Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

Configuration job failing - A mandatory parameter is missing or empty (OSHostName).

ITerl
Beginner
2,905 Views

Hi,

I'm configuring Intel SCS console 9.1.2 to provision amt devices.

I provisioned our test systems in admin mode using ACU_Wizard in windows with xml profile exported from SCS.

Everything was ok (I can see the system in the SCS monitoring) except the Configuration Profile was not set.

I tried to create a job (operation configuration) with the same profile to push it to all systems but it fails with this error:

Operation: Reconfiguration

Date and Time: 20.11.2014. 13:29:12

Error Code: 3221225979

Severity: Failure

UUID: 5D06FE00-85CF-11E2-8634-B4B52FC958A5

Intel AMT FQDN: HRVcdPulaITE.calucem.local

Intel AMT IPv4: 10.243.3.33

Server Name: HRVvsPula040.calucem.local

Description: A mandatory parameter is missing or empty (OSHostName).

The given profile require OSHostName.

My profile have optional settings:

- AD integration enabled (Always use the OS host name checked)

- ACL enabled (ad group and 2 ad users (including myself) added to the list)

- TLS enabled (CA is our CA server with server certificate template AMTRemoteConfiguration, CN in certificate: Default CNs)

System settings

- Edit IP and FQDN settings:

- Use the following as FQDN: tried "primary dns fqdn" and AD FQDN

- The device and OS will have the same FQDN (checked)

- Source of the IP set to Get the IP from DHCP

- DNS set to Update the DNS directly or via DHCP option 81

I don't know if it's related to this but it looks like the kerberos auth is not working. When I try to connect to a test system using vnc client (encryption: TLS, connection mode: INTEL AMT KVM), it doesn't accept my domain account but asks me username and password for amt admin. If I enter it, I can connect successfully.

I also noticed that if I start the acuconfig on the amt system to force it to pick up my profile, it works (but kerberos is still not working). After that I can see the profile applied in the SCS for that specific system.

I'm using this command:

ACUConfig ConfigViaRSConly RSC_Server_IP Profile_Name

What am I doing wrong?

Regards,

Igor

0 Kudos
10 Replies
Bruno_Domignues
Employee
1,135 Views

Igor,

You must trigger the provision from client machine as you are doing with ACUConfig, because it's the way that you can capture machine parameters for provisioning, such as OS Host Name and IP address configurations.

You kerberos problem can be solved with some further configuration on server/console side:

- In IE, goes to Internet Options -> Security tab -> highlight "Local intranet" -> click on "Sites" -> Advanced -> include in this list your DNS suffix, e.g. http://*.intel.com http://*.intel.com and https://*.intel.com https://*.intel.com - in order that all machines in your domain can be recognized as Local Intranet;

- Still on security tab, click on "Custom level..." and under "User Authentication" section, mark "automatic logon with current user name and password";

- In Advanced tab, make sure that "Enable Integrated Windows Authentication" is checked.

Also, by default, Windows does not allow use kerberos ticket over a port that is not 80, so you have to create these two registry entries to allow:

http://support.microsoft.com/kb/908209 Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard po… - one for 32bits and one for 64bits, create these 2 if you Windows 64bits.

Now you probably will be able to test kerberos using IE, you must call using FQDN name, e.g. http://vpromachine.intel.com:16992 http://vpromachine.intel.com:16992 or https://vpromachine.intel.com:16993 https://vpromachine.intel.com:16993

Best Regards!

-Bruno Domingues

0 Kudos
ITerl
Beginner
1,135 Views

Hi Bruno,

Thank you for your answer.

If I understood you correctly, if I have to modify the profile (ex. add another domain user to amt device access list), after modifying the profile, I have to trigger the provisioning from client machine?

I don't understand what's the purpose of the configuration jobs on SCS if that doesn't work and I have to trigger it from client machine .

Yes, I can do it regularly using group policy but it's not a nice solution

Regarding kerberos, I just found some topic on the internet regarding this problem and they said that vnc client (realvnc) doesn't work with ad groups (only users).

So I added my user to profile's access list, provisioned it using ACUConfig and purged the kerberos tickets on my box (klist purge).

After that it started to work. Now I can connect using kerberos

So it must be some issue with ad groups.

0 Kudos
Bruno_Domignues
Employee
1,135 Views

Igor,

You must use ACUConfig.exe for provisioning, after this point, you can use Jobs in RCS to update ACL, but the very first must be done by ACUConfig.

In fact, https://www.realvnc.com/products/viewerplus/ VNC Viewer Plus works perfectly with AD groups, I used it regularly and no complains.

Best Regards!

-Bruno Domingues

0 Kudos
ITerl
Beginner
1,135 Views

So if I understood you correctly, I must not use ACUwizard for first provisioning but acuconfig?

I'm also using vnc viewer plus version 1.2.7 but the ad group doesn't work for me. Only if I add my user directly to access list

0 Kudos
Bruno_Domignues
Employee
1,135 Views

Igor,

You can use ACUWizard or ACUConfig.exe for first provisioning, but you can provision using RCS Jobs.

Are you able to open IE and point to vPro machine and get login without been prompt for any user/password? IMHO, IE is the best troubleshooting tool for kerberos issues - AD groups is fine and should work.

Best Regards!

-Bruno Domingues

0 Kudos
ITerl
Beginner
1,135 Views

Bruno,

Provisioning using configuration job using RCS job still doesn't work. I'm getting the same error (OSHostname missing).

I'm doing the following:

1. System is fully unconfigured (bios -> amt -> unconfigure)

2. Our CA cert hash is inserted in mebx using usb key method

3. Windows is started and amt device is successfully configured using "acuconfig ConfigViaRcsOnly RCS_hostname Profile_name". I logged as domain admin user to run this.

After that I can see that system in SCS console. Its status is Configured and everything looks ok.

When I try to create a Job with the following parameters:

- Job name: test

- Filter: All Systems

- Start job: Manually

- Operation: Configuration

- Profile: Pula

It fails with the following information from Operation Logs:

Operation: Reconfiguration - (Start)

Date and Time: 24.11.2014. 10:20:21

Error Code: 0

Severity: Information

UUID: 9762CA80-F09A-11E2-B0F0-7446A08F3D78

Intel AMT FQDN: HRVcdPulaDUR2.calucem.local

Intel AMT IPv4: 10.243.3.80

Server Name: HRVvsPula040.calucem.local

Description: These parameters were given:

Profile Name: Pula

AMTVersion: 8.1.31

OSHostName:

StaticIP:

StaticSubnet:

StaticGateway:

StaticDNS:

StaticSecDNS:

ConfigurationMethod: 5

CurrentADOUPath: OU=IntelAMT,DC=calucem,DC=local

PID:

Operation: Reconfiguration

Date and Time: 24.11.2014. 10:20:22

Error Code: 3221225979

Severity: Failure

UUID: 9762CA80-F09A-11E2-B0F0-7446A08F3D78

Intel AMT FQDN: HRVcdPulaDUR2.calucem.local

Intel AMT IPv4: 10.243.3.80

Server Name: HRVvsPula040.calucem.local

Description: A mandatory parameter is missing or empty (OSHostName).

The given profile require OSHostName.

0 Kudos
Bruno_Domignues
Employee
1,135 Views

This may happen due some configuration that you are using in your profile. RCS cannot get information from host operating system and your job is failing exactly in this point, get Host OS Name, have you tried chance the profile to "delta" configuration instead of "full" configuration.

Best Regards!

-Bruno Domingues

0 Kudos
ITerl
Beginner
1,135 Views

Bruno,

I just got an aswer from Intel bussines support:

"Does your profile have "Always use the OS Host Name for the new AD Object" checked under Optional Settings: AD Integration?

Please try running the configuration job again after unchecking this option in the profile and let me know if you see the error."

After I unchecked that option, everything is working like a charm

Regarding the AD group access rights, it's still not working. I applied the IE settings you said and tried but when trying to connect with vnc viewer, it still asks username and password.

0 Kudos
Bruno_Domignues
Employee
1,135 Views

Igor,

Have you tried connect using IE directly into ME: http:// http://.your.domain:16992 ?

It should work in IE first and usually, doing it, give us better insight on what may be stopping you.

Best Regards!

0 Kudos
ITerl
Beginner
1,135 Views

Bruno,

Port 16992 is not open on my test machine (AMT version 8.1.31). Only 16993 is open.

So I opened https://hrvcdpuladur2.calucem.local:16993/ https://hrvcdpuladur2.calucem.local:16993 in IE.

When I click "Log On", Windows Security dialog pops out and it asks username and password (for my domain).

EDIT:

After adding the registry key related to kerberos on port other then 80, when I click "Log On" it works

0 Kudos
Reply