I've been working on setting up SCS following the info in the SCS Deployment Guide and the SCS User Guide. There are some things that appear to conflict between the guides, but I'd like to be sure. Regarding the certificate templates to set up on your CA, the configuration for the certificates is different. One says to duplicate the Web Server template, and the other says to duplicate the User certificate. One has you add a couple of additional cryptographic providers; the other only asks you to add the Microsoft Strong Cryptographic Provider. One has you add two OIDs; the other does not. Which way is the correct way?
I'm a bit curious about how this template is used as well. As machines are added to the SCS, does it hand out a certificate to them based on that template?
I will likely have more questions as things move along, because it would be really nice for there to be a step-by-step guide on how to implement this, but I can't seem to find one, so I am winging it a bit. Thanks for your attention.
Thank you for contacting Intel AMT Community Support.
Please allow me some time in order to verify the details provided.
As soon as possible, I will be contacting you back in order to proceed with the next step and provide you the most accurate information.
Just following up on this. Any news?
Also, I just attempted to install the Provisioning Certificate I purchased from GoDaddy for the NetworkService to use. I am following the instructions in the Intel SCS Deployment Guide, using the RCSUtils.exe utility. The certificate seemed to install OK, but when I run RCSUtils.exe /Certificate View /RCSUser NetworkService /Log File ViewCert.log, I get the following in the log:
2020-04-21 1:40:21 PM: Intel(R) SCS Utils log, running user: CORPSERVICES\mikeadmin
2020-04-21 1:40:21 PM: -------------------------------------------------------------------------------
2020-04-21 1:40:22 PM: Waiting for the task scheduler to run the requested task using the Network Service account (can take up to 60 seconds).
2020-04-21 1:40:24 PM: Waiting for the task scheduler to run the requested task using the Network Service account (can take up to 60 seconds).
2020-04-21 1:40:24 PM: -------------------------------------------------------------------------------
2020-04-21 1:40:24 PM: Exit status for the running user CORPSERVICES\mikeadmin:
2020-04-21 1:40:24 PM: Failed to impersonate to the user - Element not found. (Exception from HRESULT: 0x80070490).
Any suggestions on how to deal with this?
Both guides are technically correct. Either is appropriate and both will ultimately get you where you need to be, but I also agree that they are inconsistent with one another. This is something we've noted and will look into getting both guides consistent between the two.
There are many different options of different templates that can be used to base the TLS certificate off of. The easiest would be the webserver template, as it will already have all the requirements AMT needs in place. As far as the cryptographic providers, the different providers give you access to different SHA algorithms. Generally, select the Microsoft enhanced cryptographic provider.
The user guide does say duplicate the user template, but you have to add server authentication.
The referencing of two OIDs is because there is a list of OIDs for remote configuration certificates that reference the Certificate Authorities certificates for remote configuration. The second is for a more rarely used mutual authentication certificate.
Regarding the error when running RCSUtils.exe, I was unable to duplicate your issue and it is looking like a permissions issue. In the SCS User Guide, please ensure the mikeadmin account has the appropriate access. See section 3.8.2 in the user guide:
Thanks for the info about the certificate templates. Regarding the RCSUtils.exe and permissions, I am logged into the server as an administrator and I am running the RCSUtils.exe file elevated. The section of the document you provided seemed to imply that was all I needed, unless I missed something?
By any chance, is there something else I can help you with?
If so, please do not hesitate and let me know and I will be more than happy to assist you.
Yes, I still am having issues with running the RCSUtils.exe to check that the certificate is being used by Network Service. I am logged into the server as an administrator and the RCSUtils.exe file is running elevated. It looks to me like that is all I need according to the document you referred to so I am not sure what to do next.
Thank you for letting us know the information, I will double-check some details and as soon as possible I will be contacting you back in order to proceed with the next step.
The best way to make sure that the certificate is in the network service account certificate store is to use the following "psexec" command:
Certificate store for local user command window
Create pstools off of c:\ and extract
Go to c:\pstools
Command: psexec -I -u "nt authority\network service" cmd
In new window type mmc and add the certificate to add to the store
Please use this method to validate that the remote configuration certificate is in the network service personal store and also view the certificate to make sure there are no errors.
Intel Server Specialist.
Ok, that seems to work. One note for anyone else reading this, the command should be psexec -I -u "nt authority\network service" cmd
I was able to put together a test config and try to apply it to a system. I am now getting these errors:
Date and Time: 2020-05-05 11:10:31 PM
Error Code: 3221246495
Intel AMT FQDN:
Intel AMT IPv4:
Description: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.
Failed while calling
GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error
0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.
Valid certificate for PKI configuration not found.
Can you suggest what I need to fix? Thanks.
I was reviewing your reply and I would like to know if you still need assistance in order to configure the SCS and doing the Remote Configuration?
Reviewing the information provided, I would like to ask you which troubleshooting steps have you performed related to the network setting between the target client system and the RCS server in order to isolate any network issue related to it.
Please verify the network configuration and let me know the outcome.
Well, the test client is able to communicate with the RCS server, if that's what you mean. In fact, the log I posted is from the RCS, so the client is talking to it. Not sure what else I would try. The log seems to be implying an SSL issue, doesn't it?
By any chance, do you have the WS-Management enabled?
Please check in msservices the feature and confirm that it is enabled.
Please let me know the outcome in order to proceed with the next step.
Due to the fact that we have noticed the error related to the SSL connection, I would like to provide you the following information in order to take a deep look into some configuration related to it and make sure that everything is set accordingly:
Please check the following third party link, where you can see more details about how to fix the SSL/TLS errors for instance:
- SSL/TLS Handshake Failed: Server-Side Errors.
- SSL/TLS Handshake Failed – Client errors.
- Incorrect SSL/TLS Certificate.
- And other useful details.
Please let me know if the information helps you in order to proceed with the next step.
I would like to know if you were able to verify the article that I shared with you about the SSL/TLS troubleshooting steps?
If you have more questions, please do not hesitate and let me know and I will be more than happy to assist you.
Intel Server Specialist.