Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
1,479 Views

WebUI not accepting password

I have deployed SCCM SP2 with R3 and setup/configured OOB for AMT. I've successfully provisioned several computers and I'm trying to figure out how to get into the WebUI. In SCCM I've configured in OOB Management Settings/AMT Settings tab, a domain group and a domain user. I've tried a user within the group and no luck. I've tried the domain user and no luck. Any reason?

0 Kudos
7 Replies
AList1
Novice
86 Views

Hi,

There could be quite a few reasons. I have found some limitations on our end that caused us not to be able to access the WebUI. I note them below, the main takeaways are that if you are using Active Directory authentication, Kerberos ticket size is a major problem and making sure to use the FQDN to access the machine. Try the below steps and see if it helps, I actually had to create a test AD user to access the WebUI in a VM since my accounts have way too many groups for it to handle.

Address

http:// http://{Computer FQDN}:16992/

Notes

Due to the limitations of both Windows and AMT the following has to be taken into consideration for this to work.

  1. Must be accessed via Internet Explorer versions 6 through 8
  2. Registry key outlined in http://support.microsoft.com/kb/908209 KB908209 must be added (requires Logoff/on to work after addition and does not require hotfix only registry addition unless using IE 6 and old Service Pack)
  3. Must use FQDN, IP address or NetBIOS name will not work as Kerberos authentication will fail against the SPN (Service Principle Name)
  4. Integrated Windows Authentication should be turned on (though it may still prompt)
  5. Kerberos ticket size must be under 4KB (i.e. no user account with a large number of groups)

-Adam

idata
Community Manager
86 Views

The most common issue I see is the registry key entry that alistek mentioned in item two of his post. You need to configure to add the registry settings in order for Kerberos authentication to work between IE and AMT. Are you just seeing a problem with the WebUI? How is the Out of Band Management Console in SCCM working?

idata
Community Manager
86 Views

Guys, the registry mod worked. I guess I need to write a script to deploy to everyone. People at home will need this to wake up their machine after they VPN into the network during the late hours. I did find that in the 6.0 release of the demo enviroment, Intel has included a PowerShell GUI for similiar commands. How do you guys have the helpdesk manage power on's or reboots when trying to work on a workstation?

THANK YOU!

I'm going to put it here, just in case someone needs it.

About the OOB Management Console from SCCM, at best I would rate it a 3 on a 1-5 scale. It's sporadic in what I've seen and it seems the Serial connection to the BIOS is "ok" but nothing I would recommend.

http://support.microsoft.com/kb/908209 http://support.microsoft.com/kb/908209

After you install the hotfix, you must add the FEATURE_INCLUDE_PORT_IN_SPN_KB908209 registry key, and then set its DWORD value to iexplore.exe. To do this, follow these steps.

For 32-bit computers

  1. Click Start, click Run, type regedit, and then click OK.

     

  2. In the left pane, locate and then click the following registry subkey:

     

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

  1. On the Edit menu, point to New, and then click Key.

     

  2. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.

     

  3. On the Edit menu, point to New, and then click DWORD Value.

     

  4. Type iexplore.exe, and then press ENTER.

     

  5. On the Edit menu, click Modify.

     

  6. Type 1 in the Value data box, and then click OK.

     

  7. Exit Registry Editor.

     

For 64-bit computers

  1. Click Start, click Run, type regedit, and then click OK.

     

  2. In the left pane, locate and then click the following registry subkey:

     

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl

  1. On the Edit menu, point to New, and then click Key.

     

  2. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.

     

  3. On the Edit menu, point to New, and then click DWORD Value.

     

  4. Type iexplore.exe, and then press ENTER.

     

  5. On the Edit menu, click Modify.

     

  6. Type 1 in the Value data box, and then click OK.

     

  7. Exit Registry Editor.

     

AList1
Novice
86 Views

Glad to hear that worked, I had just figured all that out about 2 days ago when I got frustrated with it not working. In regards to how we have our helpdesk, I have just gotten about 100 out of our 650 machines provisioned. It's appearing as if firmware updates are needed to fix it on our other machines so until then we don't have any integration. I have found that the most reliable way has been Powershell so far but you would need to write some custom integration I suppose.

-Adam

idata
Community Manager
86 Views

I'm thinking of just issueing rights through the SCCM AMT Components section to allow all users to use WEBUI. That way, they can turn on their machiens while at home when they need to RDP in. Also, the helpdesk can get the machine name and turn on, off or reboot the systems.

idata
Community Manager
86 Views

James,

One thing to keep in mind when it comes to SCCM and AMT permissions is that SCCM applies one ACL to all AMT systems, meaning that you'd give everyone in your company access to AMT on everyone's machine. That means anyone could turn anyone else's system on or off.

If you want to give specific users access to the computers assigned to them via the WebUI, you would have to do your own supplemental configuration and update each machine's ACL independently, after SCCM had provisioned the systems. While this is possible, it would require some work to automate it and keep it all straight. If you ever re-assign a system, or have to reprovision it in SCCM, you'd have to re-run this supplemental configuration.

What I would recommend is creating a separate web tool that would leverages the AMT PowerShell module and uses a hidden process account to actually send the power control commands to AMT. You could control access to which users have access to which PC's in this app, and also lock down which actual power commands they can send. For instance, you may only want to give them the ability to power on their systems, but not power them off since the AMT power off function is not a graceful shutdown for Windows, and could interrupt automated software updates you may have running off hours. This method would also save you from having to manage the supplemental configuration required for individual users to access only their assigned machines.

idata
Community Manager
86 Views

Dan, I agree with you 100%. However, the time I'm have left at this client is not allowing me the time to create this. But, I'm glad you noted that on this thread.

Thanks,

James

Reply