Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

SCCM 2012 Kerberos Issue

RChar4
Beginner
1,625 Views

Hello All,

I am new to the area of OOB Management and am having some issues getting the SCCM Addon to work as described.

I have successfully installed the Addon and have enabled the Task sequences. Everything seems to work. Intel ME says it is configured SCCM sees the Controller, However the AMT Status of SCCM shows detected.

I have read in other locations that this indicates that SCCM cannot communicate with the controller.

After extensive reading the problem seems to be with kerberos. I have configured the Profile with AD integration and TLS. I believe the problem may be with the SPN that needs to be configured. However nowhere has much detail on that. Can anyone provide some guide or instructions on the kerberos config for the AMT ?

I have configured they AMT provisioning accounts. But what AD account is used for communication by SCCM ?

This is the error log I am seeing

amtopmgr.log

Start Kerberos Discovery SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)Flag iWSManFlagSkipRevocationCheck is not set. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)

session params : https://AAA-xxx.xxx.edu:16993 https://AAA-xxx.xxx.edu:16993 , 484001 SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)

Description: Logon failure: unknown user name or bad password. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)

Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)

DoKerberosWSManDiscovery failed. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)

Discovery to IP address 10.xxx.x.x succeed. AMT status is 1. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)

Thank You in advance for any help that can be provided.

-Robert

0 Kudos
1 Reply
Bruno_Domignues
Employee
441 Views

You are right. Unfortunately, kerberos in this condition doesn't work out of the box.

First of all, you have to say to Windows allow send kerbetos tickets over a port non-80, and in order to do it, you must create these two registries entries (32bits and 64bits): http://support.microsoft.com/kb/908209 http://support.microsoft.com/kb/908209

Beside this configuration, also you must make sure that in your IE, you have your suffix DNS in Intranet Zone (Internet Options -> Security -> Local Intranet -> Sites), e.g. intel.com and also, in "Custom Level..." you must have this option checked:

I should be able to connect to you vPro machine using kerberos from IE in order to make sure that it's working, just pointing your IE to vPro machine, e.g. http://vpromachine.intel.com:16992 http://vpromachine.intel.com:16992 or https://vpromachine.intel.com:16993 https://vpromachine.intel.com:16993

My two cents!

-Bruno Domingues

Reply