Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Passwords used in SCS

ccede
Beginner

I'm a bit confused as to where the different passwords are being used in SCS 8.

Could someone please provide clarification on the items in RED?

Access Control List Tab

- Passwords here are used to grant access via a Management PC to be able to connect over AMT to the Client machine.

- Can use either Digest or Kerberos (via Windows AD OUs)

Remote Access Tab

- Management Presence Server Properties

- System Authentication

- This can be either Certificate Based or Password based.

- What is this authentication for? If it is password based don't we already cover that in the Access Control List using digest/kerberos?

System Settings Tab

- Network Settings

- MEBx password is used to enter the MEBx (BIOS level) locally on the client machine

- Specify the method to be used to create the Intel AMT admin user password

- I believe this password is used to provision the machine via ACUConfig?

- If this password is specified randomly, is there any AD integration where we can record that random password in Active Directory?

Thank you in advance!

1 Solution
Christophe_P_Intel1

Remote Access Tab:

The Access Control List is for access to the machine using Digest/Kerberos. However, if you are using Intel Fast Call for Help, a proxy Management Presence Server (MPS) is needed. The Remote Access tab is to specify access credentials to the MPS. Once a connection is established to the MPS, the management console would connect to the system through the MPS using credentials defined in the ACL.

System Settings Tab:

There are three password types: MEBx, Intel® AMT administrator, and Intel® AMT user.

  • MEBx - Entered at the BIOS\FW to access the management engine locally. This password must be changed when the management engine is first accessed. The MEBx password is used ONLY at the local client machine to enter the MEBx (ME BIOS eXtensions).

  • Intel® AMT administrator password - Used to access the WebUI console and send\receive webservice calls for administrative changes\privileges. This account should ONLY be used by the ISV console or configuration service. The maintenance setting to change administrator password refers to this account. (When the security realms are explained, this might make more sense.)

  • Intel® AMT user password - Accounts used for production access and functionality. These are the target Digest or Kerberos users seen within the Intel® SCS console. Multiple user accounts could exist, based on the preference and policy of a production environment. In enterprise mode, these accounts are defined and set by the Intel® AMT profile.

If the AMT Admin user password is specified randomly, the password is stored in the SCS database.

To get the Admin password:

1. In the console click Monitoring and select the Systems tab.

2. Locate and select the system using the Views tab or the Search tab. Data for the selected system is shown in the bottom section of the window.

3. Right-click the system and select Get Configured Password. The View System's Password window opens.

4. To view the password, select Show password. The password is shown.

If you have Active Directory, I recommend using Kerberos to manage your clients.

idata
Employee

Thank you so much. I appreciate the response! Great information.

Just to clarify a few things based off of a scenario:

Scenario:

1. In the Remote Access Tab / MPS Properties, I am using System Authentication is Password Based and specifying a username/password.

2. In the System Settings Tab, I have checked Create a random password for each system

My understanding:

- When I first configure the machine with ACUConfig.exe configviarcsonly, the /adminpassword parameter will use number 1 password (line item from above scenario)

- Once it is configured, it will change that admin password to a random password and store it in the SCS Monitoring section.

- If I want to re-provision the machine or make a Delta Configuration, then I will need to use that new (random) password (line item 2 from above) when specifying the /adminpassword parameter within ACUConfig.exe

Is this correct?

Thanks!

Christophe_P_Intel1

The Remote Access Tab / MPS properties credentials are the credentials used to communicate with the MPS proxy server. The AMT client uses these credentials to create a connection to the MPS (see page 86 of the SCS user guide). Once the connection is made to the MPS, then the IT console can use the AMT credentials to communicate with the AMT client through the MPS. When using ACUConfig, the AMT password is defined in System Settings - and since you have Create a random password for each system checked, that is what will happen. These credentials may be used to change the AMT configuration later.

ccede
Beginner

Thank you for the clarification!
