Channel: Intel Communities: Message List - Intel® vPro™ Platform

HLAPI: Digest authentication with mutual TLS


Hi everyone,

 

I am trying to use the Intel AMT HLAPI to make a connection to an AMT 11.0 device that has been provisioned to use Digest authentication and mutual TLS.

The machine I am connecting from has a valid certificate for mutual TLS, the subject is CN=<machine_fqdn>.

 

I am using the Sample HLAPI project from Intel, and I also have access to the HLAPI in debug.

I defined the connection as follows:

ci = new ConnectionInfoEX("<target_machine_fqdn>", "<digest_username>", "<password>", true, "CN=<machine_fqdn>", ConnectionInfoEX.AuthMethod.Digest, null, null, null);

 

 

It works fine if I connect to an AMT 6.1 machine provisioned from the same SCS with the same settings.

However, if I try to connect the same way to the AMT 11 machine (just changing the target machine FQDN in the above ConnectionInfoEX), it fails in GetVersionWSMan() in AMTInstanceManager line 922. The exception is:

 

{Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected ---> Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected

   at Intel.Management.Wsman.HttpTransport.GetResponse(String method)

   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc, String soapCmd)

   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc)

   at Intel.Management.Wsman.WsmanConnection.RetryLoop(XmlDocument reqDoc, Exception& resultExp)

   --- End of inner exception stack trace ---

   at Intel.Management.Wsman.WsmanConnection.SendObjectRequest(String msgId, XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(String requestString, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.ManagedReference.Get()

   at Intel.Manageability.Impl.AMTInstanceManager.GetVersionWSMan() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 922

   at Intel.Manageability.Impl.AMTInstanceManager.SetVersionInfo() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 868}

System.Exception {Intel.Management.Wsman.WsmanConnectionException}

 

Does anyone have any idea how I could find out the cause of this issue? Thanks in advance.


Re: Time Synchronization issue


Hi Dariusz,

 

Thanks again for your help.  I am located in the UK (British Summer Time (BST), UTC+0100).  I have just provisioned another AMT client and still the AMT time shows 10:18 whilst the BIOS and OS show 11:18.  I have the option "Synchronize Intel AMT clock with operating system" ticked within the profile used to configure the client.

 

I understand your point regarding the requirement to periodically run maintenance tasks/jobs; however, are you suggesting that immediately following the initial AMT configuration I need to run an additional job to correctly set / synchronize the time?

 

Regards,

Graham

Re: Identity Protection Technology with Microsoft PKI

Re: Strange issue with Intel AMT remote control using VNC and the Manageability Commander Tool


Hi,

  1. Intel AMT does not have to be accessed from another Intel vPro/AMT system. The management console can be any system (or server) running an OS that can run your management tools.
  2. If you can access the Intel AMT WebUI via a browser, it means you have provisioned AMT but maybe have not:
    • Enabled the AMT redirection port (see Redirection Port in the Remote Control tab)
    • Enabled the KVM redirection feature - see the same tab, Remote Desktop settings - KVM shall be enabled over the Redirection Port and/or the Standard RFB port 5900.
      Please note the Standard RFB port also requires setting an exactly 8-character-long strong (4 of 4) password.
    • Granted the Redirection feature realm in the AMT ACL - if you use the AMT digest Administrator account (admin) it is granted by design, but any other account has to have the Redirection realm
    • Checked whether your network firewall(s) block TCP port 16995 (the AMT TLS Redirection port) - check if you can remotely access e.g. BIOS setup from the AMT Commander SOL Terminal console; if it works, the AMT Redirection port is open and accessible.
    • Last but not least - if your target/managed systems have discrete or dual/switchable graphics, Intel AMT KVM works only when the Intel processor graphics are active.

Dariusz Wittek
Intel  EMEA Biz Client Solution Architect
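As an added check that is not part of Dariusz's reply above: before working through the WebUI settings it helps to know which AMT ports the console can actually reach, since a dropped TCP 16995 looks the same from Commander as a disabled redirection port. The PowerShell below probes them with Test-NetConnection. TCP 16995 (TLS redirection) and 5900 (standard RFB) are the ports named in the reply; 16992/16993 (HTTP/HTTPS WebUI and WS-Man) and 16994 (non-TLS redirection) are the other well-known AMT listeners. The target name is a parameter you supply; nothing else is assumed.

```powershell
# Added example (not from the forum reply): probe the TCP ports Intel AMT listens on
# from the management console, to separate "a firewall blocks the port" from
# "the AMT feature is not enabled". Run on Windows 8.1 / Server 2012 R2 or later,
# where Test-NetConnection is available.
param(
    [Parameter(Mandatory = $true)]
    [string]$Target   # FQDN or IP of the AMT device (assumed parameter name)
)

# Port -> purpose. 16995 and 5900 are the ones the reply mentions; the rest are
# the standard AMT ports.
$amtPorts = [ordered]@{
    16992 = 'WebUI / WS-Man (HTTP)'
    16993 = 'WebUI / WS-Man (HTTPS)'
    16994 = 'Redirection: SOL / IDE-R / KVM (no TLS)'
    16995 = 'Redirection: SOL / IDE-R / KVM (TLS)'
    5900  = 'Standard RFB (VNC) port'
}

$results = foreach ($entry in $amtPorts.GetEnumerator()) {
    # Test-NetConnection performs a real TCP connect; the warning it emits on a
    # failed connect is suppressed so only the summary table is shown.
    $tnc = Test-NetConnection -ComputerName $Target -Port $entry.Key -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $entry.Key
        Purpose = $entry.Value
        Open    = $tnc.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Interpretation, following the troubleshooting list in the reply:
#  - 16992/16993 open but 16994/16995 closed: AMT is provisioned, but the
#    redirection port is disabled in the profile or a firewall drops it.
#  - 16995 open but KVM still fails: check the KVM setting, the account's
#    Redirection realm, and whether the Intel graphics are the active GPU.
if (-not ($results | Where-Object Port -eq 16995).Open) {
    Write-Warning "TCP 16995 (TLS redirection) is not reachable on $Target; KVM/SOL over TLS cannot work until it is."
}
```

Save it as a .ps1 and run it as `.\Test-AmtPorts.ps1 -Target amt-host.example.com` from the console machine, not from the managed system itself: AMT traffic from the host OS to its own ME is not representative of what a remote console sees.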

Re: AMT configured station not remotely accessible


Tomas,

please provide more details on your Intel Core vPro system HW.

 

 

I assume you are trying to access it over Wired LAN - not Wireless - and that your network assigns IP addresses using DHCP?
It may have two LAN interfaces, while Intel AMT will work only on the Intel® 82579LM one.
There is a small chance that you may have the MEBx BIOS module in your BIOS while AMT is disabled in the ME FW by the OEM (permanently).

 

Please download the full Intel SCS download package from Download Intel® Setup and Configuration Software (Intel® SCS) 11.0 and run the SCS discovery tool on your system to capture the AMT details into an XML file.
With the AMT discovery XML file it will be possible to tell more about the AMT FW settings.

 

rgds

 

Dariusz Wittek
Intel  EMEA Biz Client Solution Architect

 

 

 

PS. you can also contact me directly

Re: Intel AMT: Configuration task sequence failing


Hi,

 

your system is already configured in Admin Control Mode - see in the log "Current Control Mode: 2 (Admin)".
Probably it was configured manually (via the MEBx interface, or USB local configuration),
and you are attempting to change (re-configure) the AMT configuration using the Host Based Configuration method from settings in an XML file.
In Admin Control Mode, changes to AMT settings require authentication to AMT with digest or Kerberos credentials of an AMT administrator account.

 

If Client Control Mode (with mandatory User Consent Code usage) is your aim, I suggest fully unprovisioning AMT from the BIOS, or by disconnecting the CMOS RTC battery, or from MEBx (if you know the MEBx password configured previously).
Then re-run the task sequence and it shall work fine.

 

But if your aim is to keep Admin Control Mode and just reload other AMT settings, you have to either:

  • make the account running ACUConfig.exe (with an SCCM task sequence it is the Computer Account) the AMT Kerberos administrator first (not possible with the manual/USB configuration used to get into Admin Control Mode)
  • modify Configure.bat to add the current AMT digest administrator password by adding /AdminPassword <current AMT admin password> at the end of the ACUConfig command.
    The current AMT admin password in the case of manual MEBx/USB configuration is the new MEBx password that was configured via MEBx or when creating the USB setup.bin file.
    For improved security I also suggest defining a new AMT digest administrator password in the XML profile file - the MEBx/USB-defined one will be replaced with this password.
    I suggest creating a duplicate of Configure.bat and a duplicate of the task sequence.

Anyway, having the RCS service running and doing all configuration is a much more elegant way to manage AMT settings.

 

rgds

Dariusz Wittek
Intel  EMEA Biz Client Solution Architect
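Added example, not the Configure.bat shipped with the Intel SCS add-on: a PowerShell wrapper that runs ACUConfig.exe ConfigAMT with the /AdminPassword option from the reply above, so a system already in Admin Control Mode accepts the new profile. One caveat a practitioner would want before editing the .bat: SCCM package content is readable by every client that can reach the distribution point, so here the current admin password is read from a task-sequence or environment variable rather than written into the package. The ConfigAMT verb and the /Output Console option are standard ACUConfig syntax; the file locations and the variable name AMT_ADMIN_PASSWORD are assumptions.

```powershell
# Added example (not Intel's Configure.bat): re-apply an SCS profile to an AMT
# system that is already in Admin Control Mode, authenticating with the current
# digest administrator password via /AdminPassword, as the reply suggests.
# Assumed: ACUConfig.exe and Profile.xml sit next to this script, and the
# password is provided in the AMT_ADMIN_PASSWORD variable (local convention).
param(
    [string]$ProfileXml = (Join-Path $PSScriptRoot 'Profile.xml'),
    [string]$PasswordVariable = 'AMT_ADMIN_PASSWORD'
)

$acuConfig = Join-Path $PSScriptRoot 'ACUConfig.exe'
if (-not (Test-Path $acuConfig)) { throw "ACUConfig.exe not found at $acuConfig" }
if (-not (Test-Path $ProfileXml)) { throw "Profile not found at $ProfileXml" }

# In an SCCM task sequence, populate this from a "Set Task Sequence Variable"
# step or a collection variable, so the secret never lands in the package files.
$adminPassword = [Environment]::GetEnvironmentVariable($PasswordVariable)
if ([string]::IsNullOrEmpty($adminPassword)) {
    throw "Variable $PasswordVariable is not set; cannot authenticate to an Admin Control Mode AMT."
}

# ConfigAMT re-applies the profile. /AdminPassword authenticates to the digest
# administrator account created by the earlier MEBx/USB configuration.
# /Output Console keeps ACUConfig's log visible in smsts.log when run from a task sequence.
$argumentList = @('/Output', 'Console', 'ConfigAMT', "`"$ProfileXml`"", '/AdminPassword', $adminPassword)

$proc = Start-Process -FilePath $acuConfig -ArgumentList $argumentList -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    # Non-zero exit codes are documented in the Intel SCS user guide.
    throw "ACUConfig ConfigAMT failed with exit code $($proc.ExitCode)"
}
Write-Output "AMT reconfigured from $ProfileXml; if the profile defines a new admin password it now replaces the MEBx one."
```

Two practical notes: the password is still visible in the ACUConfig process command line to local administrators for the duration of the run, which is why the reply's advice to rotate it through the XML profile matters; and a space-containing password needs quoting in the argument list, the same as in the original .bat.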

Re: HLAPI: Digest authentication with mutual TLS


Update:

I realized that I had forgotten to add the hash of the Root CA certificate in the MEBx hash list on the AMT 11 device, so I did that as well.

I noticed all the default hashes entered there are sha256, my certificate is sha1. Could that have anything to do with my issue?

On the AMT 6 machine (the one that works), also the default hashes are from sha1 certificates.

 

After adding the hash, still no change:

- it doesn't work from the HLAPI sample project

- it also doesn't work from the vProPlatformSolutionManager.exe application (found under AMT_SDK_11.6.0.7\Windows\Intel vPro Platform Solution Manager\Source Code\Bin)

 

However, through the web access, https://<target_AMT_machine_fqdn>:16993, it works. I get a prompt to choose the certificate (only my Mutual TLS certificate shows up in the list, the same one I used in the HLAPI sample project and the Intel sample app), I select it, then I get prompted to login, I enter the digest user (the same one I tried in the HLAPI project and the Intel sample app), and it connects.

I removed the hash from MEBx, re-provisioned the system with digest with mutual TLS (so I am back to the state from yesterday), and the web access still works!

 

So now my question is: why is it necessary to add the hash of the root CA to the MEBx hash list? What should not work if it's not added? Because without the hash, I tried both digest with TLS, which worked from all 3 methods (HLAPI, Intel sample app and web access), and mutual TLS, which at least works on web access.

Re: HLAPI: Digest authentication with mutual TLS


Anitallica

We've been looking over your post.  We would like to request that you open a ticket so that we can get your contact information here:

 

Contact Support

Select AMT and open service request and fill out details.


Re: HLAPI: Digest authentication with mutual TLS


Thanks for the reply, I opened a case now. Will give an update if the issue gets solved.

Re: Time Synchronization issue


Hi Dariusz,

 

I just wondered if you had any more advice on this?  Do you think it might be worth opening a support ticket, as clearly the time does not sync during configuration?

 

Regards,

Graham

Re: Time Synchronization issue


Graham,

 

The Intel AMT internal clock will always be in the UTC time zone. The BIOS & OS will be in a time zone depending on the physical location of the system, so except for, e.g., Iceland, there will always be a difference between AMT time and OS time; it is normal and there is no need to raise a support ticket.
You are in BST, which is UTC+1 - see http://www.timeanddate.com

 

Computer systems (including the AD controller) know both UTC time and their time zone (so = time-zone-specific time) and know how to use it properly - this includes the MS AD Controller, the Kerberos Ticket Granting Server. It will know that the Kerberos ticket is time stamped with UTC time and will compare it to the UTC time of Intel AMT - as long as each side's actual UTC time does not differ by more than 5 min 00 sec it will work.

 

The maintenance job I mentioned is to resync AMT time back to exact UTC time - mostly seconds and minutes.  You do not have to do a time sync just after configuration - it is done as part of the provisioning process already.

 

As I said, Intel recommends resyncing AMT time to exact UTC time (e.g. from the MS AD controller via RCS) every 2 weeks.

My experience shows that over 30+ days the time difference is only a few seconds, so if you resync time less often you shall be fine.

 

rgds

 

Dariusz Wittek

Intel  EMEA Biz Client Technical Sales Specialist
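Added example, not part of Dariusz's reply: a PowerShell check that reads the AMT clock over WS-Man and compares it with the console's own UTC clock, so the 5-minute Kerberos tolerance described above can be measured instead of eyeballed in the WebUI. It assumes (from the AMT SDK, not from this thread) the AMT_TimeSynchronizationService class, its GetLowAccuracyTimeSynch method, and that the method's Ta0 output is AMT's current time in seconds since the Unix epoch; the selector values for the service instance are taken from the SDK as well. The WinRM client settings mentioned in the comments are the usual prerequisites for digest authentication to a non-domain host.

```powershell
# Added example (not from the reply): measure the skew between the Intel AMT
# clock (always UTC, as the reply explains) and this console's UTC clock, and
# report whether it is inside the Kerberos tolerance.
# Assumptions (AMT SDK, not this thread): class AMT_TimeSynchronizationService,
# method GetLowAccuracyTimeSynch, output Ta0 = seconds since 1970-01-01T00:00:00Z.
param(
    [Parameter(Mandatory = $true)][string]$AmtHost,
    [Parameter(Mandatory = $true)][pscredential]$Credential,   # AMT digest administrator
    [switch]$UseTls,              # use 16993/HTTPS when the device is provisioned with TLS
    [switch]$SkipCertChecks,      # lab only: accept an untrusted AMT server certificate
    [int]$MaxSkewSeconds = 300    # 5 min 00 sec, the Kerberos tolerance quoted in the reply
)

$scheme = if ($UseTls) { 'https' } else { 'http' }
$port   = if ($UseTls) { 16993 } else { 16992 }
$uri    = "${scheme}://${AmtHost}:${port}/wsman"

$resourceUri = 'http://intel.com/wbem/wscim/1/amt-schema/1/AMT_TimeSynchronizationService'
# Key properties of the single service instance (values per the AMT SDK).
$selectors = @{
    Name                    = 'Intel(r) AMT Time Synchronization Service'
    CreationClassName       = 'AMT_TimeSynchronizationService'
    SystemName              = 'Intel(r) AMT'
    SystemCreationClassName = 'CIM_ComputerSystem'
}

# Plain HTTP + Digest needs the WinRM client to allow unencrypted traffic and to
# trust the host:  winrm set winrm/config/client @{AllowUnencrypted="true"}
#                  winrm set winrm/config/client @{TrustedHosts="<amt host>"}
# HTTPS avoids the first setting; prefer it on provisioned-with-TLS devices.
$extra = @{}
if ($SkipCertChecks) { $extra.SessionOption = New-WSManSessionOption -SkipCACheck -SkipCNCheck }

$before = [DateTime]::UtcNow
$resp = Invoke-WSManAction -ConnectionURI $uri -ResourceURI $resourceUri -SelectorSet $selectors `
            -Action 'GetLowAccuracyTimeSynch' -Authentication Digest -Credential $Credential @extra
$after = [DateTime]::UtcNow

if ([int]$resp.ReturnValue -ne 0) { throw "GetLowAccuracyTimeSynch returned $($resp.ReturnValue)" }

# Ta0 is AMT's "now" in UTC seconds; the console reference is the round-trip midpoint.
$amtUtc     = [DateTimeOffset]::FromUnixTimeSeconds([int64]$resp.Ta0).UtcDateTime
$consoleUtc = $before.AddTicks([long](($after - $before).Ticks / 2))
$skew       = ($amtUtc - $consoleUtc).TotalSeconds

[pscustomobject]@{
    AmtHost    = $AmtHost
    AmtUtc     = $amtUtc
    ConsoleUtc = $consoleUtc
    SkewSec    = [math]::Round($skew, 1)
    KerberosOk = [math]::Abs($skew) -le $MaxSkewSeconds   # compare UTC to UTC, as the reply describes
}
```

Run it from a domain-joined console whose own clock is AD-synchronized, since that is the clock the KDC will effectively compare against; a skew approaching the 300 s budget is the signal that the RCS maintenance job the reply recommends is overdue.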

HLAPI: bug when making 2 consecutive connections


Hi everyone,

 

I've been working with the HLAPI library, and came across the following issue:

when connecting to an AMT11 machine with digest authentication and server TLS, if the 1st connection uses the correct credentials, the 2nd connection works even if the credentials are wrong.

 

See below sample code:

 

            IAMTInstance amt = null;
            IAMTInstance amt2 = null;
            try
            {
                // First connection: correct user and password (digest over server TLS).
                ConnectionInfoEX ci = new ConnectionInfoEX("ro-nrc-vpro.anita.local", "admin", "Abcd1234!", true,
                                                           "", ConnectionInfoEX.AuthMethod.Digest, null, null, null);
                amt = AMTInstanceFactory.CreateEX(ci);
                if (amt != null)
                    Console.WriteLine("First connection ok");

                amt.Dispose();
                amt = null;

                // Second connection: incorrect user and password.
                ConnectionInfoEX ci2 = new ConnectionInfoEX("ro-nrc-vpro.anita.local", "lkk", "fg", true,
                                                            "", ConnectionInfoEX.AuthMethod.Digest, null, null, null);
                amt2 = AMTInstanceFactory.CreateEX(ci2);          // this also succeeds!!

                if (amt2 != null)
                    Console.WriteLine("Second connection ok");

                amt2.Dispose();
                amt2 = null;
            }
            catch (Exception ex)   // expected for the second CreateEX, but never reached
            {
                Console.WriteLine(ex);
            }

 

Any ideas?

 

Note: I could only reproduce the issue with digest and server TLS; it doesn't happen if server TLS is not enabled, and I have not tried yet with Kerberos or with mutual TLS.

 

Note 2: if I stay at a breakpoint long enough before the amt2 = AMTInstanceFactory.CreateEX(ci2) command (this "long enough" varies from attempt to attempt), the CreateEX fails, as expected. So it seems to have something to do with cleaning up the old connection.

vPro/MEBX Config for Private Computer


Hi All,

 

I have a computer that has an i7 with vPro / MEBX on it, and I wanted to know how it should be configured for use as a private home business computer.

 

The user guide, while helpful, still leaves me unclear on how I should set it up for maximum security. 

 

Any guidance is much appreciated.

 

Thanks,

 

John

Re: Time Synchronization issue


Hi Dariusz,

 

Please accept my apologies, I now understand that AMT clock will only ever be set to UTC.

 

As ever, thank you for your assistance.

 

Regards,

Graham

Novell ZENworks fails to provision the AMT device in Enterprise mode


Novell ZENworks has a feature to provision Intel devices using AMT technologies in enterprise mode. This feature was working perfectly fine with Java 6. This feature is broken now. Currently ZENworks uses JDK 1.8.051 and we are trying to provision an AMT device (AMT version 6.2).

 

ZENworks sends the provisioning command on port 16993; in response the device exchanges certificates. Attached are Wireshark traces of the communication. At the end the device closes the connection with a fatal alert: unsupported certificate.

 

We are not sure which kind of certificate the device is expecting.

 

ZENworks connects to the device twice: once for provisioning and a second time for gathering the asset information from the device. Sometimes the first call succeeds and we see the provisioning record on the AMT device too (see the attachment IMG_20170413_112035563.jpg).

 

Can somebody suggest what the problem is here?

 

Thanks,

Ashish S.

Developer at Novell


Re: Intel SCS Add-on Installation Error


Hey there Scott,

 

Just to close on this, we had a session with you where we manually created the SCCM collections, created the task sequences for the different sequences, and then created the package that all the task sequences used.  The reason the automated process wasn't working was that the installer seemed to be looking for something specific that it was not finding, hence the manual configuration.

SCS web service


Hi everyone,

 

I have seen, in a piece of software that can manage AMT machines, a reference to an "SCS Web service" URL that could be used to retrieve a list of AMT devices that the SCS is aware of. Does anyone know if this feature (still) exists, and if yes, how it can be configured? I didn't find anything resembling this in the Intel documentation, or in my SCS installation.

 

All I found in the Intel documentation was a reference to an AMTConfServer.exe, which I don't have. I installed SCS 11.1 from the SCS_download_package_11.1.0.75 downloaded from Intel, installed it from the RCS folder, and under Program Files I have a folder Intel containing Console, License, and Service. No AMTConfServer. What am I missing?

 

Thanks in advance!

Re: HLAPI: Kerberos authentication - getting the realms of a user from a machine that is not in the domain


Hi Anitallica,

 

It seems to me that what you are attempting to do is somewhat against the proper usage of Kerberos authentication. Let MC be the machine from which you are trying to make the connection and AMT the machine you are trying to connect to. Is it the case that MC and AMT are in different domains that are related in the domain hierarchy, or do they belong to completely disjoint domains?

In the case of the domains belonging to the same hierarchy (meaning they are sibling domains or parent/children of each other) you can probably use the C# ActiveDirectory modules to resolve the SID.

 

To answer your question about querying AMT for the user, this will only be possible if you have another means of authenticating with AMT, for example Digest credentials or a different Kerberos user that does belong to the domain (and has access to the Security Administration and General Info realms), in which case you can invoke AMT_AuthorizationService.EnumerateUserAclEntries in order to get the ACL entries in AMT.

 

Hope this answers your question

Ariel Silverman
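Added example, not Ariel's code: one way to make the AMT_AuthorizationService.EnumerateUserAclEntries call he mentions, from PowerShell over WS-Man with digest credentials, then resolve each returned handle with GetUserAclEntryEx so the account and its realm list are visible. The class, method and output field names (Handles, ReturnValue, DigestUsername, KerberosUserSid, AccessPermission, Realms) follow the AMT SDK; the selector values for the service instance and the switches are assumptions made for this example. As the reply notes, the account used must itself hold the Security Administration realm, and the same WinRM client prerequisites apply as for any digest/HTTP session to a non-domain host (AllowUnencrypted, TrustedHosts, or use HTTPS on 16993).

```powershell
# Added example (not from the reply): list Intel AMT's user ACL entries and their
# realms via AMT_AuthorizationService over WS-Man, authenticating with digest.
# Assumptions (AMT SDK, not this thread): method names EnumerateUserAclEntries
# and GetUserAclEntryEx and their output fields; selector values below.
param(
    [Parameter(Mandatory = $true)][string]$AmtHost,
    [Parameter(Mandatory = $true)][pscredential]$Credential,   # needs the Security Administration realm
    [switch]$UseTls          # 16993/HTTPS for a TLS-provisioned device
)

$port = if ($UseTls) { 16993 } else { 16992 }
$uri  = "$(if ($UseTls) { 'https' } else { 'http' })://${AmtHost}:${port}/wsman"
$svc  = 'http://intel.com/wbem/wscim/1/amt-schema/1/AMT_AuthorizationService'
$sel  = @{
    Name                    = 'Intel(r) AMT Authorization Service'
    CreationClassName       = 'AMT_AuthorizationService'
    SystemName              = 'Intel(r) AMT'
    SystemCreationClassName = 'CIM_ComputerSystem'
}

# Small wrapper so each method call carries the same endpoint, selectors and credentials.
function Invoke-AmtAuthMethod([string]$Action, [hashtable]$Params) {
    Invoke-WSManAction -ConnectionURI $uri -ResourceURI $svc -SelectorSet $sel `
        -Action $Action -ValueSet $Params -Authentication Digest -Credential $Credential
}

# EnumerateUserAclEntries takes a 1-based StartIndex and returns the entry handles.
$enum = Invoke-AmtAuthMethod 'EnumerateUserAclEntries' @{ StartIndex = 1 }
if ([int]$enum.ReturnValue -ne 0) { throw "EnumerateUserAclEntries returned $($enum.ReturnValue)" }

foreach ($handle in @($enum.Handles | Where-Object { $_ })) {
    # GetUserAclEntryEx resolves a handle to the user identity, its access scope and realm list.
    $entry = Invoke-AmtAuthMethod 'GetUserAclEntryEx' @{ Handle = $handle }
    if ([int]$entry.ReturnValue -ne 0) {
        Write-Warning "Handle ${handle}: GetUserAclEntryEx returned $($entry.ReturnValue)"
        continue
    }

    # An entry is either a digest account or a Kerberos SID, never both.
    $user = if ($entry.DigestUsername) { "digest:$($entry.DigestUsername)" } else { "kerberos-sid:$($entry.KerberosUserSid)" }

    [pscustomobject]@{
        Handle     = $handle
        User       = $user
        Permission = $entry.AccessPermission            # local / network / any, see the SDK enumeration
        Realms     = (@($entry.Realms) -join ',')       # numeric realm IDs, mapping in the SDK docs
    }
}
```

This answers the follow-up question in the thread in a different way from the HLAPI: it is the low-level WS-Man call made directly, which is also the quickest way to confirm whether a Kerberos user's SID is actually present in the ACL when a Kerberos login from a workgroup machine behaves unexpectedly.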

 

 

 


Re: SCS web service



Hello Anitallica,

 

A few years ago we had a utility called AMTConfServer.exe; however, it was replaced with RCSServer.exe.  To retrieve a list of AMT devices that SCS is aware of, SCS needs to be installed in database mode and you need to be running as a user that has rights to the Intel_RCS_Systems namespace; then you can query WMI for this information directly using PowerShell:

 

Get-WmiObject -ComputerName "RCSFQDN" -Namespace Root\Intel_RCS_Systems -Class RCS_AMT | Where-Object { $_.AMTFqdn -like "*.DOMAINSUFFIX" } | Format-Table AMTFqdn, AMTVersion

 

Please let us know if this helps.

Re: HLAPI: Kerberos authentication - getting the realms of a user from a machine that is not in the domain


Hi Ariel,

 

Thanks for the reply!

The machine I am connecting from may just as well be in a workgroup, so not at all connected with the domain. The login with Kerberos works; apparently it's the AMT target machine that verifies the provided Kerberos user, so I don't need to find an alternative method for logging in. I am just not sure how I would invoke AMT_AuthorizationService.EnumerateUserAclEntries. I assume this is part of the low-level API and it's not accessible in the HLAPI, is that correct? If yes, how would I, from my IAMTInstance object, use the AMT_AuthorizationService?

 

Thanks.


