Thanks for the quick and thorough explanation.
Re: PCI Simple Comm & PCI Serial Port - drivers
Re: AMT Unauthorized
Hi,
I have the same issues. Any news on this topic? I am using a Fujitsu Q170 mainboard with the latest BIOS, but I guess this is not important, since it is a KVM issue.
It seems to be related to AMT 11.0 (no issues with earlier versions).
Thanks
Regards
tkl
Cannot connect to RCS behind firewall
The server hosting the RCS has its firewall enabled. I cannot connect to it using the SCS Console from a client PC or from the SCCM server during the SCCM Add-on installation. I know there is a small section in the manual that states:
--------------------------------
If you install the RCS on a computer that is protected by a firewall, you might receive error messages when you
try to connect to the RCS.
Solution:
You must make sure that the firewall is configured to enable the WMI to connect to the RCS. For more
information, refer to the Microsoft Developer Network:
http://msdn.microsoft.com/en-us/library/aa389286(VS.85).aspx
--------------------------------
However, this doesn't help in any way. I click the link but the page talks about using VBScript. If I disable the firewall on the RCS server I can connect, so it's obviously a firewall issue; the question is which port(s) do I need to open? If I capture the traffic on my PC while trying to connect to the RCS server I see attempts to connect on port 135, but I have tried enabling the rule "Windows Management Instrumentation (WMI-In)" on the server with no luck.
Any ideas?
Graham
Re: AMT Unauthorized
Hello,
Intel support said they are aware of this problem and have provided updated firmware to sellers, in my case HP. They asked me to contact HP support to get it and can't give it to me directly (strange).
HP support will publish this update in April!
So we are still waiting.
In the meantime I found that updating the firmware or BIOS with the same version unlocks the grace period (we did that each time it happened, every 24 days).
Maybe you will have more luck with Fujitsu support.
Re: AMT Unauthorized
Intel ME FW comes from Intel to all OEMs, but it has to be validated by each OEM with their HW design and BIOS (and version) design.
There is a potential risk that if you update Intel ME FW to a version not validated by the OEM, some features, especially those which require BIOS module support (SOL/IDE-R or USB-R, and partially KVM), may not work properly anymore.
In such a case you will create an "OEM unsupported" configuration; in case of issues you will be on your own, as the OEM may not support it.
If there is a significant change/fix in ME FW due to features/performance, the Version Control Number in the ME FW is increased; if a security issue is being fixed, the Security Control Number is increased. With the Intel ME FW update process/tool you may update to FW with equal or higher SCN/VCN numbers, but not to a lower one (where there are known issues/bugs).
This is why Intel can't provide the ME FW update directly to you: if you upgrade to a higher SCN/VCN and it does not work well with the OEM BIOS (not validated config), you won't be able to roll back to the previous ME FW; the existing ME FW will prevent it.
You have to escalate your issue to the OEM to expedite their validation efforts (not guaranteed it will help, but let the OEM feel and share your pain).
Dariusz Wittek
Intel EMEA Biz Client Technical Sales Specialist
Re: Cannot connect to RCS behind firewall
Graham,
You need WMI-In TCP port 135 to be opened to allow the SCS Console to connect; otherwise you will get a Timeout error in the SCS Console.
Make sure that you use the right RCS server IP or FQDN.
+
You need to enable the AD user of the SCS Console in the RCS WMI namespace and DCOM permissions on the RCS; otherwise you will get an Access Denied error message in the SCS Console.
The best way is to use the RCSutils.exe tool with the /Permissions Add command.
See the SCS User Guide section called User Permissions Required to Access the RCS (3.8 for SCS 11.1).
rgds
Dariusz Wittek
Intel EMEA Biz Client Technical Sales Specialist
Re: Cannot connect to RCS behind firewall
Thanks for your reply Dariusz,
I tried this but it doesn't seem to make any difference; I still cannot connect. However, before that I managed to discover, by process of elimination, the correct ports to open on the firewall. If I opened up TCP 135 (not the built-in rule for WMI-In) and also a port range of 50000-55000 I was able to connect from my PC and from the SCCM Add-in wizard. I would still prefer to do it the correct way. Can you advise? Should I open a support ticket?
Thanks, Graham
Re: Cannot connect to RCS behind firewall
It is working now. I needed to enable the three rules:
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
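The three rules Graham ended up enabling are the whole "Windows Management Instrumentation (WMI)" rule group: DCOM-In admits the RPC endpoint mapper on TCP 135, WMI-In admits the winmgmt service on whatever dynamic RPC port the endpoint mapper hands out, and ASync-In admits unsecapp.exe for asynchronous callbacks. The dynamic port range is the machine's RPC range, which is why an ad-hoc 50000-55000 hole happened to work. The following PowerShell is an added example, not from the thread or from Intel; it enables the group on the RCS host, shows which ports each rule actually covers, and checks the path from the console machine. The host name rcs01.example.local is an assumption.

```powershell
# Added example (not from the original thread). Run the first part elevated on
# the RCS server, the second part on the SCS Console / SCCM machine.
# The RCS host name below is an assumption; substitute your own.
$rcs   = 'rcs01.example.local'
$group = 'Windows Management Instrumentation (WMI)'

# --- On the RCS server: enable the three rules as one group -------------------
Enable-NetFirewallRule -DisplayGroup $group

# Show what is now enabled. DCOM-In reports local port 135; WMI-In and ASync-In
# report "RPC", i.e. a dynamic port allocated by the endpoint mapper at connect time.
Get-NetFirewallRule -DisplayGroup $group -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            LocalPort = $port.LocalPort
            Program   = $app.Program
        }
    } | Format-Table -AutoSize

# The dynamic range behind "RPC". If a perimeter firewall sits between the console
# and the RCS, this is the range it must pass (or that you narrow deliberately),
# not a guessed block of ports.
netsh interface ipv4 show dynamicport tcp

# --- On the console machine: is the endpoint mapper reachable at all? ---------
if (-not (Test-NetConnection -ComputerName $rcs -Port 135 -InformationLevel Quiet)) {
    throw "TCP 135 on $rcs is blocked: firewall / routing problem, not permissions."
}

# A remote DCOM/WMI call to a generic namespace exercises the same transport the SCS
# Console uses. A timeout here still points at the firewall (dynamic RPC port);
# "Access denied" points at the WMI namespace / DCOM permission step instead.
Get-WmiObject -ComputerName $rcs -Namespace root\cimv2 -Class Win32_OperatingSystem |
    Select-Object CSName, Version, LastBootUpTime
```

The Get-WmiObject call is only a transport check against root\cimv2; it says nothing about whether the console user has been granted rights in the RCS-specific namespace, which is the separate RCSutils.exe /Permissions Add step Dariusz describes.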
Intel SCS Add-on Installation Error
I'm trying to install the SCS Add-on for ConfigMgr and I'm running into an error right after launching setup. The error is:
Failed to identify the SCCM installation.
I'm running a standalone Primary Site on System Center Configuration Manager, Current Branch, build 1702. I have tried installing the SCS Add-on from my own workstation, which has the ConfigMgr console installed, from the Site Server, and from another test VM, all of which have the console installed, and I've verified they connect to the site, work, etc.
The Site Server does not have a SMS Provider installed on it, rather 2 other servers have SMS Providers installed on them. Is the Intel SCS add-on installer looking for the WMI namespace on the Site Server, failing, and producing the error I'm seeing?
Is there any way I can get a hold of the files which are extracted / installed by the installer and manually install the add-on / console extension?
Edit: I should've included the contents of the SCCMAddon.log file. Here it is:
2017-03-28 16:56:58,965 - DEBUG: Starting
2017-03-28 16:56:58,971 - INFO : Starting Log
2017-03-28 16:56:58,972 - INFO : Version: 2.1.8.10
2017-03-28 16:56:59,036 - INFO : No previous settings found.
2017-03-28 16:56:59,160 - DEBUG: Entering SettingsViewModel.ctor
2017-03-28 16:57:01,265 - FATAL: Failed to identify the SCCM installation.
System.InvalidOperationException: Sequence contains no elements
at System.Linq.Enumerable.First[TSource](IEnumerable`1 source)
at SCCMConfig.DAL.SCCMProber.GetSCCMInstallationFolder64bit(Architecture& pArchi)
at SCCMConfig.DAL.SCCMProber.GetSCCMInstallationFolder(Architecture& pArchi)
at SCCMConfig.DAL.SCCMProber.Detect()
at SCCMConfig.Actions.ActionPerformer.Detect()
at Intel.SCS.ACIWizard.ViewModel.WelcomeViewModel.<Init>b__8()
Message was edited by: Scott Metzel
Re: Intel SCS Add-on Installation Error
hey there Scott,
I'm hoping that you wouldn't mind opening up a ticket at:
Under Software: Intel SCS
I'd take care of this for you, however, I don't have enough info to open the ticket, like your contact information, how many systems you're deploying, etc...
Looking forward to working with you.
Regards,
Michael
Re: Intel SCS Add-on Installation Error
Thank you Michael. I filed a ticket a few minutes ago. If you need the ticket # posted here, please let me know. Otherwise it can be found by my name.
Re: Intel SCS Add-on Installation Error
Hey there Scott,
Yes, got the ticket and will be responding soon through that system. Looking at it now.
Regards,
Michael
Trouble logging in via web UI
Yesterday I provisioned my first AMT machine via SCCM Task Sequence & RCS. It truly was a beautiful moment after days / weeks of pain. I can connect via Commander using my AD creds (Kerberos & TLS) just fine but no matter what I try I cannot login via Web UI. I have tried IE, Chrome and Firefox. All display slightly different results. If I use IE I receive the username / password prompt but no matter what I enter I cannot login. I do not receive the username / password prompt in Chrome or Firefox.
I'm thinking it might have something to do with the client certificate. I followed section 9.2.5 of the SCS guide when defining the certificate template. Any ideas? Many thanks in advance.
HLAPI: Kerberos authentication with mutual TLS and currently logged on user (blank credentials)
Hi everyone,
I am trying to use the Intel AMT HLAPI to make a connection to an AMT device that has been provisioned to use Kerberos authentication and mutual TLS.
The machine I am connecting from has a valid certificate for mutual TLS, the subject is CN=<machine_fqdn>.
The connection works fine if I enter the username:
ci = new ConnectionInfoEX("<target_machine_fqdn>", "<domain\\username>", "<password>", true, "CN=<machine_fqdn>", ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
However, if I try to use the currently logged in user on the machine where I run this command from (I saw that this works by leaving the user and password blank):
ci = new ConnectionInfoEX("<target_machine_fqdn>", "", "", true, "CN=<machine_fqdn>", ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);
it fails in GetVersionWSMan() in AMTInstanceManager line 922 after a few seconds (4-5). The exception is:
{Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected ---> Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected
at Intel.Management.Wsman.HttpTransport.GetResponse(String method)
at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc, String soapCmd)
at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc)
at Intel.Management.Wsman.WsmanConnection.RetryLoop(XmlDocument reqDoc, Exception& resultExp)
--- End of inner exception stack trace ---
at Intel.Management.Wsman.WsmanConnection.SendObjectRequest(String msgId, XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)
at Intel.Management.Wsman.WsmanConnection.SubmitRequest(XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)
at Intel.Management.Wsman.WsmanConnection.SubmitRequest(String requestString, IManagedReference refObj, IManagedInstance input)
at Intel.Management.Wsman.ManagedReference.Get()
at Intel.Manageability.Impl.AMTInstanceManager.GetVersionWSMan() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 922
at Intel.Manageability.Impl.AMTInstanceManager.SetVersionInfo() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 868}
System.Exception {Intel.Management.Wsman.WsmanConnectionException}
If I provision the machine to use only server TLS (not mutual), from the same machine I ran the code above, both connecting with username and password blank (so using the currently logged on user) and connecting by entering the user in ConnectionInfoEx works fine. The only difference from the commands above is that the certificate is an empty string "".
My only conclusions so far:
- It works with mutual TLS by entering the credentials manually, so the TLS mutual certificate is correct.
- It works with server TLS by leaving the credentials empty, it indeed uses the current user, so that is not the problem
- It works with entering the same user that's logged in manually, so it cannot be a permission issue
If anyone came across this, or has any idea how I could find the cause for the exception, I would be most grateful.
Re: Trouble logging in via web UI
Hey there Graham,
Nice detail on the post. This is an issue we are aware of, and it has to do with some registry settings for IE (which would also affect Chrome, Firefox, etc.).
Please follow this link:
I'd make the modifications for both x86 and x64; this is really about the version of the browser you are running rather than your OS. The patch, however, should already be applied in newer versions; you just need to make the registry modifications. Also, you will need to restart your browser.
Let me know if this fixes the issue.
Michael
Re: Trouble logging in via web UI
Graham,
As Michael responded, you need to enable the web browser to use Kerberos authentication over non-standard ports (the Intel AMT ports).
You need to do it for any version of MS Internet Explorer anyway; see more details in the Intel AMT SDK Implementation and Reference Guide, online version:
https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fusingactivedirectorytomanageintelamtdevices.htm
(BTW - check this site home - it provides very useful explanation of AMT technology).
So you need to add two registry entries; you can use the following commands. Make sure you have enabled "Enable Integrated Windows Authentication" (in Internet Options > Advanced), restart the web browser and enjoy your Kerberos access.
rgds
Dariusz Wittek
Intel EMEA Biz Client Technical Sales Specialist
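Dariusz's reg add commands did not survive on this page. The setting behind them is Internet Explorer's IncludePortInSPN value: by default IE builds the Kerberos service principal name as HTTP/<fqdn> with the port stripped, while the AMT device's AD object holds SPNs that include the port (for example HTTP/<fqdn>:16993 for the TLS web UI), so the ticket request targets a name nobody holds. The PowerShell below is an added example, not Intel's or the thread's commands; it sets the value under both the native and the Wow6432Node hives and reads them back. Run it elevated and restart the browser afterwards. The AMT host name used in the usage note is an assumption.

```powershell
# Added example (not from the original thread): make Internet Explorer include the
# TCP port in the Kerberos SPN it requests, so HTTP/<amt-fqdn>:16992 / :16993 match
# the SPNs registered for the AMT device's AD object. Run elevated.
$valueName = 'IncludePortInSPN'
$paths = @(
    # 64-bit IE / WinINet on x64 (and all IE on x86)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    # 32-bit IE on x64 reads the Wow6432Node copy
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)

foreach ($p in $paths) {
    # The Wow6432Node branch only exists on 64-bit Windows; skip it cleanly elsewhere.
    if (-not (Test-Path -Path $p)) {
        Write-Verbose "$p not present on this OS, skipping"
        continue
    }
    New-ItemProperty -Path $p -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read back: expect 1 under every path that exists. A missing value means the
# browser will keep requesting a port-less SPN and fall back to the NTLM/Digest prompt.
foreach ($p in $paths) {
    $current = Get-ItemProperty -Path $p -Name $valueName -ErrorAction SilentlyContinue
    '{0,-80} {1} = {2}' -f $p, $valueName, $(if ($current) { $current.$valueName } else { '<not set>' })
}
```

To confirm the other half of the pairing, query AD for the SPN the browser will now request, e.g. `setspn -Q HTTP/desktop01.example.local:16993` (host name assumed); it should resolve to the AMT device's computer object rather than to nothing. The IncludePortInSPN value is read by IE's own WinINet/SSPI stack; the thread does not say what Chrome or Firefox do with it, so a separate check in those browsers is still needed.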
HLAPI: Kerberos authentication - getting the realms of a user from a machine that is not in the domain
Hi everyone,
I am trying to connect to an AMT machine that is provisioned with Kerberos authentication (no TLS at this point), using the HLAPI. The connection is done from a machine that is not in the same domain as the users defined for Kerberos authentication.
The connection to the machine works fine:
amt = AMTInstanceFactory.CreateEX(ci);
After I connect, I need to get the realms of the user. If I attempt:
KerberosEntry kerberosUser = amt.Config.ACL.GetKerberosUser(ci.UserName);
List<Realm> realms = kerberosUser.Realms;
it fails with an exception with failure: Intel.Manageability.Exceptions.ACLFailures.UserNameDoesNotExists
This probably makes sense, since the HLAPI GetKerberosUser() function uses the system functions to get the SID of the given username:
string sid = (userNameOrSID.Contains("\\")) ? GetUserNameSID(userNameOrSID) : userNameOrSID;
and GetUserNameSID tries:
NTAccount account = new NTAccount(userName);
SecurityIdentifier sIdentifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
It cannot translate the username to an SID because the object does not exist in the Active Directory this machine is part of.
My question is: can somehow the SID of the user that was used for Kerberos authentication be obtained from the AMT machine (AMT instance), instead of trying to resolve it locally from the machine where the connection is initiated?
If I could run the GetKerberosUser function giving directly the SID as parameter, instead of username, it would probably succeed and get the realms correctly.
Any advice would be greatly appreciated. Thanks in advance.
Re: Trouble logging in via web UI
Thanks chaps,
Following your replies I found some other threads related to this - it seems quite a common problem. Anyway I found this thread where Dariusz has provided the Reg add commands. I entered these and confirmed that I have integrated auth enabled within IE advanced settings. I can now log on to Web UI using IE. However I still have the same error message in Chrome & Firefox. It is not the end of the world as we can use IE but I just wondered why this might be?
Many thanks for your continued help. Happy to say we are now mostly up and running with AMT.
Regards,
Graham
Time Synchronization issue
So it seems that I have one final issue before I start deploying AMT across my campus. The test machines show the time as being 1 hour behind within AMT interface however inside the OS and BIOS it shows the correct time. I have the option "Synchronize Intel AMT clock with operating system" ticked within the profile used to configure the client. I found this but I'm not sure what I can do with this information. Is time synchronization a one-time only thing during initial configuration or should it synchronize on an on-going basis?
Thanks,
Graham
Re: Time Synchronization issue
Graham,
Intel AMT uses Coordinated Universal Time (UTC) (https://www.timeanddate.com/time/aboututc.html); depending on the location of your system it may be ahead of or behind your time zone's time.
From your description I guess you are somewhere in Europe.
The AMT clock is set during configuration to a source that depends on your selection in the AMT Profile System Settings: RCS server time or vPro PC local OS time (if you select the appropriate option). It is always set in UTC regardless of the time sync source, RCS server or local OS time.
See also the AMT time sync description in the Intel(R) AMT SDK Implementation and Reference Guide.
As you pointed out in the reference, Intel AMT Kerberos authentication uses time stamping; the AMT Kerberos clock tolerance is 5 minutes (0h05m00s). If the AMT UTC time differs from the AD controller's UTC time by more than 5 minutes (even 5m1s), Kerberos authentication will not work anymore. You will have to resync the AMT time to AD time using Digest authentication.
In the Intel SCS User Guide you will find descriptions of maintenance tasks/jobs; one of their options is to resync the AMT time. There are other things you should resync: renew the ME $iME AD computer object password (before it expires according to AD policy) or renew the AMT TLS cert.
In the SCS User Guide Intel advises resyncing the AMT clock every 2 weeks.
I have configured multiple systems in my demo lab; I have noticed that after over 30 days the AMT time differs by just a few seconds, but your environment may behave a bit differently.
rgds
Dariusz Wittek
Intel EMEA Biz Client Technical Sales Specialist