1 Reply Latest reply on Sep 26, 2013 10:12 AM by JohnPuskar

    Cannot connect to SOL via Kerberos. Connecting with Digest works fine.

    JohnPuskar

      Hi! I have a dev network configured just for trying out vPro features and figuring out how we're going to implement vPro. Right now, every feature works great when I provision my machine with an SCS profile with no TLS and a digest user. However, when I enable Kerberos and try to connect to SOL I get the error "IMR_RES_AUTH_FAILED". Here's the detailed info:

       

      == Test Network Configuration ==

      2 domain controllers running server 2012 and DNS

      1 dhcp server running server 2012

      1 certificate authority /w IIS for AIA\CDP points running server 2012

      1 SCS server running server 2012 and sql server express 2012

       

      == Test Network Validation ==

      domain controllers - dcdiag and dnslint both pass successfully

      certificate authority - pkiview.msc shows everything as clean, and I can issue certificates and verify them with certutil.

       

      == Intel vPro Configuration ==

      I am using Intel SCS to provision my machines. SCS is using a self-signed provisioning certificate from my CA. The CA is a standalone enterprise CA which the server and test clients trust. I have imported the provisioning certificate into the RCS service via RCSUtil.exe and verified that the import worked correctly via RCSUtil.exe. To provision a client, I use the configurator after manually adding the SHA1 thumbprint of the certificate authority's CA certificate to MEBx. Provisioning works great.

       

      == Client Information ==

      Dell Optiplex 990

      AMT Version 7.1.70

      BIOS Version A17 (latest)

       

      == Steps to Repro Problem ==

      1) Provision a vPro client with the configurator and a profile containing an Active Directory user but no other optional settings (no TLS, home domains, etc).

      2) Ensure that the SOL port redirection is enabled in MEBx.

      3) Launch the webUI to the client and confirm that it is working.

      4) Launch manageability commander v0.1.26 (latest) and connect to the client.

      5) Click the 'Remote Control' tab, then click 'Take Control'.

       

      Expected results: The SOL window will pop up. Rebooting into the BIOS will show you the SOL version of the BIOS.

      Actual results: An error occurs with the following text: "Unable to connect to serial-over-lan port (IMR_RES_AUTH_FAILED). Check that the redirection port is enabled and serial-over-lan feature is turned on."

       

      == Success Conditions ==

      If I provision the vPro client with a profile that contains a digest user, and connect to the client in Manageability commander with the digest user, everything works properly. It only fails with a Kerberos user. Also, it's important to note that the WebUI, KVM, and IDER work correctly with both a Kerberos and Digest user. I'm only having Kerberos trouble with SOL.

       

      == Diagnostics ==

      I've tried the following things:

      * Ensured that the AD user has all permissions in the SCS profile.

      * Ensured that the AD user does not have a token size too large.

      * Ensured that every certificate in the chain has a 2048 bit key and is SHA1.

      * Packet sniffed the traffic to ensure that the correct SPN is being requested successfully ( HTTP/<clientfqdn>:16992 )

      * Ensured that the AMT AD object is created, and that it has HTTP SPNs registered correctly, and that the Windows computer object doesn't have competing SPNs.

      * Ensured that there are no duplicate SPNs on the domain.

       

      I'm at a loss! Does anyone have a lead as to why SOL would fail with a Kerberos user but not a digest user, when WebUI, KVM (via VNC+), and IDER (via VNC+) all work correctly? I can provide any other details if necessary.

       

      Thanks!