but I'm not able to connect. I used a USB key to provision and am able to log on to the client's MEBx (CTRL+P). I created certs on site. We have our own cert creation site (gov). I manually entered the hash in the MEBx. I'm able to provision and re-provision machines without trouble, but just can't connect with the AMT Commander to manage remotely. I'm using a domain account with admin privileges on the server. We are not able to use the AD schema extensions.

Right now the log has an "Exception in set rng key worker: (0xCFFF06AC) SOAP Failure (22): Http error." referencing the machine I provisioned this morning.

Any help or suggestions are greatly appreciated.

Thanks!

4 Replies
Matthew_R_Intel
Employee

sbradham,

It is not completely clear to me what your configuration looks like, so I need to ask some clarifying questions. Using the USB stick does not necessarily provision the vPro client; it simply puts the necessary identity and provisioning keys in place (like initially setting the MEBx / remote admin password, PSK PID/PPS keys, or custom cert hash if you are using your own CA) so that it can be provisioned. You still need the ISV software to provision the client (set up ACL, push down client certification, set power policies, etc.). When you state that you are able to "provision and re-provision machines without trouble", can you elaborate in a little more detail on what exactly you are doing?

In terms of using AMT Commander to provision a vPro Client in enterprise mode... the following guides might help you out.

http://blip.tv/file/get/Intel_SW-UsingIntelAMTDirectorToPerformOnetouchSetupAndConfigura550.wmv?source=2 Using Intel AMT Director to perform one touch setup (v0.28)

http://blip.tv/file/get/Intel_SW-UsingIntelAMTDirectorToSetupIntelAMTWithRemoteConfigur149.wmv?source=2 Using Intel AMT Director to perform remote configuration (v0.28)

http://blip.tv/file/get/Intel_SW-UsingIntelAMTDirectorToSetupIntelAMTWithTLSSecurity735.wmv?source=2 Using Intel AMT Director to configure TLS (v0.28)

Matt Royer

idata
Employee

Miroyer,

Thanks! I'm reading through the links now.

By provision, I mean that in the AMT SCS console, under Intel AMT Systems, I can see the machine's UUID displayed with an "UnProvisioned" status when I first use the USB key on the client, but after a few minutes or so, it shows as "Provisioned" even though "Authorized" is still False. The version is marked as 3.0.5 and it's using the profile I created on the server.

Please let me know if you need more info. This project hasn't completely clicked for me yet, so I'm not sure if I'm providing all the info you need.

Thanks!!

-Steve

Matthew_R_Intel
Employee

OK, things are a little more clear... so the Intel SCS and AMT Commander weren't necessarily designed to work together; however, there are ways to make it work. AMT Commander does have its own enterprise provisioning capability (those videos I linked before), so you don't necessarily need to provision them via the Intel SCS.

You can, however, have AMT Commander connect to a vPro client that has been provisioned by the Intel SCS... but you need to make sure that you are connecting with a user (digest or Kerberos) that has access to the vPro client. If you are provisioning via the Intel SCS, you need to make sure that you define authorized users within a profile and provision (or reprovision) that vPro client with that profile selected. Unfortunately, to get Kerberos authentication to work with the current version of the Intel SCS, you will need to extend your AD schema with the script provided. If you do not want to extend your schema, you can define a digest user in the profile and connect with that or the MEBx/Admin password you defined in the profile. Have you set up your profiles yet in the SCS?

BTW, the Intel SCS is not traditionally used in isolation; it is usually used in conjunction with an ISV like the SMS Add-on, HP Openview or Altiris. Other ISVs like Microsoft SCCM or LANDesk have their own provisioning capability integrated, so they don't use the Intel SCS. Are you just familiarizing yourself with vPro provisioning or are you trying to provision in the SCS with a supporting ISV?

Matt Royer
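
Added example, not part of the thread and not code from Intel or any of the tools discussed: a small Python triage helper for the digest-versus-Kerberos choice described in the reply above. It assumes the management endpoint answers unauthenticated requests with standard HTTP `WWW-Authenticate` challenges, one challenge per header line; the sample responses, function names and result labels are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real device).
DIGEST = 'WWW-Authenticate: Digest realm="Digest:EXAMPLE", nonce="n0", qop="auth"\r\n'
NEGOTIATE = "WWW-Authenticate: Negotiate\r\n"
SAMPLE_DIGEST_ONLY = "HTTP/1.1 401 Unauthorized\r\n" + DIGEST + "\r\n"
SAMPLE_BOTH = "HTTP/1.1 401 Unauthorized\r\n" + DIGEST + NEGOTIATE + "\r\n"
SAMPLE_NEGOTIATE_ONLY = "HTTP/1.1 401 Unauthorized\r\n" + NEGOTIATE + "\r\n"
SAMPLE_OK = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def offered_schemes(raw_response):
    """Return (status_code, set of lower-cased auth schemes the server offers)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP response")
    schemes = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            tokens = value.split()
            if tokens:  # first token of the challenge is the scheme name
                schemes.add(tokens[0].lower())
    return int(match.group(1)), schemes


def advise(raw_response, have_kerberos, have_digest_user):
    """Map the challenge to the next step (labels are hypothetical).

    have_kerberos: the Kerberos path is usable (per the thread, with the
    Intel SCS this requires the AD schema extension).
    have_digest_user: a digest user or the admin password is defined in the profile.
    """
    status, schemes = offered_schemes(raw_response)
    if status != 401:
        return "no-challenge"
    if "negotiate" in schemes and have_kerberos:
        return "use-kerberos"
    if "digest" in schemes and have_digest_user:
        return "use-digest"
    if "digest" in schemes:
        return "define-digest-user"
    return "kerberos-required"
```

For the situation in this thread (no schema extension, so `have_kerberos=False`), a digest challenge with no digest user defined yields `define-digest-user`, which matches the advice to add a digest user to the profile and reprovision.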

idata
Employee

This is great info. I really appreciate it.

Some more info. We're on a large network and we have domain admin rights over our OU and its sub-containers for Computers, users, OPS\servers, etc. Unfortunately, the big guys won't extend the schema. I created a domain user account with domain admin rights to our OU and configured it in SCS > Users and Groups as an Enterprise Admin. I use this account to log on to the server when doing any configuring.

I'm going through the videos now. I suspect I have previously missed any configuration with the AMT Director. I'm stepping through it now.

I'm trying to get it up and running into production.
