1 Reply Latest reply on Dec 2, 2014 7:34 PM by brunodom

    SCCM 2012 Kerberos Issue

    Robert.Charles

      Hello All,

       

      I am new to the area of OOB Management and am having some issues getting the SCCM Addon to work as described.

       

      I have successfully installed the Addon and have enabled the Task sequences. Everything seems to work. Intel ME says it is configured and SCCM sees the Controller. However, the AMT Status of SCCM shows detected.

      I have read in other locations that this indicates that SCCM cannot communicate with the controller.

       

      After extensive reading, the problem seems to be with Kerberos. I have configured the Profile with AD integration and TLS. I believe the problem may be with the SPN that needs to be configured. However, nowhere has much detail on that. Can anyone provide some guide or instructions on the Kerberos config for the AMT?

       

      I have configured the AMT provisioning accounts. But what AD account is used for communication by SCCM?

      This is the error log I am seeing:

      amtopmgr.log

      Start Kerberos Discovery               SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)
      Flag iWSManFlagSkipRevocationCheck is not set.                  SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)

      session params : https://AAA-xxx.xxx.edu:16993   ,  484001     SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)

      ERROR: Invoke(get) failed: 80020009argNum = 0                     SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)

      Description: Logon failure: unknown user name or bad password.  SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)

      Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)

      DoKerberosWSManDiscovery failed.                                        SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)

      Discovery to IP address 10.xxx.x.x succeed. AMT status is 1.     SMS_AMT_OPERATION_MANAGER    12/2/2014 4:43:43 PM    6116 (0x17E4)

       

      Thank You in advance for any help that can be provided.

      -Robert

        • 1. Re: SCCM 2012 Kerberos Issue
          brunodom

          You are right. Unfortunately, Kerberos in this condition doesn't work out of the box.

          First of all, you have to tell Windows to allow sending Kerberos tickets over a non-80 port, and in order to do that, you must create these two registry entries (32-bit and 64-bit): http://support.microsoft.com/kb/908209

          Besides this configuration, you must also make sure that in your IE you have your DNS suffix in the Intranet Zone (Internet Options -> Security -> Local Intranet -> Sites), e.g. intel.com, and also, in "Custom Level...", you must have this option checked:

           

          customlevel.PNG

           

          You should be able to connect to your vPro machine using Kerberos from IE in order to make sure that it's working, just by pointing your IE to the vPro machine, e.g. http://vpromachine.intel.com:16992 or https://vpromachine.intel.com:16993

           

          My two cents!

          -Bruno Domingues
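
The checks below are an added example, not part of the original thread and not Intel or Microsoft tooling: a read-only PowerShell script that verifies the KB 908209 registry value in both registry views, looks up the port-qualified SPNs in AD, and tests the AMT ports. The host name is a placeholder, and the value name `iexplore.exe` and the `HTTP/<fqdn>:<port>` SPN form are assumptions taken from the KB article rather than from this thread.

```powershell
# Added example: read-only checks for the settings described in the reply.
# Placeholder host name; replace with the FQDN of your AMT machine.
$AmtFqdn = 'vpromachine.example.com'
$Ports   = 16992, 16993   # AMT HTTP / HTTPS ports mentioned in the thread

# 1. KB 908209 feature value, in the 64-bit and 32-bit registry views.
#    Value name 'iexplore.exe' is an assumption taken from the KB article.
$feature = 'Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$views = [ordered]@{
    '64-bit' = "HKLM:\SOFTWARE\$feature"
    '32-bit' = "HKLM:\SOFTWARE\Wow6432Node\$feature"
}
foreach ($view in $views.GetEnumerator()) {
    $item  = Get-ItemProperty -Path $view.Value -Name 'iexplore.exe' -ErrorAction SilentlyContinue
    $value = if ($item) { $item.'iexplore.exe' } else { $null }
    $state = if ($value -eq 1) { 'OK (port is included in the SPN)' } else { 'MISSING or not 1' }
    '{0} view: {1}' -f $view.Key, $state
}

# 2. Port-qualified SPNs on the AMT object in AD.
#    The HTTP/<fqdn>:<port> form is an assumption: it is the SPN the client
#    requests once the KB 908209 value is set.
foreach ($port in $Ports) {
    $spn = "HTTP/${AmtFqdn}:$port"
    "Looking up $spn"
    & setspn.exe -Q $spn
}

# 3. TCP reachability of the AMT ports from this machine.
foreach ($port in $Ports) {
    $r = Test-NetConnection -ComputerName $AmtFqdn -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable: {2}' -f $AmtFqdn, $port, $r.TcpTestSucceeded
}
```

Run it on the machine that initiates the Kerberos connection; a missing registry value or an SPN that is not found narrows down where the "Logon failure" in amtopmgr.log comes from.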