8 Replies Latest reply on Jul 24, 2013 9:32 AM by twoj@work

    Problem accessing AMT webgui

    twoj

      I am running into an issue where I am trying to log into the webgui of my vPro computers that have been configured through SCCM. When I try accessing the web interface from my computer; https://computer.domain.com:16993

      I get the Intel Active Management Technology webpage and after clicking the 'log On...' button it brings me to the actual control webpage. One thing I have noticed is that on this computer the page is listed as 'Local intranet'.

      If I go on my SCCM server (or pretty much any other computer) and try the same thing, I get the initial page, but after clicking the log on button it displays 'Internet Explorer cannot display the webpage' plus it is showing as in the 'internet' zone.

      The certs used are installed the same on these computers (Root to Issuing CA to computer), and on the initial page the little lock symbol in IE confirms that the chain is trusted.

      Trying the same thing from Firefox gives a bit more detail that the connection is untrusted;

      'computer.domain.com uses an invalid security certificate'

      'The certificate is not trusted because no issuer chain was provided'

      (Error code: sec_error_unknown_issuer)

       

      It seems (at least partially) that the issue is for some reason on my machine it is detecting the vPro machines as local and on other machines they are detected as internet, and I've added in the settings that domain.com plus computer.domain.com should be included in the 'Local intranet' zone but it seems on the problem computers that the initial webgui page comes in as 'Local intranet' and then when you click the 'Log on' button it then goes to the

      'Internet Explorer cannot display the webpage' which is listed as the Internet zone.

       

      I hope someone has some insights about what is going on

      Thanks

        • 1. Re: Problem accessing AMT webgui
          Joseph Oster

          First off the Local Intranet would be correct when accessing the WebUI locally. Remotely should be Internet Zone from within Internet Explorer.

           

          Since you were able to provision the system using SCCM, the certificates shouldn't be an issue for your SCCM server.

           

          I would suggest checking your proxy settings within IE, if you are using a proxy server and you feel your settings are correct. I would suggest that you disable the proxy settings from within IE and see if that doesn't alleviate the problem.

           

          Let me know what you find out

          Joe

          • 2. Re: Problem accessing AMT webgui
            twoj

            When you say local I take it you mean on the actual machine? When I access the webgui of another computer from my notebook (presumably remotely) it appears in the initial page (with the log on button) and the subsequent page (the AMT webgui interface) as Intranet. So from my notebook things work normally.

            When I go to my SCCM server or pretty much any other workstation the initial page is Intranet, but when you click on the 'Log on' button it displays 'Internet Explorer Cannot display the webpage' and is in the Internet zone.

             

            This is all internal, different vlans but I've tested with computers that work on the same vlan and they still either work or don't work from the various vlans, so it doesn't seem to be affected by the networking.

            We aren't using any proxying so that isn't a factor.

             

            It seems it is related to either internet settings or cert related.

            Other ideas?

            • 3. Re: Problem accessing AMT webgui
              Joseph Oster

              Your description of local vs remote is correct.

               

              Default for IE is using Integrated Windows Authentication. This is fine if you are trying to log into the WebUI using domain credentials, but I suspect you are using digest credentials of admin/<Password>; if that is the case you will need to alter your IE settings.

               

              Tools>Internet Options>Advanced tab... Scroll down to the security section and un-check the box for "Enable Integrated Windows Authentication"

               

              Let me know if that helps,

               

              Joe

              • 4. Re: Problem accessing AMT webgui
                twoj

                Just tried on the SCCM server - some progress

                I now get a 'Windows Security' window stating:

                The server computer.domain.com at

                Digest: {some hash number} requires a username and password

                 

                It has the username and password box where I have tried every possible account I can think of and none of them work. When it fails I get;

                Log on failed. Incorrect user name or password, or user account temporarily locked.

                 

                Another weird thing I just tried is logging into my notebook with the domain admin account and the connection fails while in my profile it works. So it seems like it is even profile related.
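
Added example, not part of the thread and not Intel's or Microsoft's code: a Python sketch of why one account can get in with integrated authentication while the username/password prompt rejects it. It assumes the server offers both Negotiate and Digest challenges and that the 'Digest: ...' string shown in the prompt is the Digest realm; the header lines and the realm placeholder are constructed.

```python
import hashlib
import re

# Constructed 401 challenge lines, not captured from a real system.
# REALM_PLACEHOLDER stands in for the value shown in the prompt.
SAMPLE_401 = [
    "WWW-Authenticate: Negotiate",
    'WWW-Authenticate: Digest realm="Digest:REALM_PLACEHOLDER", nonce="n0nce", qop="auth"',
]

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenges(header_lines):
    """Map each offered scheme (lower-cased) to its challenge parameters."""
    offered = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        offered[scheme.lower()] = {
            key.lower(): quoted or bare for key, quoted, bare in _PARAM.findall(rest)
        }
    return offered


def scheme_used(offered, integrated_auth_enabled):
    """Simplified model of the browser's choice (an assumption, not IE's code):
    Negotiate is taken only when integrated authentication is enabled."""
    if integrated_auth_enabled and "negotiate" in offered:
        return "negotiate"   # Kerberos ticket for the logged-on domain user
    if "digest" in offered:
        return "digest"      # typed username/password, checked per RFC 2617
    return None


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, nonce, method, uri, nc, cnonce):
    """RFC 2617 response value for algorithm=MD5, qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # realm is bound into the hash
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
```

Because the username and realm are hashed together with the password, the Digest check only matches an account stored on the device under that exact name; a domain account name typed into the prompt produces a different value.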

                • 5. Re: Problem accessing AMT webgui
                  Joseph Oster

                  Let's just talk about the server for the moment. It sounds like all you have is a password issue.

                   

                  By default the MEBx Digest username is "admin", the password is the one you provide within the SCS profile, that is being used to provision the client.

                   

                  Within the SCS profile, this password can be a specific string that you assign or can be set as a random string that the unit is to be provisioned with.

                   

                  If you have full access to SCS, just go to the profile, select edit and hit <next> until you get to the System Settings page, click the show password check box and it will reveal the static passwords.

                   

                  If the profile is set to supply random passwords and it was installed in Database mode, open up SCS and select Monitoring>All Systems>"System under review">right click "Get configured password".

                   

                  If SCS was set up in a non database mode, the above option won't be available and if random passwords for provisioning was used then, you will not be able to use the WebUI, as the password will be in the SCCM DB and can't be viewed. In this instance just re-provision the system using a different profile with the static password set to a known static password string.

                   

                  I hope this helps

                  Joe

                  • 6. Re: Problem accessing AMT webgui
                    twoj

                    The computers have all been provisioned through the 'Out of Band Management' component of SCCM, I have not used SCS at all. In the SCCM OOB configuration you specify the accounts you wish to include for access to AMT in the 'AMT user accounts' under the 'AMT settings' tab. I have 2 domain user accounts plus a domain group account and my username in the domain group. I have tried logging into the AMT with all the credentials of those accounts but they all result in the same issue as mentioned previously.

                     

                    What I find weird is that when I log into the AMT settings under 'User accounts' is that the list is empty. I assume that when I get to the AMT settings I have logged in with my domain credentials but I don't see anywhere where it states what user is logged on.

                     

                    For an experiment I just logged into my SCCM server using my domain account and it gives me the same issue trying to log into the AMT webgui.

                     

                    Thanks for all your help so far!

                    • 7. Re: Problem accessing AMT webgui
                      cohei

                      Did you create registry key feature_include_port_in_spn_kb908209 to enable ssl connection other than port 443?

                      http://support.microsoft.com/kb/908209/en-us


                      • 8. Re: Problem accessing AMT webgui
                        twoj

                        Yes the registry entry was added - although it seems that is mostly IE6 related I've added the key anyways - however since it is a machine registry entry and the connection was already working in my profile but not in the domain admin profile then it was profile specific and not a machine specific issue.

                         

                        This really does seem to be an issue of credentials;

                        I added the domain administrator into the AD group that is added into the AMT user accounts when provisioned in SCCM, and when the Integrated Authentication is checked I can log into the AMT webgui, when I uncheck the integrated authentication when I connect to another computer's webgui it presents me with the login window - however I've tried;

                        1) Administrator                   [Password]

                        2) domain\administrator       [Password]

                        3) administrator@domain    [Password]

                         

                        So why does the integrated authentication work but the same credentials entered in the login window don't seem to work - is the login window only for digest authentication? Is there any way to see the AD groups that are set to work with Kerberos for authentication?

                        • 9. Re: Problem accessing AMT webgui
                          twoj

                          This is still very weird - Since I added the domain administrator account into the AD group with AMT login permissions, now the domain administrator can log in (with integrated authentication), as expected, and now also my SCCM admin domain account (SCCMAdmin) which previously wasn't working even when it was specifically added as one of the 3 accounts that SCCM is supposed to configure on provisioning.

                           

                          I still cannot login without using the integrated authentication - any idea why the same domain credentials work with authenticated credentials but don't work when entered in the login prompt for the webgui?

                           

                          Also I did a scan of a group of the machines (since for testing purposes I have been using a handful (3-4) of computers), the scan reports that I have about 10 computers that are not responding at all to any credentials. Even my credentials on my laptop that has had the most success for accessing the webgui aren't working.

                          It's like the Kerberos authentication for AMT isn't working for some or all of the 3 accounts used in the provisioning at some times since I was pretty sure the SCCMAdmin account worked before and that computers that I no longer have access to the webgui were working before.

                          • 10. Re: Problem accessing AMT webgui
                            Joseph Oster

                            In summary your issue is with a few clients that communication to webUI is failing and you don't know the provisioned password from SCCM.

                             

                            Use SCCM to re-provision the client, and you should be able to use the current credentials

                            • 11. Re: Problem accessing AMT webgui
                              twoj

                              Sorry for the delays - Thanks again Joe

                              I did finally track down the password that was used to provision the AMT, I verified it by logging into the AMT on a few computers, ones that are working fine and the ones that are not displaying the WebGUI.

                              So in the AMT I can see the initial provisioning information. Here are the 2 things;

                               

                              1) For most computers the login to the WebGUI works with the integrated Authentication on. However if I disable it I get the window asking for the username & password. Now from what you told me, no domain credentials will work like this because it is just authenticating Digest users. Now from my understanding the default 'admin' user is the only digest account and given that I have the password to log into the AMT, so I have tried logging in with all the combinations I can think of;

                              admin / <AMT Password>

                              [Blank] / <AMT Password>

                              But none of them let me in, the only way i have been able to get in is if I create a digest user and log in with those credentials but I can't seem to get in with the default admin account.

                               

                              2) There are still some computers that I can get into the AMT settings on the actual machine, but the problem accessing the WebGUI is as stated before, I get the initial Log On WebGUI page but then it fails right away with the 'Internet Explorer cannot display the webpage'.

                               

                              Thanks

                              • 12. Re: Problem accessing AMT webgui
                                Joseph Oster

                                Let's check the actual AMT settings. Please use the Intel diagnostic tool on one of the clients that is failing, this tool is located here: Intel AMT Diagnostics Tool

                                 

                                Once you run this tool on your client, please send me a copy via Private Messaging, so I can review your profile settings. I will need a scan of both the client mentioned in #1 and from #2 from your previous post.

                                • 13. Re: Problem accessing AMT webgui
                                  twoj

                                  I just did a bit of a test - I took one of the machines that I can't access the WebGUI and did an AMT firmware update (6.0.2 -> 6.2.20). Before after clicking the 'Log On' button I would immediately get the 'Internet Explorer cannot display the webpage'. Now after the firmware update I get like the issue on some of my Notebooks where after clicking the 'Log On' I get a window asking for username & password credentials, again there are no credentials that I enter which work.

                                  Does the firmware update erase the AMT provisioning?

                                  • 14. Re: Problem accessing AMT webgui
                                    Joseph Oster

                                    Can you get into the MEBx during boot up? Most systems use Ctrl+P to access the MEBx, use the password that you believe is good for the digest user for the webUI. If you cannot get access, use the password of "admin". If that doesn't work, re-provision the client and try accessing the WebUI and or MEBx again.
