5 Replies Latest reply on Nov 16, 2009 10:02 AM by

    Help with Installation of Setup and Configuration Service

      Hello,

       

      I am having quite a bit of difficulty in setting up Intel Setup and Configuration Service (v5.1.0.50) on our new Provisioning server.

       

      The server specifications are:

      Windows 2003 Standard Edition (32-bit) SP2

      Internet Information Services 6.0

      .NET Framework 2.0 SP2

      Windows Installer 4.5

      SQL Express SP3 2005 (for testing purposes, will be full SQL 2005 in production)

           -Mixed mode is enabled but using AD authentication using the AD service account.

      Firewall is turned off

       

      Note: The Certificate Authority will be on a separate server.

       

      Domain:

      Active Directory (AD) 2008 Functional Level without the AD Schema extensions applied.

       

      Installation steps taken so far:

      We have created an AD service account that is configured as a Domain Admin with Delegation Control on the root of AD for full control over (create and delete) Computer objects in AD.  In addition, this account is under the local Administrators group on the server.

       

      We do not have the DNS record for ProvisionServer set up yet, nor the Certificate Authority for TLS and the Root Certificate.

       

      I have verified that in IIS both the AMTSCS & AMTSCS_RCFG exist and "Force Secure Connection" is off and running ASP.Net version 2.0.50727.  In addition, the AD Service account has full permissions on the SOAP API and SOAP RCFG API directories.  Windows Authentication is checked for both virtual directories and Anonymous Authentication is checked for the Default Web Site.  Under Web Service Extensions:

           ASP.NET v2.0.50727, mod_gsoap on AMTSCS, mod_gsoap on AMTSCS_RCFG are all allowed.

       

      Under Application Pools:

           AMTSCS Remote Configuration contains SOAP_RCFG and DefaultAppPool contains SOAP.

       

      All sites are currently running.

       

      The AD Service account has been added as a login user to the SQL Express 2005 server and given sysadmin permissions over the IntelAMT database which was created without a problem during installation.

       

      I verified that the AD Service account was added to the Local Security Policy User Rights section and given "Log on as a service" rights.  I have also verified that there are no Group Policies applying to the system that would disable this right (using Resultant Set of Policies).

       

      Since there was a known issue with the AMTConfig service not adding the user to the Local Security Policy after installation, I re-entered the password in the Log on As box under the service and verified that it saved.  In addition, the AD Service account has full permissions on the Windows Service directory where the AMTConfig service executable resides.

       

      I installed the Intel AMT Console for checking and attempting to connect to either:

       

      http://localhost/amtscs

      http://testserver/amtscs

      http://testserver.ad.domain.edu/amtscs

       

      All result in the following error on the Console:

          Unable to connect to {server} (Reason: Response is not well-formed XML)

       

      In addition, upon restarting the AMTConfig service (or upon initial startup) I receive the following Error and Warning in the Application Event Log:

           Error:

      Message: User "ADTEST\svc_scsaccount" does not have the privileges required to execute the SCS Server.  Startup aborted.
      Source: AMTConfServer
      Event ID: 1

           Warning:

      Message: The connection with the server Database has been lost.
      Source: AMTConfServer
      Event ID: 1

       

      If I navigate to the site using my Administrator login or the AD Service account (http://localhost/amtscs, or http://testserver.domain.edu/amtscs) I get a 403 Forbidden error.

       

      Any thoughts?

       

      As a side note if anybody knows the answer to this question please let me know:

                Our environment consists of an LDAP server that controls DHCP (with Option 15) that serves out an address to a newly connected machine as:

                    testmachine.domain.edu

                Once the machine connects to the AD Domain the DNS suffix changes to:

                     testmachine.ad.domain.edu

                Our ProvisionServer will have the name such as:

                     testserver.ad.domain.edu

                     Note: This will have a DNS CNAME record of ProvisionServer.domain.edu (note there is no "ad" in the suffix)

       

      The question I have is if we purchase a VeriSign G1 or G3 certificate for ProvisionServer.domain.edu will a machine that connects to the network for the first time and has vPro send Hello packets to ProvisionServer establish trust between the server and the machine even though the suffixes are slightly different?

       

      -Adam