I am new to the area of OOB Management and am having some issues getting the SCCM Addon to work as described.
I have successfully installed the Addon and have enabled the Task sequences. Everything seems to work. Intel ME says it is configured, and SCCM sees the Controller. However, the AMT Status in SCCM shows Detected.
I have read in other locations that this indicates that SCCM cannot communicate with the controller.
After extensive reading, the problem seems to be with Kerberos. I have configured the Profile with AD integration and TLS. I believe the problem may be with the SPN that needs to be configured. However, nowhere has much detail on that. Can anyone provide a guide or instructions on the Kerberos config for AMT?
I have configured the AMT provisioning accounts. But what AD account is used for communication by SCCM?
This is the error log I am seeing:
amtopmgr.log
Start Kerberos Discovery SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)
Flag iWSManFlagSkipRevocationCheck is not set. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)
Description: Logon failure: unknown user name or bad password. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)
Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)
DoKerberosWSManDiscovery failed. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)
Discovery to IP address 10.xxx.x.x succeed. AMT status is 1. SMS_AMT_OPERATION_MANAGER 12/2/2014 4:43:43 PM 6116 (0x17E4)
Thank You in advance for any help that can be provided.
You are right. Unfortunately, Kerberos in this condition doesn't work out of the box.
First of all, you have to tell Windows to allow sending Kerberos tickets over a non-80 port, and in order to do it, you must create these two registry entries (32-bit and 64-bit): http://support.microsoft.com/kb/908209
Besides this configuration, you must also make sure that in your IE you have your DNS suffix in the Intranet Zone (Internet Options -> Security -> Local Intranet -> Sites), e.g. intel.com, and also, in "Custom Level...", you must have this option checked:
I should be able to connect to your vPro machine using Kerberos from IE in order to make sure that it's working, just by pointing your IE to the vPro machine, e.g. http://vpromachine.intel.com:16992 or https://vpromachine.intel.com:16993
My two cents!
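A way to check the two registry entries mentioned in the reply above, as an added example that is not part of the original thread. It assumes the feature-control key and `iexplore.exe` value name documented in KB 908209 and the standard `Wow6432Node` location for the 32-bit view; the `-Fix` switch is a parameter of this script only.

```powershell
# Added example: audit (and with -Fix, set) the KB 908209 "include port in SPN"
# value for Internet Explorer in both registry views.
# Assumptions: run from 64-bit PowerShell; -Fix requires an elevated session.
param([switch]$Fix)

$feature   = 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'  # key name from KB 908209
$valueName = 'iexplore.exe'                          # process the setting applies to
$views = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
}

$results = foreach ($view in $views.GetEnumerator()) {
    # A 32-bit OS has no Wow6432Node view, so skip it there.
    if ($view.Key -eq '32-bit' -and -not [Environment]::Is64BitOperatingSystem) { continue }

    $keyPath = Join-Path $view.Value $feature
    $current = $null
    if (Test-Path $keyPath) {
        $prop    = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        $current = $prop.$valueName
    }

    if ($current -ne 1 -and $Fix) {
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $valueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
        $current = 1
    }

    [pscustomobject]@{
        View      = $view.Key
        Key       = $keyPath
        Value     = $current
        PortInSpn = ($current -eq 1)
    }
}

$results | Format-Table -AutoSize

if ($results.PortInSpn -contains $false) {
    # Without the value, IE builds the SPN without the port number, so a
    # request to :16992 or :16993 is not matched to a port-specific SPN.
    Write-Warning 'KB 908209 value missing in at least one view; re-run with -Fix from an elevated prompt.'
}
```

Restart Internet Explorer after changing the value so the process picks up the feature-control setting.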