Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2981 Discussions

WinRM Scripting and WS-MAN Translator

idata
Employee
‎06-13-2008 04:32 AM
1,793 Views

I have a couple of questions about using WinRM scripting with the WS-MAN translator (which I need to use because I have some Intel Centrino Pro laptops) and the types of authentication available

I am using MS SCCM SP1 to provision my client systems which consist of HP7800 systems (upgraded to AMT 3.2.1 firmware) and HP6910P systems (using AMT 2.6 firmware). I provision my systems using MS SCCM SP1 and use a Windows security group in the MS SCCM AMT settings to control which Windows users can access the Management Controller. This all works well

I want to write WinRM scripts to automate some configuration and management tasks for these clients. I used the examples provided with the WS-MAN source code package and these work nicely with my HP7800 systems. I started with simple GetVersionInfo.VBS example and Basic/Digest authentication which required me to manually add a user to my Management Controller using the AMT web interface, and then I graduated to Kerberos authentication which works with no requirement to touch the client after it has been provisioned because MS SCCM has configured Kerberos during the provisioning process

My question involves using the scripts with clients that need to use the WS-MAN translator. I tried using Basic authentication and this worked OK when I manually added an admin type user to my Management Controller using the AMT WebUI. But I do not want to have to manually add users to each of my laptop clients so I switched to Kerberos and now I get an access denied message from the script which got me to thinking how the WS-MAN translator could work with Kerberos

So my questions are :-

1. Can I configure the WS-MAN translator so that it can use Kerberos authentication with my Intel Centrino Pro clients so that after provisioning using MS SCCM I can use the scripts immediately, and how do I do this ?

2. If I cannot use Kerberos authentication with the WS-MAN translator, is there another way of using WinRM scripts with my laptops which does not require me to manually add in credentials to each client after provisioning has been performed by MS SCCM ?

Any help would be very useful

vProUser

0 Kudos

Link Copied

1 Reply
Steven_D_Intel1
Employee
‎07-15-2008 05:41 AM
772 Views

WS-MAN translator can use Kerberos authentication with clients immediately following provisioning by SCCM, by enabling Kerberos delegation

For testing purposes, check the Trust computer for delegation option in the General tab of the computer account (hosting the WSMAN translator) in Active Directory Users and Computers and reboot the computer hosting the WSMAN translator. Now the WSMAN translator can impersonate whoever is logged on and running WinRM scripts that use the translator to access Intel vPro platforms

For production purposes, might be worth investigating a more constrained approach for delegation rather than delegating to anything running under the computer account. Microsoft have a useful document titled "Troubleshooting Kerberos Delegation" which explains the available options

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.