Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

AMT Web UI - SCCM Provisioned

MFish7
Novice
2,021 Views

Hi all!

I am having difficulty obtaining access to the Web UI on an SCCM provisioned device. I can successfully reach the Web UI at https://FQDN:16993

When i try to login however, the AMT Accounts i specified in SCCM are not working. I found a post by Trevor at http://communities.intel.com/thread/3037 outlining a similar situation. I have tried logging into the web ui from the SCCM server without success. I have tried inputing the registry key required by the KB article but that did not work as well. I have confirmed that the Kerberos ticket IS issued however the ticket is issued to an SPN of HTTP/FQDN and not HTTP/FQDN:PORT. Is this correct?

example

HTTP/laptop.domain.com instead of HTTP/laptop.domain.com:16993

I have verified that the SPN's for the OOB object in AD (created during the provision process) contains SPN's for 16992,16993,16994,16995

I have included a network sniff below showing what is going on. Anybody experience this at all?

Kerberos TGS-REP

 

Record Mark: 1460 bytes

 

0... .... .... .... .... .... .... .... = Reserved: Not Set

 

.000 0000 0000 0000 0000 0101 1011 0100 = Record Length: 1460

 

Pvno: 5

 

MSG Type: TGS-REP (13)

 

Client Realm: DOMAIN.COM

 

Client Name (Principal): amtadmin

 

Name-type: Principal (1)

 

Name: amtadmin

 

Ticket

 

Tkt-vno: 5

 

Realm: DOMAIN.COM

 

Server Name (Service and Instance): HTTP/laptop.domain.com

 

Name-type: Service and Instance (2)

 

Name: HTTP

 

Name: laptop.domain.com

 

enc-part rc4-hmac

 

enc-part rc4-hmac
3 Replies
MFish7
Novice
535 Views

http://support.microsoft.com/kb/908209 This scarcely documented registry key IS REQUIRED however when i had input the key previously, i incorrectly setup a DWORD of iexplore instead of the correct value of iexplore.exe.

BTW im on a Windows 2008 server with Internet Explorer 7. You would think M$ would have adressed this issue by now

0 Kudos
idata
Employee
535 Views

Yeah, it's required for all versions of Internet Explorer, including IE8 on Windows 7.

Cheers,

Trevor Sullivan

idata
Employee
535 Views

Hi,

I am having the exact same issue... I have imported that reg key from the hotfix but it's made no difference (only using server 2008 / Win7 machines)

I can use the OOBConsole and power commands from the SCCM console without issue, but i cannot connect to the WebUI.

I tried the troubleshooting steps here (/thread/3037 http://communities.intel.com/thread/3037) but when I got to the packet capture stuff, I didn't know what to look for.

It's almost as if the user account I'm trying to log in with has not been configured on the AMT device....I have added users directly, not AD groups, to the "AMT User Accounts" section in the "AMT Settings" tab of the OOBManagement component in SCCM

Question: Are the user accounts you configure in the SCCM console for the OOBConsole access also used for WebUI access?

Thanks for your help,

Rus

0 Kudos
Reply