Time Synchronization issue

GRile · ‎04-04-2017

So it seems that I have one final issue before I start deploying AMT across my campus. The test machines show the time as being 1 hour behind within AMT interface however inside the OS and BIOS it shows the correct time. I have the option "Synchronize Intel AMT clock with operating system" ticked within the profile used to configure the client. I found https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/usingactivedirectorytomanageintelamtdevices.htm this but I'm not sure what I can do with this information. Is time synchronization a one-time only thing during initial configuration or should it synchronize on an on-going basis?

Thanks,

Graham

Dariusz_W_Intel · ‎04-04-2017

Graham,

Intel AMT uses Coordinated Universal Time (UTC) -(https://www.timeanddate.com/time/aboututc.html https://www.timeanddate.com/time/aboututc.html) depending on location of your system it may be ahead or behind of your time zone time.

From your description I guess you are somewhere in Europe

AMT clock is set during configuration to source that depends on your selection in AMT Profile System Settings - RCS server time or vPro PC local OS time (if you select appropriate option). It is always set to UTC format regardless of time synch source: RCS server or Local OS time.

see also AMT Time sync description in : https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=HTMLDocuments/WS-Management_Class_Reference/AMT_TimeSynchronizationService.htm Intel(R) AMT SDK Implementation and Reference Guide

As you pointed to reference - Intel AMT Kerberos authentication uses time stamping -AMT Kerberos Clock tolerance is 5 minutes (0h05m00s) if AMT UTC time differs from AD controller UTC time by more than 5 min (even 5m1s) - Kerberos Authentication will not work anymore. You will have to resynch AMT time to AD time using Digest authentication.

In Intel SCS user guide you will find descriptions of Maintenance task/jobs - one of their option it to resynch AMT time. There are other things you shall resynch - renew ME $iME AD computer object password (before it expires according to AD policy) or renew AMT TLS cert.

In SCS User Guide Intel advises to resynch AMT clock every 2 weeks.

I have configured multiple systems in my demo lab - I have noticed that after over 30 days AMT time differs by just few seconds, but your environment may behave bit differently.

rgds

Dariusz Wittek

Intel EMEA Biz Client Technical Sales Specialist

GRile · ‎04-05-2017

Hi Dariusz,

Thanks again for your help. I am located in UK (British Summer Time (BST) +0100 UTC). I have just provisioned another AMT client and still the AMT time shows 10:18 whilst the BIOS an OS show 11:18. I have the option "Synchronize Intel AMT clock with operating system" ticked within the profile used to configure the client.

I understand your point regarding the requirement to periodically run Maintenance task/jobs however are you suggesting that immediately following the initial AMT configuration I need to run an additional job to correctly set / synchronize the time?

Regards,

Graham

GRile · ‎04-11-2017

Hi Dariusz,

I just wondered if you had any more advice on this? Do you think it might be worth opening a support ticket as clearly the time does not sync during configuration.

Regards,

Graham?

Dariusz_W_Intel · ‎04-12-2017

Graham,

Intel AMT internal clock will always be in UTC time zone. BIOS & OS will be in time zone depending on physical location of the system, so except of ...Iceland -there will always be difference of AMT time vs. OS time -it is normal and no need to raise support ticket.

You are in BST which is UTC +1 - see http://www.timeanddate.com http://www.timeanddate.com

Computer systems (including AD controller) know both UTC time and their time zone (so = time zone specyfic time) and know how to use it properly - this includes MS AD Controller - Kerberos Ticket Granting Server. it will know that Kerberos ticket is time stamped with UTC time and will compare it to UTC time of Intel AMT - as long as each side actual UTC time does not differ more than 5 min 00 sec it will work.

Maintenance job I mentioned is to resynch AMT time back to UTC exact time -mostly seconds and minutes. You do not have to do time synch just after configuration - it is done as part of provisioning process already.

As I said Intel recommends to resynch AMT time to exact UTC time (ex. from MS AD controller via RCS) every 2 weeks.

My experience shows that over 30 + days time difference is only few sec so if you will resynch time less often you shall be fine.

rgds

Dariusz Wittek

Intel EMEA Biz Client Technical Sales Specialist

GRile · ‎04-12-2017

Hi Dariusz,

Please accept my apologies, I now understand that AMT clock will only ever be set to UTC.

As ever, thank you for your assistance.

Regards,

Graham