I'm a bit confused as to where the different passwords are being used in SCS 8.
Could someone please provide clarification on the items in RED?
Access Control List Tab
- Passwords here are used to grant access via a Management PC to be able to connect over AMT to the Client machine.
- Can use either Digest or Kerberos (via Windows AD OUs)
Remote Access Tab
- Management Presence Server Properties
- System Authentication
- This can be either Certificate Based or Password based.
- What is this authentication for? If it is password based don't we already cover that in the Access Control List using digest/kerberos?
System Settings Tab
- Network Settings
- MEBx password is used to enter the MEBx (BIOS level) locally on the client machine
- Specify the method to be used to create the Intel AMT admin user password
- I believe this password is used to provision the machine via ACUConfig?
- If this password is specified randomly, is there any AD integration where we can record that random password in Active Directory?
Thank you in advance!
Remote Access Tab:
The Access Control List is for access to the machine using Digest/Kerberos. However, if you are using Intel Fast Call for Help, a proxy Management Presence Server (MPS) is needed. The Remote Access tab is to specify access credentials to the MPS. Once a connection is established to the MPS, the management console would connect to the system through the MPS using credentials defined in the ACL.
System Settings Tab:
There are three password types: MEBx, Intel® AMT administrator, and Intel® AMT user.
- MEBx - Entered at the BIOS\FW to access the management engine locally. This password must be changed when the management engine is first accessed. The MEBx password is used ONLY at the local client machine to enter the MEBx (ME BIOS eXtensions)
- Intel® AMT administrator password - Used to access the WebUI console and send\receive webservice calls for administrative changes\privileges. This account should ONLY be used by the ISV console or configuration service. The maintenance setting to change administrator password refers to this account. (When the security realms are explained, this might make more sense.)
- Intel® AMT user password - Accounts used for production access and functionality. These are the target Digest or Kerberos users seen within the Intel® SCS console. Multiple user accounts could exist, based on the preference and policy of a production environment. In enterprise mode, these accounts are defined and set by the Intel® AMT profile.
If the AMT Admin user password is specified randomly, the password is stored in the SCS database.
To get the Admin password:
1. In the console click Monitoring and select the Systems tab.
2. Locate and select the system using the Views tab or the Search tab. Data for the selected system is shown in the bottom section of the window.
3. Right-click the system and select Get Configured Password. The View System's Password window opens.
4. To view the password, select Show password. The password is shown.
If you have Active Directory, I recommend using Kerberos to manage your clients.
Thank you so much. I appreciate the response! Great information.
Just to clarify a few things based off of a scenario:
Scenario:
1. In the Remote Access Tab / MPS Properties, I am using System Authentication is Password Based and specifying a username/password.
2. In the System Settings Tab, I have checked Create a random password for each system
My understanding:
- When I first configure the machine with ACUConfig.exe configviarcsonly, the /adminpassword parameter will use number 1 password (line item from above scenario)
- Once it is configured, it will change that admin password to a random password and store it in the SCS Monitoring section.
- If I want to re-provision the machine or make a Delta Configuration, then I will need to use that new (random) password (line item 2 from above) when specifying the /adminpassword parameter within ACUConfig.exe
Is this correct?
Thanks!