Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Issue with Intel® EMA Root Certificate Creation

Hideo
Novice
1,230 Views

Dear IntelEMA Support Team,

I am attempting to set up a distributed configuration with an IntelEMA main server and an IntelEMA subserver on Azure. The first IntelEMA main server is already installed, and I am currently in the process of installing a second IntelEMA server. However, I am encountering an error during the installation process. The steps I have taken and the error message are as follows:

 

  1. On the IntelEMA subserver, I created a CSR (Certificate Signing Request) file.
  2. On the IntelEMA main server, I used the CSR file to generate a CER (Certificate) file.
  3. I continued with the installation of the additional IntelEMA subserver using the CER file from the main server.
  4. During the installation of the IntelEMA subserver, the following error message was produced: “Error creating Intel® EMA Root certificate.” Upon reviewing the event log, I found the following entries that may indicate the cause:
2024-05-15 09:09:54.6563|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm, EMAServerInstaller, Version=1.13.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: Information, Start creating Intel® EMA settings certificate.
2024-05-15 09:10:00.0783|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm, EMAServerInstaller, Version=1.13.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: Information, Intel® EMA settings certificate created
2024-05-15 09:10:00.0939|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm, EMAServerInstaller, Version=1.13.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: Information, Using Settings Cert: MeshSettingsCertificate-03F231CB.
2024-05-15 09:10:00.1408|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm, EMAServerInstaller, Version=1.13.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: Information, AESGCM Master key created.
2024-05-15 09:10:00.2189|ERROR||7060|1|DisplayEvent - MeshServerInstaller.MainForm, EMAServerInstaller, Version=1.13.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - EVENT: Exception, Error creating Intel® EMA Root certificate.

Could you please advise on the potential causes of this error and any possible solutions?

Thank you for your assistance.

Best regards,

Hideo 

0 Kudos
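A way to triage the installer log excerpt quoted in the post above, added here as an example (it is not part of the thread or of Intel's tooling). It pairs each ERROR with the last INFO event of the same process, which shows the step the installer had completed when it failed; the field layout is inferred from the quoted lines and the function names are hypothetical.

```python
import re
from datetime import datetime

# Layout inferred from the lines quoted in the post (an assumption, not a
# documented Intel EMA format): time|LEVEL||pid|thread|message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\|(?P<level>[A-Z]+)\|[^|]*\|"
    r"(?P<pid>\d+)\|(?P<tid>\d+)\|(?P<msg>.*)$"
)
EVENT = re.compile(r"EVENT: (?P<kind>\w+), (?P<text>.*)$")

# Constructed sample: the events from the post, with the long assembly
# identity in each message shortened to "MeshServerInstaller.MainForm".
SAMPLE = """\
2024-05-15 09:09:54.6563|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm - EVENT: Information, Start creating Intel® EMA settings certificate.
2024-05-15 09:10:00.0783|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm - EVENT: Information, Intel® EMA settings certificate created
2024-05-15 09:10:00.0939|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm - EVENT: Information, Using Settings Cert: MeshSettingsCertificate-03F231CB.
2024-05-15 09:10:00.1408|INFO||7060|1|DisplayEvent - MeshServerInstaller.MainForm - EVENT: Information, AESGCM Master key created.
2024-05-15 09:10:00.2189|ERROR||7060|1|DisplayEvent - MeshServerInstaller.MainForm - EVENT: Exception, Error creating Intel® EMA Root certificate.
"""

def parse(lines):
    """Yield (timestamp, level, pid, kind, text) for each well-formed line."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines that do not follow the layout are skipped
        ev = EVENT.search(m["msg"])
        kind, text = (ev["kind"], ev["text"]) if ev else ("", m["msg"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m["level"], int(m["pid"]), kind, text

def failures(lines):
    """For each ERROR, report the last INFO event of the same process."""
    last_ok = {}   # pid -> (timestamp, text) of the most recent INFO event
    out = []
    for ts, level, pid, kind, text in parse(lines):
        if level == "ERROR":
            prev = last_ok.get(pid)
            out.append({
                "error": text,
                "at": ts,
                "last_ok": prev[1] if prev else None,
                "gap_s": (ts - prev[0]).total_seconds() if prev else None,
            })
        elif level == "INFO":
            last_ok[pid] = (ts, text)
    return out

if __name__ == "__main__":
    for f in failures(SAMPLE.splitlines()):
        print(f"{f['at']}  {f['error']}  (after: {f['last_ok']}, +{f['gap_s']}s)")
```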
19 Replies
MIGUEL_C_Intel
Moderator
1,166 Views

Hello, Hideo,


Do you mind sending the EMA Server logs from the first and second servers?  You can send them in a private message if you want to protect your company information. 


EMA logs from the Server machines:

Default Path: [System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs

Please send me the files without the date called:

EMAlog-Swarmserver.txt

EMAlog-Ajaxserver.txt

EMAlog-Recoveryserver.txt

EMAlog-Manageabilityserver.txt


In addition, please let me know the OS version on both server machines.

SQL version and its location

Are you using Windows AD or Azure AD (Entra)?


I look forward to your reply.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Hideo
Novice
1,161 Views

Hello, Miguel C.

 

Thank you for your prompt reply.
I would like to send you a log, but could you please let me know how to send a private message?

 

I look forward to your reply.

 

Regards,

Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
1,099 Views

Hello, Hideo,


I sent you an email; please send me the Server logs and the information below:


Please let me know the OS version on both server machines.

SQL version and its location.

Are you using Windows AD or Azure AD (Entra)?


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Hideo
Novice
1,024 Views

Hello, Miguel C.

Thank you for your response.

I have one question.

I would like to send you the logs, but is there any other method besides attaching them in an email (for example, an uploader that Intel might be using)?

 

I look forward to your reply.

 

Regards,

Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
1,009 Views

Hello, Hideo,


The official options to upload files are via email or by using our web portal (you need to create an account and ticket).  If you have an uploader, you can send us the link and password for access and download the files.


Please remember to send EMA logs from the Server machines.  Send me the files without a date called:

Default Path: [System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs

EMAlog-Swarmserver.txt

EMAlog-Ajaxserver.txt

EMAlog-Recoveryserver.txt

EMAlog-Manageabilityserver.txt


OS version on both server machines.

SQL version and its location

Are you using Windows AD or Azure AD (Entra)?


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Hideo
Novice
980 Views

Hello, Miguel C.

 

Thank you for your response.

 

Logs are attached, including both the most recent logs and those without dates. Please check them.

The installation of the IntelEMA subserver was terminated midway, so there are no logs. Therefore, I am only sending the logs of the IntelEMA main server.

 

Also, the answers to the questions are as follows:

OS version of both server machines:
IntelEMA main server: Windows Server 2022 Datacenter Azure Edition
IntelEMA subserver: Windows Server 2022 Datacenter Azure Edition

Version and location of SQL: SQL is built on Azure and uses AzureSQL.
However, it takes time to check the version due to our internal environment.
IntelEMA is installed on one of the IntelEMA main servers.
Therefore, we presume that we are using a version of SQL that IntelEMA supports.

Are you using Windows AD or Azure AD (Entra)?
No, we are not using it.

 

I look forward to your reply.

 

Regards,
Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
871 Views

Hello, Hideo,


Thank you for sharing the EMA server logs and configuration details.


The SQL-built version on Azure is not supported yet; we need to install a full SQL version in Azure. Regarding Datacenter Azure Edition, I am confirming with the engineering team the compatibility. I will reply soon.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Hideo
Novice
838 Views

Hello, Miguel C.

 

Thank you for your response.

 

"The SQL-built version on Azure is not supported yet; we need to install a full SQL version in Azure."

I received the above response, but on page 25 of the following official Intel document, there is a description of the SQL server on Azure. Does this mean that the SQL server on Azure is not supported?

 

https://www.intel.com/content/dam/www/central-libraries/jp/ja/documents/intel-ema-web-deployment-guide-fo-azue.pdf

 

If it is not compatible with IntelEMA, could you please tell me if there is a way to build SQL on Azure? If you have any reference materials, I would appreciate it if you could share the information.

 

I am still waiting for your reply on the following.

 

"Regarding Datacenter Azure Edition, I am confirming with the engineering team the compatibility. I will reply soon."

 

I look forward to your reply.

 

Regards,
Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
784 Views

Hello, Hideo,


I verified the compatibility of Windows Server 2022 Datacenter Azure Edition, and it is fully supported by Intel® EMA. 


Regarding the embedded SQL Azure version, it is not supported by the Intel® EMA on-premises software version yet.  The document that you are referring to is intended for the Intel® Endpoint Management Assistant (Intel® EMA) Cloud Start Tool for Azure. 

https://www.intel.com/content/www/us/en/download/19738/intel-endpoint-management-assistant-intel-ema-cloud-start-tool-for-azure.html


The supported SQL versions for Intel® EMA are available in Section 1.3.3 Database of the Intel EMA Server Installation Maintenance Guide Rev1 13.0.pdf

https://downloadmirror.intel.com/646990/Intel_EMA_Documents1.13.0.zip


Regards,

Miguel C.

Intel Customer Support Technician



0 Kudos
Hideo
Novice
748 Views

 

Hello, Miguel C.

 

Thank you for your response.

 

I would like to confirm one point. Currently, I am trying to build IntelEMA on Azure by referring to the following procedure:

 

▼intel-ema-web-deployment-guide-fo-azue.pdf

https://www.intel.com/content/dam/www/central-libraries/jp/ja/documents/intel-ema-web-deployment-guide-fo-azue.pdf

 

At present, I am proceeding with the construction work using the following installer:

 

▼Ema_Install_Package_1.13.0.0.exe

https://www.intel.co.jp/content/www/jp/ja/download/19449/intel-endpoint-management-assistant-intel-ema.html

 

Does the procedure I am referring to match the installer I am using for construction?

 

If not, could you please tell me the appropriate installer?

I look forward to your reply.

 

Regards,
Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
715 Views

Hello, Hideo,


Last night, I worked with the development team, and they validated the compatibility between Intel® EMA and Azure SQL (embedded).  I am sharing the installation steps for the database.


1. Create a resource group in Azure.

2. Create a SQL Server in the resource group with a globally unique name.

3. Configure the SQL Server firewall to allow access from the EMA subnet.

4. Associate the Network Security Group with the Azure Bastion Subnet.

5. Create an Azure SQL Server and enable access to it from the EMA subnet.

6. Install the Intel EMA software using the installation instructions provided.

Note: During the installation process, the SQL Database will be created dynamically.  After the installation is complete, you can review the database settings and adjust them if desired.


Regarding your question, does the intel-ema-web-deployment-guide-fo-azue.pdf contained in the Ema_Install_Package_1.13.0.0.exe refer to the Intel® EMA installation: yes, you are correct. I apologize for my misunderstanding and for giving inaccurate information.


I suggest doing the following: please start the configuration from scratch.

Configure Windows Server 2022 Datacenter Azure Edition, AD, and IIS.

Install and configure Azure SQL with the above instructions.

Then, install Intel® EMA in one system only (choose the Distributed environment).

Try accessing the EMA web console with the Global Administrator account.


Before jumping to the next step (setting the second EMA server), send a new set of EMA server logs.


I will gladly continue supporting you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Hideo
Novice
682 Views

Hello, Miguel C.

 

Thank you for your response.

 

I would like to confirm three points.


The first point is about AD.

As mentioned below, is the installation of AD necessary for setting up the IntelEMA environment?

 

>I suggest doing the following: please start the configuration from scratch.

>Configure Windows Server 2022 Datacenter Azure Edition, AD, and IIS. Install and configure Azure SQL with the above instructions.

 

If AD is necessary, could you tell me why it is necessary? Also, if there are any official Intel documents for reference, could you share them?

 

The second point is about EntraID.

If AD is necessary, is it possible to use Azure's EntraID instead of AD to set up the IntelEMA environment?


The third point is about the EMA agent terminal.

If AD is necessary, does the EMA agent's terminal also need to join the domain?

 

I look forward to your reply.


Regards,
Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
640 Views

Hello, Hideo,


I hope you are doing well.


Due to the issues presented, I suggest reinstalling EMA from scratch.  I mentioned Windows Active Directory (AD) if you are using it or want to use it in the future.  If you install EMA with Local Authentication, it is not possible to jump to Windows AD or Azure Entra.  The supported option is jumping from Windows AD to Azure Entra only.  I hope my answer resolves questions 1 and 2.


References from the Intel EMA Server Installation Maintenance Guide_Rev1_13_0.pdf included at https://downloadmirror.intel.com/646990/Intel_EMA_Documents1.13.0.zip


Open the PDF files with a browser.

Bullet 7 “Decide which form of authentication you plan to install Intel® EMA under: Azure AD authentication, Windows AD domain authentication mode (Kerberos), or normal account (username/password) mode, which is the default. If you plan to use domain authentication, we suggest using the FQDN of your machine for the hostname. You still need to make sure that other endpoints or other client web browsers can connect to the value you entered here. If you decide to use another value, follow IT practice to set up the Service Principle Name (SPN) after Intel® EMA is installed.”

Intel_EMA_Documentation_Rev1.13.0/Intel_EMA_Documents_Rev_1_13_0/Intel%20EMA%20ServerInstallation%20MaintenanceGuide_Rev1_13_0.pdf#page=9


1.3.4 Pre-installation Instructions for Microsoft Azure AD Environments

Intel_EMA_Documentation_Rev1.13.0/Intel_EMA_Documents_Rev_1_13_0/Intel%20EMA%20ServerInstallation%20MaintenanceGuide_Rev1_13_0.pdf#page=13


2.2.1.12 Modify Server Settings from Azure AD

Intel_EMA_Documentation_Rev1.13.0/Intel_EMA_Documents_Rev_1_13_0/Intel%20EMA%20ServerInstallation%20MaintenanceGuide_Rev1_13_0.pdf#page=44


2.4.4 Converting to Azure AD using the Command Line

Intel_EMA_Documentation_Rev1.13.0/Intel_EMA_Documents_Rev_1_13_0/Intel%20EMA%20ServerInstallation%20MaintenanceGuide_Rev1_13_0.pdf#page=60


Third question: if you configure EMA with Windows AD or Azure Entra, yes, the agents need to join the domain.


I look forward to hearing back from you.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Hideo
Novice
444 Views

Hello, Miguel C.

 

Thank you for your response.

 

Due to the circumstances of our internal system environment, we cannot join the agent to a domain.

Is it possible to build IntelEMA in a redundant configuration without joining the agent to a domain?

We have already done the following:

Installed IntelEMA on Windows Server 2022 Datacenter Azure Edition (single configuration).
Installed the agent on a terminal without vPro, and were able to operate it from IntelEMA.

(At this time, the agent was not joined to a domain.)

Given the above, is it possible to build IntelEMA in a redundant configuration without joining the agent to a domain?

 

I look forward to your reply.


Regards,
Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
403 Views

Hello, Hideo,


Sure, it is possible to create a distributable EMA configuration using local authentication (without Active Directory).  


Please use the sections below for reference:

1.4.9 IIS - Change IIS User Account

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=20


2.2. Installing using the Setup Wizard

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-server-installation-and-maintenance-guide.pdf#page=33


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Hideo
Novice
336 Views

Hello, Miguel C.

 

Thank you for your response.


I have organized the responses so far. With that in mind, please tell me again the cause of the original question and the countermeasures.

*The log has been sent in my seventh reply.

 

The image below shows the overall configuration.

Hideo_0-1716905327280.png

 

1. IntelEMA was installed on the IntelEMA main server (WindowsServer).

  *SQL uses AzureSQL.

2. An error occurred when installing IntelEMA on the second IntelEMA main server (WindowsServer).

  When creating a certificate file on the IntelEMA main server and proceeding with the installation of IntelEMA on the IntelEMA main server, the following error is output, and the installation is stopped:

  Error creating Intel® EMA Root certificate.

  Could you tell me the cause of the above error and how to deal with it?

I look forward to your reply.


Regards,
Hideo.

0 Kudos
Hideo
Novice
343 Views

 

Hello, Miguel C.

 

I accidentally posted twice. I don't know how to turn it off.

Please ignore the following.

↓↓↓

 

Thank you for your response.

 

I have organized the responses so far. With that in mind, please tell me again the cause of the original question and the countermeasures. *The log has been sent in my seventh reply.

The image below shows the overall configuration.

 

Hideo_0-1716909948317.png

 

1. IntelEMA was installed on the IntelEMA main server (WindowsServer).

*SQL uses AzureSQL.

2. An error occurred when installing IntelEMA on the second IntelEMA main server (WindowsServer).

When creating a certificate file on the IntelEMA main server and proceeding with the installation of IntelEMA on the IntelEMA main server, the following error is output, and the installation is stopped:

Error creating Intel® EMA Root certificate.

Could you tell me the cause of the above error and how to deal with it?

 

I look forward to your reply.


Regards,
Hideo.

0 Kudos
MIGUEL_C_Intel
Moderator
292 Views

Hello, Hideo,

 

Thank you for sending a chart flow of your environment and a summary of the issue.  Let me review the logs and documentation provided.

 

Regards,

Miguel C.

Intel Customer Support Technician

 

0 Kudos
MIGUEL_C_Intel
Moderator
157 Views

Hello, Hideo,

I am reviewing the documentation provided.  Please be patient.

Regards,
Miguel C.
Intel Customer Support Technician

0 Kudos