Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2835 Discussions

SCCM 2012 R2 - Unable to connect using Out of Band Management Console / KVMView

JWaxm
Beginner
‎03-19-2015 01:31 PM
1,429 Views

Hello,

I have been working on this for two weeks now, with some progress. I would really appreciate any suggestions.

Overview of setup:

SCCM 2012 R2 w/

Intel SCS 10.0.11.35 integrated

Intel SCS_SCCMAddon 2.1.6.3

and Intel vPro SCCM add on -v2

I setup the SCS integration using the following documentation:

https://sccmguru.wordpress.com/2013/12/20/integrating-configuration-manager-2012-r2-with-intel-scs-9-0-part-1/ Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction | SCCM GURU

PKI Hierarchy

I have setup a Two-Tier PKI Hierarchy using the following documentation:

https://technet.microsoft.com/library/hh831348.aspx Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

At this point, I am able to run the following 3 task sequences:

Intel SCS: Platform Discovery

Intel AMT: Discovery

Intel AMT: Configuration

Once this is complete, I see

AMT Status: Externally Provisioned &

AMT Version: 10.0.33

I am able to utilize the "power control" under Manage out of band.

I am unable to:

Use the Out of Band Management Console

Connect to the webui using https://fqdn:16993/ https://fqdn:16993

Use KVMView

To elaborate

Use the Out of Band Management Console

When I attempt to connect I see "System: Connecting" and then it changes to "System: Disconnected"

Under the AdminUILog I see the following:

[15, PID:20500][03/19/2015 14:02:17] :GetAMTPowerState fail with result:0x80072F8F

[12, PID:20500][03/19/2015 14:02:26] :GetAMTPowerState fail with result:0x80072F8F

[14, PID:20500][03/19/2015 14:02:36] :GetAMTPowerState fail with result:0x80072F8F

[15, PID:20500][03/19/2015 14:02:36] :OOBPrepareNormalBootOption: BypassPassword:False, LockKeyboard:False, EnableSOL:False. fail with result:0x80072F8F

[1, PID:20500][03/19/2015 14:02:37] :Microsoft.ConfigurationManagement.ManagementProvider.SmsException\r\nSystem error.\r\n at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.AmtWSMan.CheckResult(Int32 result)

at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.AmtWSMan.PrepareNormalBootOption(Boolean enableBypassPassword, Boolean enableLockKeyboard, Boolean enableSOL)

at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.AmtDevice.CleanUpAmtSettings(Object sender, DoWorkEventArgs e)

at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)

at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)\r\nNo details are available for this error.\r\n

Connect to the webui using https://fqdn:16993/ https://fqdn:16993

I reach the webpage I can see my rootca has identified the webpage as the fqdn of the computer / amt device

However, when I attempt to login with my AD credentials, it fails repeatedly.

I have completed the registry fix for IE

Use KVMView

Initializing Viewer...

Using TLS security

Connecting to: fqdn

Using Kerberos authentication

AMT version is 10.0.33

Enabling KVM service access point

Applying KVM settings

The sender was not authorized to access the resource.

Intel.Management.Wsman.WsmanFault

Connecting to: fqdn

Using Proxy 127.0.0.1:57705

Disconnected

A few things I have noted:

1. I was only able to complete the 3 task sequences when I disabled CRL checking. However, when I check the CRL Distribution Point of the certificate, and plug in the URL, the .crl file opens right up. If I have CRL checking enabled, I receive the following error in the amtopmgr.log:

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 3/19/2015 9:17:24 AM 4904 (0x1328)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 3/19/2015 9:17:24 AM 4904 (0x1328)

Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 3/19/2015 9:17:24 AM 4904 (0x1328)

DoWSManDiscovery failed with user name: admin. SMS_AMT_OPERATION_MANAGER 3/19/2015 9:17:24 AM 4904 (0x1328)

2. Although all 3 task sequences have completed, if I login to the MEBx in the bios

A. The admin password has NOT been set (although defined in my profile)

B. The current provisioning Mode says PKI, Provisioning Record says "Provision Record is not present"

C. I have pulled the cmos battery, reimaged the machine, & provisioned the computer dozens of times (after every change I made to ensure nothing was left behind)

D. I can see my CA issue a certificate each time I run the Intel AMT: Configuration task sequence

Thank you for any help you can provide,

Jay

0 Kudos

Link Copied

1 Reply
Anonymous
Not applicable
‎03-20-2015 02:11 AM
572 Views

Hi Jay,

Sounds like you've made some good progress and you have provisioned Intel AMT systems using SCS and remote configuration using certificates!

However integrating AMT into an SCCM environment does require some additional steps related to setting up Kerberos, certificates and ACL's correctly so please contact the Intel® Business Support portal (https://bizsupport.intel.com/ https://bizsupport.intel.com/) and register. You can then log a ticket and get access to Intel vPro experts who can get you up and running.

Regards

- Martin.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.