I'm hoping you can help with another issue I'm having.
I am provisioning systems with SCS 8.1. When I provision a system without TLS I can control the GUI of the client; however, when I provision a system with TLS I cannot. I can power on and off the workstation. I can also get to the web GUI; however, I cannot control the GUI.
Any ideas on how I can troubleshoot?
I have included screen shots and have tried to control the systems with multiple products:
If using standard VNC clients for TLS connections, you will need to use Intel's proxy server (in the SDK - are you using this proxy server?)
Also RFB only talks to 5900 port and that port does not support TLS protocol.
On the Authentication Checkbox - you should have been prompted for credentials.
So I understand putting in the RFB password, I am actually bypassing TLS? Even if Use TLS server authentication is selected?
When I untick Use currently logged on credentials it actually just gives me the attached screen. Failed to start viewer. It doesn't ask for any credentials.
Any idea on how to troubleshoot? Are there any logs or anything that can point me in the right direction?
In regards to the VNC question. I don't think I am using a proxy server, I tried to use VNC server as another means to test.
Great work on the Blog. It explains so much. I think it was needed and it will be referred to a lot. I will look into it and report back.
Thanks for all your help
Does this refer to the Intel Client Setup Certificate at all?
The only other thing I can think of is that I'm using Windows 2008 R2 Standard for my CA. I see comments that say you must use an enterprise version of the OS because you can't duplicate templates but it seems you can now in standard version.
I have this setup in a development environment. Would you be happy to jump in and have a look? It's happening in my development and production environment.
I can send you more details offline.
Regards,
The Intel Client Setup Cert is used for remote configuration only.
There are two methods of certificates that can be used for vPro:
1) The Provisioning certificate: This is acquired through a 3rd party vendor like Go Daddy or VeriSign. We call this method "remote configuration". To answer your question above, the Client Setup Certificate is a part of this cert. It gets installed into the provisioning server's user certificate store. During provisioning this cert is matched against the hash on the AMT client system in the FW.
2) The second one is a cert created from the enterprise Certificate Authority. We refer to this as the TLS cert used for secure communication when performing AMT remote operations after the system has been configured.
Questions that I have...
1. Your post title says KVM not working with TLS. Is the AMT device provisioned? The system must be configured before using our KVM feature.
2. Did you create the certificate template from the CA?
3. Is the template in your SCS provisioning profile?
4. Have you tried a profile without TLS to make sure the environment is functioning? If it is functioning please try KVM without TLS. If this works then we can focus on the TLS from CA part.
Note the KVM is only supported on AMT 6.0 and above.
How does IPV6 affect this solution? The reason why I ask is because as soon as I turned off IPV6 the issue was fixed. As soon as the system registers an IPV6 address the KVM fails.
Thanks very much for all your help. I started working backwards and these were my steps. For anybody else looking for the answer:
Re-installed the CA on an Enterprise version of the OS. No difference
I provisioned the systems without TLS and could connect via IP address but not host name.
I turned off IPV6 and deleted the records and I could connect via Host Name.
I provisioned the system with TLS and could connect using a Digest username and password.
I provisioned the system with AD integration and could connect using an AD username and account.
Regards,
I've blogged about it and my experience with VPro. You can check it out here: http://blair-muller.blogspot.com.au/2012/08/troubleshooting-kvm-control-of-vpro.html
Looking forward to working out the IPV6 issue.
When a network supports Dynamic DNS (DDNS), Intel AMT will update the DNS server with its IP addresses. Intel AMT gets the DNS server IP either from DHCP or from a static setting. Intel AMT will update the DNS zone with both IPv4 and IPv6 addresses. The Intel AMT DDNS feature only supports forward look-up non-secure DNS zones. The DDNS mechanism works when Intel AMT has a dedicated FQDN (both IPv4 and IPv6 addresses) and also when it shares an FQDN with the host (IPv4 addressing only). Intel AMT does not support a configuration with shared FQDN + DDNS enabled + IPv6.
Starting with Release 6.0 the Intel AMT FQDN can be either shared (i.e., the same as the host FQDN) or dedicated. The Intel AMT FQDN consists of two fields: its host name and its domain name. When the FQDN is shared, both must be the same as the host. In a dedicated FQDN, at least one of the two fields must be different from the host.
No I cannot get to the host name when TLS is not configured. Only via its IP address
I get the feeling from that reference that IPV6 is not supported? I also see it in here. Setup and Configuration of Intel AMT > Configuration Settings > Network Administration > Detailed Description > DDNS Settings
Regards,
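
Added example, not part of the thread and not Intel code: a Python check that applies the shared/dedicated FQDN rule and the unsupported "shared FQDN + DDNS enabled + IPv6" combination quoted above to the addresses a name resolves to. The function names, host names and addresses are constructed for illustration; `resolve()` uses port 5900 only because that is the port mentioned in the thread.

```python
import socket

def fqdn_mode(amt_host, amt_domain, os_host, os_domain):
    """'shared' when both FQDN fields equal the host's, else 'dedicated'."""
    same = (amt_host.lower() == os_host.lower()
            and amt_domain.lower() == os_domain.lower())
    return "shared" if same else "dedicated"

def split_by_family(addrinfo):
    """Split getaddrinfo() results into sorted IPv4 and IPv6 address lists."""
    v4 = sorted({ai[4][0] for ai in addrinfo if ai[0] == socket.AF_INET})
    v6 = sorted({ai[4][0] for ai in addrinfo if ai[0] == socket.AF_INET6})
    return v4, v6

def diagnose(mode, ddns_enabled, addrinfo):
    """Return findings for the combination the quoted text calls unsupported."""
    v4, v6 = split_by_family(addrinfo)
    findings = []
    if mode == "shared" and ddns_enabled and v6:
        findings.append("unsupported: shared FQDN + DDNS + IPv6 ("
                        + ", ".join(v6) + ")")
    if not v4:
        findings.append("no IPv4 record for this name")
    return findings

def resolve(name, port=5900):
    """Live lookup from the management console; needs working DNS."""
    return socket.getaddrinfo(name, port, proto=socket.IPPROTO_TCP)

# Constructed sample: what a console might get back for a name that has
# both an A and an AAAA record (documentation address ranges).
SAMPLE = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 5900)),
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 5900, 0, 0)),
]

if __name__ == "__main__":
    mode = fqdn_mode("pc01", "example.test", "pc01", "example.test")
    print(mode)
    for finding in diagnose(mode, True, SAMPLE):
        print(finding)
```

Replace `SAMPLE` with `resolve("<amt-fqdn>")` to run the same check against live DNS.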