Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

Intel AMT Web Access Authentication

SClar7
Novice
‎05-09-2016 08:50 PM
2,773 Views
Solved Jump to solution

Hi Guys,

I am in the process of configuring Intel AMT through Intel SCS on the following systems:

Dell OptiPlex7040

Bios Version 1.2.8

Intel AMT Version 11.0.0

I have pushed out a profile configuring the Intel MEBX password, AD Integration with a number of Kerberos accounts as well as TLS certificate.

I can KVM to the workstation using KVMView or Real VNC however I have an issue that I have so far been unable to get to the bottom of.

The problem is I can not authenticate to the web interface (https://machinename:16993/ https://machinename:16993). I can also not discover the AMT system properly in SCCM (Status stays as "Detected" where I would expect this to change to "Externally Provisioned"). I believe this is also due to the fact that authentication is failing to the above address due to what I can see in SCCM's amtopmgr.log.

I have tried the following things:

1. Using Kerberos accounts (AMT Clock is in Sync)

2. Using Digest account

3. Trying a very simple password

4. Trying different web browsers (Chrome and IE)

5. Un-provisioning / Re-provisioning AMT

6. Confirming TLS certificate properties including chain etc is ok.

7. Resetting AMT to factory

Nothing I seem to do will pass the web authentication.

I would appreciate if anyone could offer any advice?

Thanks in advance,

Steve

0 Kudos
1 Solution
SClar7
Novice
‎05-13-2016 12:34 AM
1,379 Views
Solved Jump to solution

I never heard from biz-support so I am adding my findings here:

I discovered through a network trace that the port was not being sent with the SPN as per https://support.microsoft.com/en-us/kb/908209 https://support.microsoft.com/en-us/kb/908209 even though I had configured the registry keys and rebooted.

Results: (NOTE: Above registry keys were present on all systems)

Remote server (Hosting Intel RCS) - Windows Server 2012 (non R2) with IE 10 - Web authenticawtion using kerberos unsuccessful (Trace shows port not sent despite registry keys being present)

Remote server - Windows Server 2012 R2 with IE 11 - Web authentication using kerberos successful

Local workstation (connecting to local AMT chip) - Windows 10 with IE 11 - Web authentication using kerberos successful

I am not sure why the port is not being sent from that particular server but it could be the OS or IE version.

Also as per my other thread make sure any groups you add are Global AD groups and NOT Domain Local groups.

SCCM is now showing as "Externally Provisioned".

View solution in original post

0 Kudos
Copy link

Link Copied

6 Replies
SClar7
Novice
‎05-10-2016 05:57 PM
1,379 Views
Solved Jump to solution

Ok I was able to work it out myself in the end.

For those playing at home I had to disable Integrated Windows Authentication in IE settings. This allowed me to login using the admin digest account.

I am still yet to figure out how to get the AMT status to change to Externally Provisioned but will update this thread when I do in case it helps anyone else out.

0 Kudos
Copy link
Yehuda_S_Intel
Employee
‎05-10-2016 10:23 PM
1,379 Views
Solved Jump to solution
In response to SClar7

Hi Steve01,

This is great news that you were able to isolate the web interface problem, can you please give me some details on your SCCM version?

Also, you may want to consider running the platform discovery task sequence on all of your AMT platforms before and after configuration, this will update the hardware inventory classes in your SCCM instance and hopefully populate your collections accordingly.

In response to SClar7
0 Kudos
Copy link
SClar7
Novice
‎05-10-2016 10:38 PM
1,379 Views
Solved Jump to solution
In response to Yehuda_S_Intel

Hi Asilverman,

SCCM Version is SCCM 2012 R2 SP1

We are not using the full Intel SCS Addon. We have kept things fairly simple in that regard by just using the Configurator to send a hello packet to the Intel RCS which executes a PowerShell script to provision the appropriate Intel SCS Profile to the workstation.

I have configured the Out-of-Band component in SCCM to have the correct Admin password for discovery purposes.

My main issue now is with Kerberos authentication. I have successfully pushed the profile to the Workstation and most things are working as expected with my Active Directory account. I can KVM (only if my AD account is directly on the chip and not in a nested group) and connect using the Manageability Command Tool or the Intel vPro Platform Solution Manager.

Unfortunately I cannot connect to the AMT Web Interface with Keberos using any AD account. I belive this is also stopping the appropriate OOB discovery through SCCM.

In response to Yehuda_S_Intel
0 Kudos
Copy link
Yehuda_S_Intel
Employee
‎05-10-2016 11:40 PM
1,379 Views
Solved Jump to solution
In response to Yehuda_S_Intel

Hi Steve,

Please open a biz-support ticket through this website and we will get to the bottom of this issue, the website for opening a ticket is here: https://bizsupport.intel.com/ https://bizsupport.intel.com

In response to Yehuda_S_Intel
0 Kudos
Copy link
SClar7
Novice
‎05-11-2016 12:46 AM
1,379 Views
Solved Jump to solution

Done

0 Kudos
Copy link
SClar7
Novice
‎05-13-2016 12:34 AM
1,380 Views
Solved Jump to solution

I never heard from biz-support so I am adding my findings here:

I discovered through a network trace that the port was not being sent with the SPN as per https://support.microsoft.com/en-us/kb/908209 https://support.microsoft.com/en-us/kb/908209 even though I had configured the registry keys and rebooted.

Results: (NOTE: Above registry keys were present on all systems)

Remote server (Hosting Intel RCS) - Windows Server 2012 (non R2) with IE 10 - Web authenticawtion using kerberos unsuccessful (Trace shows port not sent despite registry keys being present)

Remote server - Windows Server 2012 R2 with IE 11 - Web authentication using kerberos successful

Local workstation (connecting to local AMT chip) - Windows 10 with IE 11 - Web authentication using kerberos successful

I am not sure why the port is not being sent from that particular server but it could be the OS or IE version.

Also as per my other thread make sure any groups you add are Global AD groups and NOT Domain Local groups.

SCCM is now showing as "Externally Provisioned".

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.