<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic HLAPI: Digest authentication with mutual TLS in Intel vPro® Platform</title>
    <link>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281539#M3255</link>
    <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am trying to use the Intel AMT HLAPI to make a connection to an AMT 11.0 device that has been provisioned to use &lt;B&gt;Digest authentication&lt;/B&gt; and &lt;B&gt;mutual TLS&lt;/B&gt;.&lt;/P&gt;&lt;P&gt;The machine I am connecting from has a valid certificate for mutual TLS, the subject is CN=.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am using the Sample HLAPI project from Intel, and have also access to the HLAPI in debug.&lt;/P&gt;&lt;P&gt;I defined the connection as follows:&lt;/P&gt;&lt;P&gt; &lt;B&gt;ci = new ConnectionInfoEX("&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", "&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", "&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", true, "CN=&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", ConnectionInfoEX.AuthMethod.Digest, null, null, null);&lt;/B&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;It works fine if I connect to an AMT 6.1 machine provisioned from the same SCS with the same settings.&lt;/B&gt;&lt;/P&gt;&lt;P&gt;However, if I try to connect the same way to the AMT 11 machine (just change the target machine FQDN in the above ConnectioInfoEx), it fails in GetVersionWSMan() in AMTInstanceManager line 922. Exception is:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;{Intel.Management.Wsman.WsmanConnectionException: &lt;B&gt;Server unexpectedly disconnected&lt;/B&gt; ---&amp;gt; Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.HttpTransport.GetResponse(String method)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc, String soapCmd)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.RetryLoop(XmlDocument reqDoc, Exception&amp;amp; resultExp)&lt;/P&gt;&lt;P&gt;   --- End of inner exception stack trace ---&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.SendObjectRequest(String msgId, XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(String requestString, IManagedReference refObj, IManagedInstance input)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.ManagedReference.Get()&lt;/P&gt;&lt;P&gt;   at Intel.Manageability.Impl.AMTInstanceManager.GetVersionWSMan() in &lt;A&gt;f:\AMT_SDK_11.6.0.7\Windows\High&lt;/A&gt; Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 922&lt;/P&gt;&lt;P&gt;   at Intel.Manageability.Impl.AMTInstanceManager.SetVersionInfo() in &lt;A&gt;f:\AMT_SDK_11.6.0.7\Windows\High&lt;/A&gt; Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 868}&lt;/P&gt;&lt;P&gt;System.Exception {Intel.Management.Wsman.WsmanConnectionException}&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does anyone have any idea how I could find out the cause of this issue? Thanks in advance.&lt;/P&gt;</description>
    <pubDate>Wed, 05 Apr 2017 13:34:35 GMT</pubDate>
    <dc:creator>idata</dc:creator>
    <dc:date>2017-04-05T13:34:35Z</dc:date>
    <item>
      <title>HLAPI: Digest authentication with mutual TLS</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281539#M3255</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am trying to use the Intel AMT HLAPI to make a connection to an AMT 11.0 device that has been provisioned to use &lt;B&gt;Digest authentication&lt;/B&gt; and &lt;B&gt;mutual TLS&lt;/B&gt;.&lt;/P&gt;&lt;P&gt;The machine I am connecting from has a valid certificate for mutual TLS, the subject is CN=.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am using the Sample HLAPI project from Intel, and have also access to the HLAPI in debug.&lt;/P&gt;&lt;P&gt;I defined the connection as follows:&lt;/P&gt;&lt;P&gt; &lt;B&gt;ci = new ConnectionInfoEX("&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", "&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", "&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", true, "CN=&lt;/B&gt;&lt;I&gt;&lt;B&gt;&lt;/B&gt;&lt;/I&gt;&lt;B&gt;", ConnectionInfoEX.AuthMethod.Digest, null, null, null);&lt;/B&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;It works fine if I connect to an AMT 6.1 machine provisioned from the same SCS with the same settings.&lt;/B&gt;&lt;/P&gt;&lt;P&gt;However, if I try to connect the same way to the AMT 11 machine (just change the target machine FQDN in the above ConnectioInfoEx), it fails in GetVersionWSMan() in AMTInstanceManager line 922. Exception is:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;{Intel.Management.Wsman.WsmanConnectionException: &lt;B&gt;Server unexpectedly disconnected&lt;/B&gt; ---&amp;gt; Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.HttpTransport.GetResponse(String method)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc, String soapCmd)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.RetryLoop(XmlDocument reqDoc, Exception&amp;amp; resultExp)&lt;/P&gt;&lt;P&gt;   --- End of inner exception stack trace ---&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.SendObjectRequest(String msgId, XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(String requestString, IManagedReference refObj, IManagedInstance input)&lt;/P&gt;&lt;P&gt;   at Intel.Management.Wsman.ManagedReference.Get()&lt;/P&gt;&lt;P&gt;   at Intel.Manageability.Impl.AMTInstanceManager.GetVersionWSMan() in &lt;A&gt;f:\AMT_SDK_11.6.0.7\Windows\High&lt;/A&gt; Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 922&lt;/P&gt;&lt;P&gt;   at Intel.Manageability.Impl.AMTInstanceManager.SetVersionInfo() in &lt;A&gt;f:\AMT_SDK_11.6.0.7\Windows\High&lt;/A&gt; Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 868}&lt;/P&gt;&lt;P&gt;System.Exception {Intel.Management.Wsman.WsmanConnectionException}&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does anyone have any idea how I could find out the cause of this issue? Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Apr 2017 13:34:35 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281539#M3255</guid>
      <dc:creator>idata</dc:creator>
      <dc:date>2017-04-05T13:34:35Z</dc:date>
    </item>
    <item>
      <title>Re: HLAPI: Digest authentication with mutual TLS</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281540#M3256</link>
      <description>&lt;P&gt;Update:&lt;/P&gt;&lt;P&gt;I realized that I had forgotten to add the hash of the Root CA certificate in the MEBx hash list on the AMT 11 device, so I did that as well.&lt;/P&gt;&lt;P&gt;I noticed all the default hashes entered there are sha256, my certificate is sha1. Could that have anything to do with my issue?&lt;/P&gt;&lt;P&gt;On the AMT 6 machine (the one that works), also the default hashes are from sha1 certificates.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After adding the hast, still no change:&lt;/P&gt;&lt;P&gt;- it doesn't work from the HLAPI sample project&lt;/P&gt;&lt;P&gt;- it also doesn't work from the vProPlatformSolutionManager.exe application (found under AMT_SDK_11.6.0.7\Windows\Intel vPro Platform Solution Manager\Source Code\Bin)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, through the web access, &lt;B&gt; &lt;A href="https://:16993"&gt;https://:16993&lt;/A&gt;&lt;/B&gt;, it works. I get a prompt to choose the certificate (only my Mutual TLS certificate shows up in the list, the same one I used in the HLAPI sample project and the Intel sample app), I select it, then I get prompted to login, I enter the digest user (the same one I tried in the HLAPI project and the Intel sample app), and it connects.&lt;/P&gt;&lt;P&gt;I removed the hast from MEBx, re-provisioned the system with digest with mutual TLS (so I am back to the state from yesterday), and the web access still works!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So now my question is: &lt;B&gt;why is it necessary to add the has of the root CA to the MEBx hash list&lt;/B&gt;? What should not work if it's not added? Because without the hash, I tried both digest with TLS, which worked from all 3 methods (HLAPI, Intel sample app and web access), and mutual TLS, which at least works on web access.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 14:57:08 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281540#M3256</guid>
      <dc:creator>idata</dc:creator>
      <dc:date>2017-04-06T14:57:08Z</dc:date>
    </item>
    <item>
      <title>Re: HLAPI: Digest authentication with mutual TLS</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281541#M3257</link>
      <description>&lt;P&gt;Anitallica&lt;/P&gt;&lt;P&gt;We've been looking over your post.  Would like to request that you open a ticket so that we can get your contact information here:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.intel.com/content/www/us/en/support/contact-support.html"&gt;http://www.intel.com/content/www/us/en/support/contact-support.html&lt;/A&gt; Contact Support &lt;A href="https://sfederation.intel.com/federation/Init_Salesforce_ISVC.asp?RelayState=/supportrequest?lang=en-US"&gt;https://sfederation.intel.com/federation/Init_Salesforce_ISVC.asp?RelayState=/supportrequest?lang=en-US&lt;/A&gt; &lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Select AMT and open service request and fill out details.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 15:42:06 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281541#M3257</guid>
      <dc:creator>MichaelA_Intel</dc:creator>
      <dc:date>2017-04-06T15:42:06Z</dc:date>
    </item>
    <item>
      <title>Re: HLAPI: Digest authentication with mutual TLS</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281542#M3258</link>
      <description>&lt;P&gt;Thanks for the reply, I opened a case now. Will give an update if the issue gets solved.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Apr 2017 07:33:39 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/HLAPI-Digest-authentication-with-mutual-TLS/m-p/281542#M3258</guid>
      <dc:creator>idata</dc:creator>
      <dc:date>2017-04-07T07:33:39Z</dc:date>
    </item>
  </channel>
</rss>

