
Platform Manager 1.9.0.0 - Can't login not using Windows Authentication

neilbrin
New Contributor I
2,060 Views

We have a distributed server setup whereby we have 2 x Web servers with an AWS ALB placed in front of these hosts and WAF/Shield protecting the ALB.

The 'Intel Web Server Identifier' resolves at a public facing IP as our Intel EMA website is publicly accessible (but specific IP address whitelisted).

Our Intel EMA platform is running v1.9.0.0 and it's been switched over to AzureAD auth and this is working as expected. I can log on to the Intel EMA web console using both 'Azure SSO Credentials' and also 'Intel EMA Credentials' using Global Admin account.


However, when I try and run Platform Manager and login directly from one of the Intel EMA Web servers I keep getting Invalid Username or Password

ie.
1. Server Information
Platform Manager Server Identifier:port -> localhost:8000
Intel EMA Web Server Identifier -> Ajax/Web Server FQDN eg. intelema.companyname.internal
Client Auth Certificate -> None

2. Connection Credentials
Use Windows Authentication -> Unchecked
Username -> username@domain (User Principal Name)

Results;
Invalid username/password


Could you please provide any information as to the network traffic and paths that this authentication process takes, as without a successful logon to Platform Manager I can't stop the Swarm, Ajax, Recovery and Manageability components as required according to the documentation to complete the upgrade to v1.10.0.0?

Failing that, is there a way to complete all the upgrade pre-requisites, i.e. stopping the required EMA components, so that I can perform an upgrade from 1.9.0.0 -> 1.10.0.0 without having to log on to Platform Manager and use this to stop the components?

0 Kudos
10 Replies
neilbrin
New Contributor I
2,054 Views

BTW - I've also tried to logon using Windows Authentication and receive the same error, so not sure if it's actually an authentication error or just a connectivity error

0 Kudos
Victor_G_Intel
Moderator
2,015 Views

Hello neilbrin,

 

Thank you so much for contacting Intel customer support,


Before moving forward with your questions please provide the information below:


  1. Were you able to run the platform manager before switching over to the AzureAD auth?
  2. For documentation purposes how many endpoints are currently in your deployment?
  3. Do you have more than one Global admin account? If yes, have you tried with the other account as well?
  4. Was this issue presented after you got your environment upgraded to EMA 1.9.0.0? If yes, have you tried these steps?


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
neilbrin
New Contributor I
1,965 Views

Victor,

Thanks for the quick reply to this issue

 

  1. Were you able to run the platform manager before switching over to the AzureAD auth?
    I'm not sure as we have changed a number of underlying configurations ie. we deployed a public facing Application Load Balancer (ALB)  so that we could integrate with our VMware WorkspaceOne (WS1) tenant. Due to this, it may be a comms issue from the management point (Platform Manager) to this ASLB out through our corporate firewall. It's one of the reasons why I would like to know the specifics of the Platform Manager connectivity ie. ports/protocols (other than tcp/8000)

  2. For documentation purposes how many endpoints are currently in your deployment?
    We only have two endpoints in our environment, as we are only early on in our testing/validation phase of our Intel EMA platform.

  3. Do you have more than one Global admin account? If yes, have you tried with the other account as well?
    We have two (2) Global Admin accounts and I have tried both and I can actually log on to the Intel EMA web portal via Azure AD with these two GA accounts.

  4. Was this issue presented after you got your environment upgraded to EMA 1.9.0.0? If yes, have you tried these steps?
    I am not sure, due to my reply in Q1. I believe we only introduced the ALB once we deployed v1.9.0.0, as once we had AzureAD auth working we wanted to then integrate with VMware WS1. I will test the LDAP/LDAPS connectivity from the Intel EMA web servers and report back with my findings

    regards,
    Neil...
0 Kudos
neilbrin
New Contributor I
1,950 Views

Victor,

 

I finally got around to testing LDAP/LDAPS connectivity from Intel EMA web servers. Maybe need a small KB on how to get LDP.exe tool on to Windows Servers (at least 2106 and above you need to add via;

Server Manager, Add Roles and Features, Features, Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools, AD DS Tools, AD DS Snap-Ins and Command-Line Tools).

I tested both LDAP (tcp/389) and LDAPS (tcp/636) against all our Domain Controllers and was able to successfully connect to all on both LDAP/LDAPS

 

Do you know what other comms are required, as I'm assuming by putting in the FQDN of the 'Intel EMA Web Server Identifier', then there must be some type of comms/check to this endpoint when trying to launch Platform Manager???

 

 

0 Kudos
JoseH_Intel
Moderator
1,931 Views

Hello neilbrin,


Please allow us some time to research this.


Regards 


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
1,899 Views

Hello neilbrin,

 

Could you please verify that when you open Platform Manager you are actually doing it with the Global Admin and not a service account? Please share images if possible.

So please tell what account is running EMA from Microsoft Services, likely some sort of dedicated service account?

 

Next, you will want to go into C:\Program Files (x86)\Intel\Platform Manager, press shift down and right click on PlatformManager.exe and "Run as Different user" and specify the Global Admin user you want to log in with. After it launches the service as Global Admin please try to login with that account.

 

Lastly, what happens if you try to log in with your Azure Root Admin Account? Starting in section 2.4.4 of the EMA install guide.

 

We will look forward to your feedback

 

Regards

 

Jose A.

Intel Customer Support Technician

 

0 Kudos
neilbrin
New Contributor I
1,821 Views

Jose,


Could you please verify that when you open Platform Manager you are actually doing it with the Global Admin and not a service account? Please share images if possible.
I am opening Platform Manager from the Start menu after I have actually logged on to the Intel EMA Web server using the Global Admin account. 

So please tell what account is running EMA from Microsoft Services, likely some sort of dedicated service account?

I am using the same user account that is dedicated as the Intel EMA Global Admin root account to run the Platform Manager service

Next, you will want to go into C:\Program Files (x86)\Intel\Platform Manager, press shift down and right click on PlatformManager.exe and "Run as Different user" and specify the Global Admin user you want to log in with. After it launches the service as Global Admin please try to login with that account.
I have also tried this account with the exact same result

 

Lastly, what happens if you try to log in with your Azure Root Admin Account? Starting in section 2.4.4 of the EMA install guide.
I have also tried this account with the exact same result

I have attempted with no success using the following scenarios;

  1. Logged on to Intel EMA web server using a designated generic user account which is the root Global Admin account and launching Platform Manager and using these same credentials to authenticate
    eg EMAGA@postdomain.test.au

  2. Logged on to Intel EMA web server using a designated generic user account which is the root Global Admin account and launching Platform Manager and using a defined user account (AD) that is a member of the Global Administrators group
    smith.john@postdomain.test.au

  3. Logged on to Intel EMA web server using a defined user account (AD) and launching Platform Manager and using these same credentials to attempt to authenticate

In all cases I keep receiving the error "Invalid username/password."

However I can log on to the Intel EMA Web console using the same account used in Test 1 & 2 and selecting the option 'Login With Intel EMA Credentials', so I know this account is valid and is a Global Admin 

 

0 Kudos
Victor_G_Intel
Moderator
1,807 Views

Hello neilbrin,


Thank you for posting on the Intel® communities.


Please let me review this information internally, and kindly wait for an update.


Once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician 


0 Kudos
Victor_G_Intel
Moderator
1,774 Views

Hello neilbrin,

 

I hope this message finds you well.


In case you don’t have time to deal with the issue at hand with our engineering team tonight please let us know so we can arrange a call/meeting with you. We’ll be waiting for your response.


Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
neilbrin
New Contributor I
1,593 Views

Hi Victor,

We have a workaround to our issue whereby we have changed our public facing Web/Ajax ALB to an internally facing NLB (Note: We also unsuccessfully tested with an externally facing NLB with same failed result). Once we did this then the Platform Manager connected and functioned as expected. So in short we initially configured our environment with an externally (public) facing ALB/NLB for our Web/Ajax endpoint, e.g. FQDN/URL; https://intelema.public.com.au. We then attempted to run Platform Manager directly on one of the Windows Server 2019 EMA Web Servers using the following;
Platform Manager Server Identifier:port; localhost:8000
Intel EMA Web Server Identifier; localhost
Client Auth Certificate; (None)

Then we attempted (unsuccessfully) to use both 'Intel EMA Credentials' and 'Azure AD Authentication'.

However, once we changed to an internal NLB, we could successfully connect, so there is definitely something that the Platform Manager tool does, that tries to communicate to these Web/Ajax endpoints, which is not documented. It would be good to have a specific traffic flow of the authentication attempt when using Platform Manager, as even when trying to use on the host where the Web/Ajax component is installed it seems to use other network traffic paths for authentication.


Regards,

Neil B

0 Kudos