Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

KVM not working with TLS

Blair_Muller

Hey everyone,

I'm hoping you can help with another issue I'm having.

I am provisioning systems with SCS 8.1. When I provision a system without TLS, I can control the GUI of the client; however, when I provision a system with TLS, I cannot. I can power the workstation on and off. I can also get to the web GUI, but I cannot control the GUI.

Any ideas on how I can troubleshoot?

I have included screenshots and have tried to control the systems with multiple products:

  • KVM View integration with SCCM doesn't show the desktop; it stops at "using proxy 127.0.0.1:65352"
  • Management Commander Tool just sits at connect/abort connect
  • VNC Viewer Plus starts and gives the error "The connection closed unexpectedly"
  • I can log into the Web GUI and everything works with TLS
  • I can log into the Web GUI and everything works with TLS
20 Replies
Gael_H_Intel
It sounds like you haven't integrated your Certificates into the KVM feature via Real VNC. Can you use the KVM feature if you have not provisioned your system with TLS? Also, you aren't trying to start up the KVM Session on the local AMT Client, right?

Here are some resources that might help:
Look under the following folder: SDK Resources>KVM Application Developers Guide>Intel AMT SDK Support for KVM>Libraries>KVM Proxy Library
You could also try the Open Manageability DTK (very similar to the Commander.)
Also check out the RealVNC viewer docs online.
If all this fails, could you run the SCS Discovery Tool and attach the XML file?
Blair_Muller
Hi Gael,
Yes I can use the system if it is not provisioned with TLS.
I have also worked out that if I set the RFB Password I can control the system with TLS.
If I go to the Web GUI, the AD integration is working.
I tried unchecking the "Use currently logged on credentials" option so it will prompt me for an account to connect with, but it doesn't.
I put the information out there at http://blair-muller.blogspot.com.au/ and will update it when we have a solution, but I think there is an underlying issue, as I am told that the standard port and RFB Password options are for backwards compatibility with standard VNC clients. You'd typically only need to use those settings if you can't log in with an AMT Digest or Kerberos authorized account.
Blair_Muller
Attached are the Discovery results.
Outpost stated that TLS is disabled, but that doesn't make sense.
Gael_H_Intel
The RFB Password is not optional and it has to be exactly 8 characters (if going through port 5900). If you are accessing the KVM via the redirection ports then you do not need the RFB password.
Gael_H_Intel
Hi - No, I don't need the SCS Discovery anymore. I'll have to do some digging regarding the authentication checkbox. I have never run the tool without having that checked. I assumed you would have to have Kerberos set up in order to do that.
Blair_Muller
Thanks Gael. I did upload the results in the previous post. Sorry about that.
Interestingly enough, it is happening to systems that are provisioned with SCS 8.1 and also to systems provisioned with SCCM.
Regards,
Blair
Gael_H_Intel
Hello Blair - here is a little more information:

If using standard VNC clients for TLS connections, you will need to use Intel's proxy server (in the SDK). Are you using this proxy server?

Also, RFB only talks to port 5900, and that port does not support the TLS protocol.

On the Authentication Checkbox - you should have been prompted for credentials.

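The two replies above (the RFB Password only applying to port 5900, and port 5900 never carrying TLS while the redirection ports do) describe which Intel AMT listeners a KVM client can reach. The script below is an added example written for this thread, not Intel SDK or SCS code: it probes the standard AMT ports on a target, fingerprints the certificate presented on the TLS ports, and infers from the answering listeners whether the firmware is in TLS or non-TLS mode and which KVM client path is therefore usable. The target host name is a placeholder assumption; the port numbers are the standard AMT assignments.

```python
"""Probe Intel AMT service ports and infer the TLS mode and usable KVM paths.

Added example for this thread, not Intel SDK or SCS code. The host name used
under __main__ is an assumption (placeholder); the probe only runs when the
file is executed directly.
"""
import hashlib
import socket
import ssl

# Standard Intel AMT listener ports.
AMT_PORTS = {
    16992: "web UI / WS-Management, no TLS",
    16993: "web UI / WS-Management, TLS",
    16994: "redirection (SOL/IDE-R/KVM), no TLS",
    16995: "redirection (SOL/IDE-R/KVM), TLS",
    5900: "RFB/VNC compatibility port, no TLS, 8-character RFB Password",
}
TLS_PORTS = {16993, 16995}
PLAIN_PORTS = {16992, 16994}


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def peer_cert_fingerprint(host, port, timeout=2.0):
    """SHA-256 fingerprint of the certificate presented on a TLS port.

    Verification is disabled on purpose: this is a diagnostic that records
    what the device presents, not a trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def classify(open_ports):
    """Infer the AMT mode from the set of open ports.

    Returns "tls", "non-tls", "mixed" (both kinds of listener answered)
    or "none" (no AMT listener at all, e.g. unprovisioned or wrong host).
    """
    tls = TLS_PORTS & set(open_ports)
    plain = PLAIN_PORTS & set(open_ports)
    if tls and plain:
        return "mixed"
    if tls:
        return "tls"
    if plain:
        return "non-tls"
    return "none"


def kvm_paths(open_ports):
    """Which KVM client paths the open ports allow, per the replies above."""
    paths = []
    if 16995 in open_ports:
        paths.append("16995: TLS redirection, Digest/Kerberos auth, SDK KVM viewer or KVM proxy")
    if 16994 in open_ports:
        paths.append("16994: redirection without TLS, Digest/Kerberos auth")
    if 5900 in open_ports:
        paths.append("5900: standard VNC client, 8-character RFB Password, never TLS")
    return paths


def survey(host):
    """Probe every AMT port on host and return (open_ports, fingerprints)."""
    open_ports = {p for p in AMT_PORTS if probe_port(host, p)}
    fps = {}
    for port in TLS_PORTS & open_ports:
        try:
            fps[port] = peer_cert_fingerprint(host, port)
        except (OSError, ssl.SSLError) as exc:
            fps[port] = "handshake failed: %s" % exc
    return open_ports, fps


if __name__ == "__main__":
    target = "amt-client.example.internal"  # assumption: replace with a real AMT host
    ports, fingerprints = survey(target)
    print("open:", sorted(ports), "mode:", classify(ports))
    for port, fp in fingerprints.items():
        print("  %d cert sha256 %s" % (port, fp))
    for line in kvm_paths(ports):
        print("  KVM via", line)
```

If `classify` reports "non-tls" on a system the profile says was provisioned with TLS (the "Outpost stated the TLS is disabled" observation earlier in the thread), the TLS listeners are simply not up, and the 5900 path with an RFB Password is the only one that was ever going to work.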
Thanks Gael,

So I understand that by putting in the RFB Password I am actually bypassing TLS? Even if "Use TLS server authentication" is selected?

When I untick "Use currently logged on credentials" it actually just gives me the attached screen: "Failed to start viewer". It doesn't ask for any credentials.

Any idea on how to troubleshoot? Are there any logs or anything that can point me in the right direction?

In regards to the VNC question. I don't think I am using a proxy server, I tried to use VNC server as another means to test.

Gael_H_Intel
Hi Brian,
I too, wrote a blog for troubleshooting KVM and TLS issues. The more I started thinking about it the more confused I got so I put together a matrix that is in the blog. It covers which ports can be used, requirements for the viewers and for authentication.
I would say that if you are not being prompted for a password when the box is not checked, there may be a bug in the KVM Viewer. You should try it with the KVM Control utility that is in the SDK and see if you have the same issue.
Take a look at the blog along with the suggested trouble shooting tips and let me know if it answers any of your questions?
Thanks
Blair_Muller
Hey Gael,

Great work on the blog. It explains so much. I think it was needed and it will be referred to a lot. I will look into it and report back.

Thanks for all your help.

Blair_Muller

Hey Gael,

Does this refer to the Intel Client Setup Certificate at all?

The only other thing I can think of is that I'm using Windows 2008 R2 Standard for my CA. I see comments that say you must use an Enterprise version of the OS because you can't duplicate templates, but it seems you can now in the Standard version.

I have this setup in a development environment. Would you be happy to jump in and have a look? It's happening in my development and production environment.

I can send you more details offline.

Regards,
Blair
Gael_H_Intel
Is this a question about provisioning? Or is it still the TLS/KVM question?
mtpham

Hi Blair,

The Intel Client Setup Cert is used for remote configuration only.

There are two kinds of certificates that can be used for vPro:

1. The Provisioning certificate. This is acquired through a 3rd-party vendor like Go Daddy or VeriSign. We call this method "remote configuration". To answer your question above, the Client Setup Certificate is a part of this cert. It gets installed into the provisioning server's user certificate store. During provisioning this cert is matched against the hash on the AMT client system in the FW.
2. The second one is a cert created from the enterprise Certificate Authority. We refer to this as the TLS cert, used for secure communication when performing AMT remote operations after the system has been configured.

Questions that I have...

1. Your post title says KVM not working with TLS. Is the AMT device provisioned? The system must be configured before using our KVM feature.
2. Did you create the certificate template from the CA?
3. Is the template in your SCS provisioning profile?
4. Have you tried a profile without TLS to make sure the environment is functioning? If it is functioning, please try KVM without TLS. If this works, then we can focus on the TLS-from-CA part.

Note the KVM is only supported on AMT 6.0 and above.

Blair_Muller

Hi Guys,

How does IPv6 affect this solution? The reason I ask is that as soon as I turned off IPv6 the issue was fixed. As soon as the system registers an IPv6 address, the KVM fails.

Thanks very much for all your help. I started working backwards and these were my steps. For anybody else looking for the answer:

Re-installed the CA on an Enterprise version of the OS. No difference.

I provisioned the systems without TLS and could connect via IP address but not host name.

I turned off IPv6 and deleted the records, and I could connect via host name.

I provisioned the system with TLS and could connect using a Digest username and password.

I provisioned the system with AD integration and could connect using an AD username and account.

Regards,
Blair
Blair_Muller

Hi everyone,

I've blogged about it and my experience with vPro. You can check it out here: http://blair-muller.blogspot.com.au/2012/08/troubleshooting-kvm-control-of-vpro.html

Looking forward to working out the IPv6 issue.
Regards,
Blair
Gael_H_Intel
I'm glad it's (sort of) figured out. And I'm glad you are blogging about your experiences. I'm going to see if I can dig up what is going on with KVM and IPv6.
Gael_H_Intel
I'm not sure I caught everything from your steps above:
Removing the TLS piece: can you connect with KVM over IPv6 (with the host name)?
There is an interesting section in the docs; I don't know if you have found it.
Look under this section: Setup and Configuration of Intel AMT>Configuration Settings>Network Administration>Detailed Description>DDNS Settings

When a network supports Dynamic DNS (DDNS), Intel AMT will update the DNS server with its IP addresses. Intel AMT gets the DNS server IP either from DHCP or from a static setting. Intel AMT will update the DNS zone with both IPv4 and IPv6 addresses. The Intel AMT DDNS feature only supports forward look-up non-secure DNS zones. The DDNS mechanism works when Intel AMT has a dedicated FQDN (both IPv4 and IPv6 addresses) and also when it shares an FQDN with the host (IPv4 addressing only). Intel AMT does not support a configuration with shared FQDN + DDNS enabled + IPv6.

Starting with Release 6.0 the Intel AMT FQDN can be either shared (i.e., the same as the host FQDN) or dedicated. The Intel AMT FQDN consists of two fields: its host name and its domain name. When the FQDN is shared, both must be the same as the host. In a dedicated FQDN, at least one of the two fields must be different from the host.

The DDNS settings are part of the AMT_GeneralSettings object. See "Get DDNS Settings" and "Set/Get General Network Settings".

Blair_Muller

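The documentation quoted above gives a checkable rule set: an AMT FQDN is "shared" only when both its host name and its domain name equal the OS's, DDNS only updates forward look-up non-secure zones, and shared FQDN + DDNS + IPv6 is unsupported. The following is an added example written for this thread, not Intel SDK or SCS code: it models those fields, classifies the FQDN, reports the unsupported combinations, and derives the two configurations that would clear them (disable IPv6 on the AMT interface, or give AMT a dedicated FQDN). The dataclass field names, the "-amt" host-name suffix, and the sample configurations are assumptions for illustration.

```python
"""Check an Intel AMT network configuration against the DDNS rules quoted
in the reply above.

Added example for this thread, not Intel SDK code. Field names, the "-amt"
suffix used for a dedicated host name, and the sample values are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AmtNetConfig:
    amt_host_name: str
    amt_domain_name: str
    os_host_name: str
    os_domain_name: str
    ddns_enabled: bool
    ipv6_enabled: bool
    zone_secure_only: bool = False   # zone accepts only secure dynamic updates
    zone_is_reverse: bool = False    # relying on AMT to update a reverse zone


def fqdn_mode(cfg):
    """'shared' when both name fields equal the host's, otherwise 'dedicated'.

    DNS names are case-insensitive, so compare case-folded.
    """
    same_host = cfg.amt_host_name.casefold() == cfg.os_host_name.casefold()
    same_domain = cfg.amt_domain_name.casefold() == cfg.os_domain_name.casefold()
    return "shared" if same_host and same_domain else "dedicated"


def ddns_issues(cfg):
    """Return the list of rule violations; an empty list means supported."""
    issues = []
    if not cfg.ddns_enabled:
        return issues  # without DDNS, AMT never touches the zone
    if fqdn_mode(cfg) == "shared" and cfg.ipv6_enabled:
        issues.append("shared FQDN + DDNS + IPv6 is unsupported")
    if cfg.zone_secure_only:
        issues.append("AMT DDNS only updates non-secure zones")
    if cfg.zone_is_reverse:
        issues.append("AMT DDNS only updates forward look-up zones")
    return issues


def supported_variants(cfg):
    """Two ways out of the shared+DDNS+IPv6 corner; only variants that pass.

    The first keeps the shared name and drops IPv6 (what the thread author
    did); the second keeps IPv6 and gives AMT a dedicated host name.
    """
    candidates = [
        replace(cfg, ipv6_enabled=False),
        replace(cfg, amt_host_name=cfg.os_host_name + "-amt"),  # assumption: naming scheme
    ]
    return [c for c in candidates if not ddns_issues(c)]


# Sample configuration (constructed): shared FQDN, DDNS on, IPv6 on.
SAMPLE = AmtNetConfig(
    amt_host_name="WS-0042",
    amt_domain_name="corp.example.internal",
    os_host_name="ws-0042",
    os_domain_name="corp.example.internal",
    ddns_enabled=True,
    ipv6_enabled=True,
)

if __name__ == "__main__":
    print("FQDN mode:", fqdn_mode(SAMPLE))
    for issue in ddns_issues(SAMPLE):
        print("issue:", issue)
    for variant in supported_variants(SAMPLE):
        print("supported variant:", fqdn_mode(variant), "ipv6=%s" % variant.ipv6_enabled)
```

Run against an inventory export, `ddns_issues` picks out exactly the machines that will register an AAAA record under the host's name and then fail name-based KVM connections, which is the symptom reported in this thread.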
Hey Gael,

No, I cannot get to the host name when TLS is not configured. Only via its IP address.

I get the feeling from that reference that IPv6 is not supported? I also see it in here: Setup and Configuration of Intel AMT > Configuration Settings > Network Administration > Detailed Description > DDNS Settings

Regards,
Blair
Blair_Muller
Hi Everyone,
I've blogged about the solution, if you are running an IPv6 network.
Regards,
Blair