I've been working on setting up SCS following the info in the SCS Deployment Guide and the SCS User guide. So there are some things that appear to conflict between the guides but I'd like to be sure. Regarding the certificate templates to set up on your CA, the configuration for the certificates is different. One says to duplicate the Web server template, and the other says to duplicate the User certificate. One has you add a couple of additional Cryptographic providers; the other only asks you to add the Microsoft Strong Cryptographic Provider. One has you add two OIDs; the other does not. Which way is the correct way?
I'm a bit curious about how this template is used as well. As machines are added to the SCS, does it hand out a certificate to them based on that template?
I will likely have more questions as things move along because it would be really nice for there to be a step-by-step guide on how to implement this, but I can't seem to find one so I am winging it a bit. Thanks for your attention.
Hello,
Thank you for contacting Intel AMT Community Support.
Please allow me some time in order to verify the details provided.
As soon as possible, I will be contacting you back in order to proceed with the next step and provide you the most accurate information.
Best regards,
Emeth O.
Just following up on this. Any news?
Also, I just attempted to install the Provisioning Certificate I purchased from GoDaddy for the NetworkService to use. I am following the instructions in the Intel SCS Deployment Guide, using the RCSUtils.exe utility. The certificate seemed to install OK, but when I run RCSUtils.exe /Certificate View /RCSUser NetworkService /Log File ViewCert.log, I get the following in the log:
2020-04-21 1:40:21 PM: Intel(R) SCS Utils log, running user: CORPSERVICES\mikeadmin
2020-04-21 1:40:21 PM: -------------------------------------------------------------------------------
2020-04-21 1:40:22 PM: Waiting for the task scheduler to run the requested task using the Network Service account (can take up to 60 seconds).
2020-04-21 1:40:24 PM: Waiting for the task scheduler to run the requested task using the Network Service account (can take up to 60 seconds).
2020-04-21 1:40:24 PM: -------------------------------------------------------------------------------
2020-04-21 1:40:24 PM: Exit status for the running user CORPSERVICES\mikeadmin:
2020-04-21 1:40:24 PM: Failed to impersonate to the user - Element not found. (Exception from HRESULT: 0x80070490).
Any suggestions on how to deal with this?
Hello Kimboaticus,
Both guides are technically correct. Either is appropriate but both will ultimately get you where you need to be, but I also agree that they are inconsistent with one another. This is something we've noted and will look into getting both guides consistent between the two.
There are many different options of different templates that can be used to base the TLS certificate off of. The easiest would be the webserver template as it will already have all the requirements AMT needs in place. As far as the cryptographic providers, the different providers give you access to different SHA algorithms. Generally, select the Microsoft enhanced cryptographic provider.
The user guide does say duplicate the user template, but you have to add server authentication.
The referencing of two OIDs is because there is a list of OIDs for remote configuration certificates that reference the Certificate Authorities certificates for remote configuration. The second is for a more rarely used mutual authentication certificate.
Regarding the error when running RCSUtils.exe, I was unable to duplicate your issue and it is looking like a permissions issue. In the SCS User Guide, please ensure the mikeadmin account has the appropriate access. See section 3.8.2 in the user guide:
https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf
Best regards,
Emeth O.
Thanks for the info about the certificate templates. Regarding the RCSUtils.exe and permissions, I am logged into the server as an administrator and I am running the RCSUtils.exe file elevated. The section of the document you provided seemed to imply that was all I needed, unless I missed something?
Hello Kimboaticus,
By any chance, is there something else I can help you with?
If so, please do not hesitate and let me know and I will be more than happy to assist you.
Best regards,
Emeth O.
Yes, I still am having issues with running the RCSUtils.exe to check that the certificate is being used by Network Service. I am logged into the server as an administrator and the RCSUtils.exe file is running elevated. It looks to me like that is all I need according to the document you referred to so I am not sure what to do next.
Hello Kimboaticus,
Thank you for letting us know the information, I will double-check some details and as soon as possible I will be contacting you back in order to proceed with the next step.
Best regards,
Emeth O.
Hello Kimboaticus,
The best way to make sure that the certificate is in the network service account certificate store is to use the following "psexec" command:
Certificate store for local user command window
Get pstools
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Create pstools off of c:\ and extract
Go to c:\pstools
Command: psexec -I -u "nt authority\network service" cmd
In new window type mmc and add the certificate to add to the store
Please use this method to validate that the remote configuration certificate is in the network service personal store and also view the certificate to make sure there are no errors.
Best regards,
Emeth O.
Intel Server Specialist.
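A scripted version of the check described in the post above, as an added example that is not part of the original thread or of Intel's documentation. It assumes PowerShell is started from the command window that psexec opened as Network Service, so that `Cert:\CurrentUser\My` is that account's personal store; the Server Authentication OID is the standard value, not one quoted in the thread, and revocation checking is skipped as an assumption for offline servers.

```powershell
# Run from powershell.exe started inside the Network Service command window
# opened with psexec; otherwise CurrentUser is the wrong account.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # standard Server Authentication EKU (assumption: not from the thread)

# Confirm which account this shell is really running as
"Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs carried by the certificate (empty if no EKU extension)
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain as this account sees it; revocation is not checked here
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey          # must be True for the service to use it
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        ServerAuthEku = $ekuOids -contains $serverAuthOid
        ChainBuilds   = $chainOk                     # False if an intermediate or root is missing
        ChainStatus   = $chainStatus
        EkuOids       = $ekuOids -join ', '
    }
} | Format-List
```

An empty result means the certificate is not in the Network Service personal store at all; `HasPrivateKey = False` or `ChainBuilds = False` points to an incomplete import rather than a missing certificate.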
Ok, that seems to work. One note for anyone else reading this, the command should be psexec -I -u "nt authority\network service" cmd
I was able to put together a test config and try to apply it to a system. I am now getting these errors:
Operation: Configuration
Date and Time: 2020-05-05 11:10:31 PM
Error Code: 3221246495
Severity: Failure
UUID:
Intel AMT FQDN:
Intel AMT IPv4:
Server Name:
Description: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.
Failed while calling
WS-Management call
GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error
0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.
Valid certificate for PKI configuration not found.
Can you suggest what I need to fix? Thanks.
Hello Kimboaticus,
I was reviewing your reply and I would like to know if you still need assistance in order to configure the SCS and doing the Remote Configuration?
Best regards,
Emeth O.
Yes, I am getting errors as shown in my previous post. I posted part of the log from a configuration attempt I made on a test machine.
Hello Kimboaticus,
Ok, let me double-check some details in order to provide you the most accurate information for this scenario.
Best regards,
Emeth O.
Hello Kimboaticus,
Reviewing the information provided, I would like to ask you which troubleshooting steps have you performed related to the network setting between the target client system and the RCS server in order to isolate any network issue related to it.
Please verify the network configuration and let me know the outcome.
Best regards,
Emeth O.
Well, the test client is able to communicate with the RCS server if that's what you mean. In fact, the log I posted is from the RCS so the client is talking to it. Not sure what else I would try. The log seems to be implying an SSL issue, doesn't it?
Hello Kimboaticus,
By any chance, do you have the WS-Management enabled?
Please check in msservices the feature and confirm that it is enabled.
Please let me know the outcome in order to proceed with the next step.
Best regards,
Emeth O.
Yes, the WS-Management service (WinRM) is running on the RCS server and the target machine.
Hello Kimboaticus,
Regarding the SSL error, which troubleshooting steps have you performed in order to isolate the issue?
Regards,
Emeth O.
I don't have any idea on what to troubleshoot with this so I haven't taken any steps other than post the issue on here, hoping to get a solution.
Hello Kimboaticus,
Due to the fact that we have noticed the error related to the SSL connection, I would like to provide you the following information in order to take a deep look into some configuration related to it and make sure that everything is set accordingly:
Please check the following third party link, where you can see more details about how to fix the SSL/TLS errors for instance:
- SSL/TLS Handshake Failed: Server-Side Errors.
- SSL/TLS Handshake Failed – Client errors.
- Incorrect SSL/TLS Certificate.
- And other useful details.
Please let me know if the information helps you in order to proceed with the next step.
Best regards,
Emeth O.
Hello Kimboaticus,
I would like to know if you were able to verify the article that I shared with you about the SSL/TLS troubleshooting steps?
If you have more questions, please do not hesitate and let me know and I will be more than happy to assist you.
Best regards,
Emeth O.
Intel Server Specialist.