Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

AMT provisioned machines becoming unauthorized

DWebb
Novice
2,789 Views

Hi,

I not sure if this is something that I should be asking here or on the HP support site. We have 48 HP EliteDesk 800 G2 DM 65W mini desktop machines. I provisioned them all with a very basic profile and they have been working and responding correctly to AMT commands. However after a time some of the machines became unauthorized and the only way to fix this was to reset the AMT in the BIOS to un-provisioned and then provision them again.

Does anybody have any idea why the machines are becoming unauthorized?

Thanks

8 Replies
Dariusz_W_Intel
Employee
1,265 Views

Your AMT management SW can't access Intel AMT - can't authorize due to :

  • AMT user password and/or user name is not valid or was changed via other means (by other person over ex AMT Legacy Web Ui, or too simple and hacked by brute force).
  • if AD integration was used - Kerberos AMT objects (with $iME suffix) may be manually modified, removed (by AD cleaning sctript/tool), moved to different OU, Kerberos password for this object expired, AMT internal time and AD time differ by more than 5min 00 sec. AMT FQDN does not match OS FQDN anymore - OS FQDN may be changed without reconfiguring AMT.

     

    If other management console is used required Registry keys for Kerberos over non standard port are not installed for Legacy WebUi use with MS Internet Explorer.
  • if TLS is used - AMT TLS cert expired or AMT FQDN does not match OS FQDN anymore - OS FQDN may be changed without reconfiguring AMT- so connection to OS FQDN is trying to use AMT FQDN (differnet) TLS cert that is not trused for this connection name.

Try to use system actual IP addres in the IE (not Edge) with Integrated AD authnetication beeing disabled - use defined AMT Digest Adminstrator (admin) password to connect.

 

If you will see certificate error - accept it and check cert CN vs AMT FQDN in AMT Legacy WebUi vs OS FQDN - get them in synch by reconfiguring AMT again.

rgds

Dariusz Wittek

 

Intel EMEA Biz Client Solution Architect
0 Kudos
DWebb
Novice
1,265 Views

Hi,

I've written a little powershell script to subscribe to events from the AMT. If someone changes an AMT user or password then an event should be generated and passed on. Is this correct?

Some of this hardware/firmware is flaky! I was trying to reinstall the drivers and the error platform not supported was being shown. The resolution was to remove the power supply and plug it in again. However most of the machines just become unauthorized and so far I've not seen any Security Alert messages.

The script is

[CmdletBinding()] param([Parameter(Mandatory=$True,Position=1)][string]$hostname) # write-host "host name is $hostname" $username="admin" $password="password" $lstn = "http://myhost:999" Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\HLAPI.dll' Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\IWSManClient.dll' $auth = [Intel.Manageability.ConnectionInfoEX+AuthMethod]::Digest $cs = New-Object Intel.Manageability.ConnectionInfoEX($hostname,$username,$password,$False,"",$auth,$null,$null,$null) Try { $amt = [Intel.Manageability.AMTInstanceFactory]::CreateEX($cs) } Catch { write-host "Cannot connect to $hostname : $_.Exception.Message" -ForegroundColor Red Break } $wsfilter = [Intel.Manageability.Events.FilterName]::All $sidtype = [Intel.Manageability.Events.SenderIDType]::FQDN # $sidtype = [Intel.Manageability.Events.SenderIDType]::CurrentAddress $sip = [Intel.Manageability.Events.SenderIDPlacing]::HTTPHeader $sub = New-Object Intel.Manageability.Events.Subscription($lstn,$wsfilter,$sidtype) $sub.SenderIDPlacing = $sip $subs = $amt.Events.WSEvents.EnumerateSubscriptions() If (@($subs).length -gt 1) { write-host "$hostname subscribed to" @($subs).length subscriptions -ForegroundColor Yellow $amt.Events.WSEvents.UnSubscribeAll() $subs = $amt.Events.WSEvents.EnumerateSubscriptions() } If (@($subs).length -eq 1) { write-host "$hostname already subscribed to"$subs[0].ListenerAddress -ForegroundColor Yellow } ElseIf (@($subs).length -lt 1) { write-host "$hostname subscribed to $lstn" -ForegroundColor Green $amt.Events.WSEvents.Subscribe($sub) }

The listening script is:

Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\HLAPI.dll' Add-Type -Path 'C:\Program Files\Intel Corporation\Intel(R) vPro(tm) Platform Solution Manager\Bin\IWSManClient.dll' $listener = New-Object HLAPI.Services.WSEventListener([IPAddress]::Any,'999') Register-ObjectEvent $listener OnNewEventArrived -SourceIdentifier $listener.OnNewEventArrived -Action { $Result = "" + $Event.SourceEventArgs.Sender + "; " ` + $Event.SourceEventArgs.EventData.AlertType + "; " ` + $Event.SourceEventArgs.EventData.IndicationFilterName + "; " ` + $Event.SourceEventArgs.EventData.IndicationTime.ToString("yyyy-MM-dd HH:mm:ss") + "; " ` + $Event.SourceEventArgs.EventData.MessageDescription write-host $Result $Result | Out-File .\messages.log -Append } $listener.StartListening()

The scripts seem to work.

0 Kudos
Dariusz_W_Intel
Employee
1,265 Views

Duncan,

if disconnecting power helps at least partially it may mean you have pretty old version of ME FW - there may be some bugs that are already fixed.

Please check OEM support download site for ME FW update packages.

0 Kudos
DWebb
Novice
1,265 Views

Hi Dariusz,

How old is pretty old?

HPs latest BIOS is 02.20 but cannot be downgraded, but I believe 11.0.0.1205 is the latest ME firmware.

I don't think that AMT is sending a SecurityAlerts when the admin password is changed - reckon it should be.

C:\config-amt>amt_version.py

chzrhpmd001 10.30.32.60 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd002 10.30.32.14 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd003 10.30.32.27 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd004 10.30.32.15 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd005 10.30.32.148 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd006 10.30.32.149 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd007 10.30.32.53 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd008 10.30.32.51 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd009 10.30.32.150 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd010 10.30.32.75 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd011 10.30.37.164 no ping response

chzrhpmd012 10.30.32.155 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd013 10.30.32.153 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd014 10.30.32.135 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd015 10.30.32.40 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd016 10.30.32.158 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd017 10.30.32.160 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd018 10.30.32.42 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd019 10.30.32.162 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd020 10.30.32.43 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd021 10.30.32.52 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd022 10.30.32.166 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd023 no ip address

chzrhpmd024 10.30.32.24 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd025 10.30.32.129 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd026 10.30.32.21 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd027 10.30.32.47 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd028 10.30.32.183 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd029 10.30.32.57 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd030 10.30.32.187 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd031 10.30.32.181 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd032 10.30.32.68 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd033 10.30.32.190 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd034 10.30.32.195 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd035 10.30.32.164 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd036 10.30.32.38 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd037 10.30.32.198 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd038 10.30.32.196 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd039 10.30.32.197 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd040 10.30.33.12 N21 Ver. 02.19 06/01/2016 11.0.0.1205

chzrhpmd041 10.30.32.30 N21 Ver. 02.19 06/01/2016 11.0.0.1205

Kind regards

Duncan

0 Kudos
DWebb
Novice
1,265 Views

Hi Dariusz,

The profile is really basic, no TLS and no AD integration, just user name and password over http. We have the 48 mini desktops in a secure room about 3m from the ground. People connect to these machines using thin clients and Citrix. It is possible that someone is messing around changing the passwords but I don't think so. These machines have been doing this from the start of configuring them and even before they have been deployed to the server room.

Other workstation models don't seem to be having the same problem but it is difficult to confirm as you only find out when needing to access them. I have written a script to check the 40+ machines in the secure room that we can still connect but not for other machines.

Is there anything else I can try like add a second admin user to see if it is just admin that is becoming de-authorized?

Thanks and kind regards

Duncan

0 Kudos
DWebb
Novice
1,265 Views

Hi,

Some more information.

I created an additional administrator on the AMT for the first set of machine. Today 18 machines changed state to unauthorized and this also affected the second administrator. I really don't believe that a person was logging into the AMT of 18 machines and changing the password of the admin account and deleting the second administrator.

I'm wondering two things:

1) How to automate adding a second user with the HLAPI (there seem to be very few examples of using the HLAPI and the reference documentation does not help)

2) Are there any events that are sent when someone logs onto or fails to log onto the AMT interface.

I'm seeing a few messages like:

CommunicationsAlert; Intel(r) AMT:AllEvents; The LAN has been connected.

and am wondering what is causing these (the machines are not being powered off or rebooted).

When a machine is rebooted I'm seeing a couple of messages like:

SecurityAlert; Intel(r) AMT:AllEvents; The computer system Managed System has detected a pre-boot user password violation.

A few seconds before the LAN connected message.

Any ideas?

Thanks and regards,

Duncan

0 Kudos
YOrlo1
Beginner
1,265 Views

Hello!

I have same problem. 8 of 9 provisioned machines become Unauthorized. I can manage only one.

All this PC in another city.

Motherboard: http://www.gigabyte.ru/products/page/mb/ga-q170m-d3hrev_10/overview/ Gigabyte Q170-DH3

Processor: http://ark.intel.com/products/88184/Intel-Core-i5-6500-Processor-6M-Cache-up-to-3_60-GHz Intel® Core™ i5-6500 Processor (6M Cache, up to 3.60 GHz) Specifications

Help me!

0 Kudos
SFeld1
Beginner
1,265 Views

Hello,

we have the same issue. HP 800 G2 Computers become Unauthorized which is really bad because we do a lot of remote Administration...

Any Ideas?

0 Kudos
Reply