Intel vPro – Configuration – Part 8 – Adding Kerberos

vPro Series of Posts


Now that you have provisioning down with Digest users, let’s add that unique Kerberos twist. Before you begin, I highly recommend watching the following video. It’s difficult. It’s technical. It’s also incredibly helpful to understand the underpinnings of Kerberos.

Brian Desmond: Kerberos Uncovered

Overview

  1. Configure SCS Profile for Kerberos
  2. Configure Admin Workstation IE and Network Settings
    1. IE Options
        1. Windows Integrated Authentication
        2. AMT Device to Local Intranet
        3. Automatic Logon security settings enabled
        4. Protected mode disabled for Local Intranet
        5. TLS 1.1 enabled
    2. OS Options
      1. Kerberos CNAME registry key imported
      2. Kerberos Port Number registry key imported
  3. Pre-flight checklist
    1. AMT Device AD Object Exists
    2. AMT Device SPNs registered and correct
    3. No duplicate SPNs
  4. Re-Configuring the AMT Device
  5. Try it out!
  6. Troubleshooting

Configure SCS Profile for Kerberos

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb’ for the name, and then click ‘Next’.
  3. On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
    • Active Directory Integration
    • Access Control List (ACL)
  4. On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
  5. On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
  6. On the ‘User/Group Details’ screen, switch the ‘Access Type’ to ‘Both’, and check all checkboxes except ‘Access Monitor’. Then, click OK to save.
  7. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  8. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  9. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  10. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  11. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  12. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  13. On the ‘Finish’ screen, click ‘Finish’.

Configure Admin Workstation IE and Network Settings

Out of the box, Windows and IE don’t like to play well with some particular aspects of the Intel AMT Kerberos implementation. The following will make everything work. All of this must be done on the administrator’s workstation — the computer which will be used to connect to the AMT device. None of these steps need to be completed on the target AMT system itself.

Internet Explorer Options

We will perform the following steps below:

  • Enable Windows Integrated Authentication
  • Add AMT Device to the Local Intranet zone
  • Enable Automatic Logon security settings
  • Disable protected mode for the Local Intranet zone
  • Enable TLS 1.1

Procedure for Updating Internet Explorer Options

  1. Login to your workstation as the user that you would like to use to connect to the AMT system.
  2. Open Internet Explorer.
  3. Click the gear icon in the top-right, then choose ‘Internet Options’
  4. Select the ‘Advanced’ tab.
  5. Scroll down to the ‘Security’ section.
  6. Make sure that the following boxes are checked:
    1. Windows Integrated Authentication
    2. TLS 1.0
    3. TLS 1.1
    4. TLS 1.2
  7. Select the ‘Security’ tab.
  8. Click the ‘Local Intranet’ zone.
  9. Click Sites -> Advanced
  10. Add the FQDN of the target device, prefixed with http://. Example: “http://user-pc-01.mydomain.com”. Then, click ‘Add’.
  11. Click ‘OK’ until you are back to the ‘Internet Options’ screen.
  12. Click the ‘Custom Level…’ button.
  13. Scroll down to the section ‘User Authentication’.
  14. Ensure that the radio button named ‘Automatic logon with current user name and password’ is selected, then click ‘OK’.
  15. Back at the ‘Internet Options’ screen, make sure that the check box named ‘Enabled Protected Mode’ is not checked.

Operating System Options

The Windows operating system needs to be tweaked to allow Kerberos tickets for an HTTP or HTTPS service on a non-standard port. It also needs to be tweaked to allow Kerberos tickets for CNAMEs. Even though the references below are targeted at XP and Windows Server 2003, they still apply to all current Windows and IE versions (including Windows 8 and Windows Server 2012).

References:

Procedure

Add the following registry entries:

Entry #1
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #2
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #3
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1

Entry #4
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1
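The four entries above can be created and checked in one pass. The following PowerShell is an added example, not part of the original post: it writes the two FeatureControl keys (CNAME-for-SPN and port-in-SPN) under both the native and the WOW6432Node hive on a 64-bit workstation, sets the iexplore.exe DWORD to 1, and then reads every value back so a misspelled key (the failure mode described under Troubleshooting below) shows up as MISSING. It assumes an elevated PowerShell prompt on the admin workstation.

```powershell
# Added example (not from the original post): create and verify the IE FeatureControl
# values that let Kerberos work for AMT's CNAME + non-standard port.
# Run elevated on the admin workstation.

$features = @(
    'FEATURE_USE_CNAME_FOR_SPN_KB911149',    # build the SPN from the CNAME target
    'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'   # include the port (16992 etc.) in the SPN
)

# 64-bit Windows keeps a second copy of IE settings under WOW6432Node for 32-bit iexplore.exe
$roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl')
if ([Environment]::Is64BitOperatingSystem) {
    $roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
}

function Set-IeKerberosFeatures {
    foreach ($root in $roots) {
        foreach ($feature in $features) {
            $keyPath = Join-Path $root $feature
            if (-not (Test-Path $keyPath)) {
                New-Item -Path $keyPath -Force | Out-Null
            }
            # The value name is the process the feature applies to; DWORD 1 turns it on.
            New-ItemProperty -Path $keyPath -Name 'iexplore.exe' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-IeKerberosFeatures {
    # Returns $true only when every expected key reports iexplore.exe = 1
    $allOk = $true
    foreach ($root in $roots) {
        foreach ($feature in $features) {
            $keyPath = Join-Path $root $feature
            $value = (Get-ItemProperty -Path $keyPath -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
            $ok = ($value -eq 1)
            if (-not $ok) { $allOk = $false }
            Write-Host ('{0,-8} {1}' -f ($(if ($ok) { 'OK' } else { 'MISSING' })), $keyPath)
        }
    }
    return $allOk
}

Set-IeKerberosFeatures
if (-not (Test-IeKerberosFeatures)) { Write-Warning 'One or more FeatureControl entries are missing or wrong' }
```

The keys take effect the next time Internet Explorer starts, so close every IE window before retrying the WebUI.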

Pre-flight Checklist

Next, let’s make sure that we don’t have any outstanding AD or SPN issues that will prevent Kerberos from working.

Confirm that AMT Device AD Object Exists

Open Active Directory and navigate to the OU that you specified for AMT devices in the SCS profile. Is your computer object there? If so, you’re set. If not, then it wasn’t created in our previous provisioning. This might be ok, but it’s probably better to go back a few blog posts and try everything again.

Confirm that the AMT Device SPNs Are Registered and Correct

  1. Open Active Directory.
  2. Select ‘View’ from the top menu, then choose to enable ‘Advanced Features’.
  3. Browse to the OU which contains the AMT objects, as specified in your SCS profile.
  4. Right-click the AMT device which will be tested and choose ‘Properties’.
  5. Click the ‘Attribute Editor’ tab.
  6. Scroll down to the field named ‘ServicePrincipalNames’, and double-click it.
  7. Verify that the following SPNs are registered:
    1. HTTP://fqdn:16992
    2. HTTP://fqdn:16993
    3. HTTP://fqdn:16994
    4. HTTP://fqdn:16995
    5. HTTP://fqdn:623
    6. HTTP://fqdn:664

If you do not see the SPNs registered, I suggest deleting the AMT object and re-provisioning it.

No duplicate SPNs

Open a command prompt as administrator and type the following command. It should return zero duplicate SPNs.

setspn -x

If it shows duplicate SPNs, it will be necessary to remove the duplicates with this command:

setspn -D <SPN> <Account>

I highly recommend that you google around and read up on the concept of SPNs and duplicate SPNs before doing this.
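The two checks above (all six SPNs present, none of them duplicated) can be scripted rather than clicked through in Attribute Editor. The following PowerShell is an added example, not part of the original post. It assumes the ActiveDirectory module (RSAT) on the admin workstation and uses a placeholder device FQDN. Note that AD stores SPNs as HTTP/host:port, without the “//”, so that is the form compared here. When the AD side is clean it also runs klist get for the WebUI SPN, which is the same ticket request IE makes before it gives up and falls back to the Digest prompt.

```powershell
# Added example (not from the original post): verify the AMT device's SPNs and look for
# duplicates, then request a service ticket for the WebUI SPN from this workstation.
Import-Module ActiveDirectory

$amtFqdn  = 'user-pc-01.mydomain.com'              # placeholder: the target AMT device FQDN
$ports    = 16992, 16993, 16994, 16995, 623, 664   # the six SPNs from the checklist above
$expected = $ports | ForEach-Object { "HTTP/${amtFqdn}:$_" }

function Get-AmtSpnReport {
    param([string]$Fqdn, [string[]]$Expected)

    # Every object in the domain that carries any HTTP SPN for this host. The SCS-created
    # AMT object should be the only hit; a second object means a duplicate SPN.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/${Fqdn}:*)" -Properties servicePrincipalName)
    $registered = @($owners | ForEach-Object { $_.servicePrincipalName } | Where-Object { $_ -like "HTTP/${Fqdn}*" })

    $duplicated = foreach ($spn in $Expected) {
        if (@($owners | Where-Object { $_.servicePrincipalName -contains $spn }).Count -gt 1) { $spn }
    }

    [pscustomobject]@{
        Fqdn       = $Fqdn
        Owners     = @($owners | ForEach-Object { $_.DistinguishedName })
        Missing    = @($Expected | Where-Object { $registered -notcontains $_ })
        Duplicated = @($duplicated)
    }
}

$report = Get-AmtSpnReport -Fqdn $amtFqdn -Expected $expected

if ($report.Owners.Count -eq 0) {
    Write-Warning "No AD object holds HTTP SPNs for $amtFqdn; re-provision the device."
}
if ($report.Missing.Count -gt 0) {
    Write-Warning ("Missing SPNs:`n  " + ($report.Missing -join "`n  "))
}
if ($report.Duplicated.Count -gt 0) {
    Write-Warning ("Duplicate SPNs (compare with setspn -x):`n  " + ($report.Duplicated -join "`n  "))
}
if ($report.Owners.Count -eq 1 -and $report.Missing.Count -eq 0 -and $report.Duplicated.Count -eq 0) {
    Write-Host "All $($expected.Count) AMT SPNs are registered once, on $($report.Owners[0])"
    # Ask the KDC for a ticket the way IE will; a cached ticket for this SPN means the
    # domain side works and any remaining failure is in the IE/registry settings.
    klist get "HTTP/${amtFqdn}:16992"
}
```

If klist shows a ticket for HTTP/fqdn:16992 but the WebUI still prompts for credentials, the problem is on the workstation (Intranet zone, automatic logon, or the FeatureControl registry entries), not in Active Directory.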

Re-Configuring the AMT Device

Woohoo! Again, the actual meat of the process.

  1. Login to the target AMT system.
  2. Open a command prompt and navigate to C:\Temp\vPro.
  3. Run the following command:
    acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

You should see no errors.

Try it out!

First, try to open the WebUI at http://fqdn:16992. Use Internet Explorer, and make sure that you are logged in as a user which was given access in the SCS profile, and also has the Internet Explorer options configured properly (outlined above). Also, make sure that the target FQDN is in the ‘Intranet Zone’ in the IE options.

The WebUI should log in correctly. If you get a pop-up window asking for a username and password, then Kerberos has failed and the web page is attempting to use digest authentication.

You can also now use RealVNC+. Make sure to go into the options -> connections tab and check the box labeled ‘Use Single Sign-on’.

Also, you can use Manageability Commander. One issue with Manageability Commander is that it doesn’t support Kerberos SOL connections out of the box. To make Kerberos SOL connections work, it’s necessary to run the program with the following command-line switch: “-alttsp:0”.

Troubleshooting

Troubleshooting is actually pretty difficult, but there are three main things to try.

First, go back over all of the blog posts and double-check everything. This is a pain, and it seems like it won’t solve the problem, but it often does. I once misspelled the registry entry for the Kerberos port number workaround, and spent hours checking every other aspect of the configuration.

Second, if your problem is with Manageability Commander or Intel Platform Solutions Manager, you can configure Intel’s DLL files to dump a log. To do this, navigate to the application folder in Windows Explorer. Look for a file named ‘imrsdk.dll’ or ‘imrsdk_x64.dll’. Add a new file named ‘imrsdk.ini’ with the following code.

[COMMON]
Debug_Level=2

Make sure to restart your application. The Intel DLL will then drop a new file named log.txt into its folder, and may offer some good information.

Third, you can try the Wireshark approach. Install Wireshark on a computer with two network cards, and place it between your AMT device and its network connection. Then, bridge the connections on the Wireshark computer. You can use this computer to collect all TCP packets between the AMT device, the domain controllers, and the SCS service. This might tell you if you have network-level problems. It may also be necessary to insert the Wireshark computer between your workstation and your workstation’s wired connection in order to see if the requested SPN is correct.

The next post will cover adding TLS to the mix!

Intel vPro – Configuration – Part 5 – Configure Active Directory


Whew, made it this far ‘eh? Awesome. Nice work! Before we get started on SCS profiles, we need to do a bit of work in Active Directory. Don’t worry, it won’t take long.

AD OU and Groups

When Kerberos authentication is used with the AMT devices, each AMT device is going to need an actual computer account in AD. The Intel SCS service manages this for you, but it needs to have a specific OU to create the computers in. SCS also needs permission to create computer accounts in that OU.

Procedure

  1. In AD Users and Computers, create an OU to store AMT Objects. I recommend the name “AMT Objects”.
  2. Grant your SCS Server computer account ‘full control’ on this new OU.
  3. In AD Users and Computers, create a new security group for the users who will connect to AMT objects. I recommend ‘AMT Admins’.
  4. Assign your user account to be a member of the new group.

That’s it! Next stop: SCS Profile world.

Intel vPro – Configuration – Part 1 – Architecture Overview


My last vPro post was a first-look at vPro and what it offers. This post will cover the vPro configuration possibilities, architecture, and requirements.

Architecture Overview

Basic Network Requirements

First of all, the AMT device will need a DNS name and an IP address. If you’re using Microsoft DNS servers in an Active Directory domain with DDNS enabled, then you’re good to go. AMT will use the DNS name and IP address of the Windows operating system installed on the AMT-enabled workstation. Otherwise, you’ll have to custom-tailor the provisioning process for your DNS/IP environment (more on that in later posts).

Server Requirements

To enable and configure AMT, you’ll need:

  1. A server to run the Intel Software Configuration Service (Intel SCS).
  2. SCS requires Microsoft SQL (express edition is fine).
  3. A PKI, if you want to run AMT in TLS encrypted mode. Also, the PKI must only use SHA1 certificates throughout the entire chain of trust. This means that you may not be able to use your current PKI. However, configuring a PKI well isn’t as hard as it sounds and will be detailed in later posts.
  4. The ability to create and delegate an OU in Active Directory, if you want to use Active Directory to handle permissions for connecting to the AMT object. Otherwise, you can use local AMT users (called “Digest Users”).

Provisioning Certificate

AMT comes disabled on systems by default. To enable AMT, you must ‘provision’ the systems. The Intel SCS service will help you do this, but you must have a ‘Provisioning Certificate’. This certificate can be either purchased from a third-party Certificate Authority, or self-signed by your PKI.

The certificate has specific requirements, so a self-signed certificate will require a custom certificate template. Also, when using a self-signed certificate, the provisioning process cannot be fully automated. Since the AMT device isn’t pre-programmed to trust your certificate authority, it’s necessary to either use USB provisioning or manually enter the root CA’s certificate thumbprint into the AMT device via its BIOS interface. This is a pain.

My next few vPro posts will cover the configuration of a reference system with TLS, Kerberos, and a Self-Signed provisioning certificate. Thanks!

Scripting the Build of a Server 2008 R2 Test Domain

This information is probably a bit old, since Server 2012 is out. I haven’t played around with 2012 too much yet; I’ve been focusing on SCCM instead. Server 2012 task sequences are the first thing I’m going to play with next week once we have SP1 installed though :).

Anyways, here we go. This post is about scripting the set-up of a test domain with the following services in the shortest number of steps possible. This post assumes that you want to separate routing out to its own VM.

  • Routing with NAT
  • DNS
  • DHCP
  • ADDS

Step 1 – Routing

Network Configuration

You need an IP boundary for your test domain. The easiest way to do this is to create a private network behind a NAT router. For this to work, you need a private network that is not connected to the internet. On a single host in VMware ESX, this can be accomplished by creating a vSwitch with no physical adapters, then creating a VMware Virtual Machine network inside the vSwitch.

Build the VM

Routing is a way of bridging two or more networks. Your virtual server needs to have two network interfaces: one on the private network, and one on a network that can access the internet. Build a VM and configure it this way.

Install and Configure Routing

The following procedure will configure the RRAS service to be a NAT’ing router.

  1. Start -> Run -> ‘control netconnections’
  2. Rename the interface connected to the internet so that it reads ‘Public Interface’.
  3. Rename the interface connected to the private network so that it reads ‘Private Network’
  4. Configure the ‘Private Network’ interface so that it uses the following IP information:
    IP: 192.168.1.1
    Netmask: 255.255.255.0
    Gateway: <none>
    DNS: <none>
  5. Open PowerShell as administrator, and run the following commands.
    Import-Module ServerManager
    Add-WindowsFeature NPAS-RRAS, NPAS-Routing
  6. Save the following code as C:\Install_Files\config-rras-nat.txt :
    #========================
    # Interface configuration
    #========================
    pushd interface
    popd
    # End of interface configuration
    
    # ----------------------------------
    # IPHTTPS Configuration
    # ----------------------------------
    pushd interface httpstunnel
    reset
    popd
    # End of IPHTTPS configuration
    
    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4
    reset
    set global icmpredirects=disabled
    popd
    # End of IPv4 configuration
    
    # ----------------------------------
    # IPv6 Configuration
    # ----------------------------------
    pushd interface ipv6
    reset
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    #========================
    # Port Proxy configuration
    #========================
    pushd interface portproxy
    reset
    popd
    # End of Port Proxy configuration
    
    # ----------------------------------
    # TCP Configuration
    # ----------------------------------
    pushd interface tcp
    reset
    set global rss=enabled chimney=automatic autotuninglevel=normal congestionprovider=ctcp ecncapability=disabled timestamps=disabled netdma=disabled dca=enabled
    popd
    # End of TCP configuration
    
    # ----------------------------------
    # Teredo Configuration
    # ----------------------------------
    pushd interface teredo
    set state type=client servername=teredo.ipv6.microsoft.com. servervirtualip=0.0.0.0
    popd
    # End of Teredo configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ------------------------------------
    # End of Bridge configuration
    # ------------------------------------
    pushd ipsecdosprotection
    reset
    popd
    
    # ----------------------------------------
    # Wired LAN Configuration
    # ----------------------------------------
    pushd lan
    popd
    # End of Wired LAN Configuration.
    
    # ==========================================================
    # Health Registration Authority configuration
    # ==========================================================
    pushd nap hra
    popd
    # End of NAP HRA configuration
    
    # ==========================================================
    # Network Access Protection client configuration
    # ==========================================================
    pushd nap client
    
    # ----------------------------------------------------------
    # Trusted server group configuration
    # ----------------------------------------------------------
    reset trustedservergroup
    
    # ----------------------------------------------------------
    # Cryptographic service provider (CSP) configuration
    # ----------------------------------------------------------
    set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"
    
    # ----------------------------------------------------------
    # Hash algorithm configuration
    # ----------------------------------------------------------
    set hash oid = "1.3.14.3.2.29"
    
    # ----------------------------------------------------------
    # Enforcement configuration
    # ----------------------------------------------------------
    set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"
    
    # ----------------------------------------------------------
    # Tracing configuration
    # ----------------------------------------------------------
    set tracing state = "disable" level = "basic"
    
    # ----------------------------------------------------------
    # User interface configuration
    # ----------------------------------------------------------
    reset userinterface
    popd
    # End of NAP client configuration
    
    # -----------------------------------------
    # Remote Access Configuration
    # -----------------------------------------
    pushd ras
    set authmode mode = standard
    delete authtype type = PAP
    delete authtype type = MD5CHAP
    delete authtype type = MSCHAPv2
    delete authtype type = EAP
    delete authtype type = CERT
    add authtype type = MSCHAPv2
    add authtype type = EAP
    delete link type = SWC
    delete link type = LCP
    add link type = SWC
    add link type = LCP
    delete multilink type = MULTI
    add multilink type = MULTI
    set conf confstate = enabled
    set type ipv4rtrtype = lanonly ipv6rtrtype = none rastype = none
    set wanports device = "WAN Miniport (SSTP)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPTP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPPOE)" ddoutonly = enabled
    set wanports device = "WAN Miniport (L2TP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (IKEv2)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set user name = Administrator dialin = policy cbpolicy = none
    set user name = Guest dialin = policy cbpolicy = none
    set ikev2connection idletimeout = 5 nwoutagetime = 30
    set ikev2saexpiry saexpirytime = 480 sadatasizelimit = 100
    popd
    
    # End of Remote Access configuration.
    
    # -----------------------------------------
    # Remote Access Diagnostics Configuration
    # -----------------------------------------
    pushd ras diagnostics
    set rastracing component = * state = disabled
    set modemtracing state = disabled
    set cmtracing state = disabled
    set securityeventlog state = disabled
    set loglevel events = warn
    popd
    # End of Remote Access Diagnostics Configuration.
    
    # -----------------------------------------
    # Remote Access IP Configuration
    # -----------------------------------------
    pushd ras ip
    delete pool
    set negotiation mode = allow
    set access mode = all
    set addrreq mode = deny
    set broadcastnameresolution mode = enabled
    set addrassign method = auto
    set preferredadapter
    popd
    
    # End of Remote Access IP configuration.
    
    # -----------------------------------------
    # Remote Access IPv6 Configuration
    # -----------------------------------------
    pushd ras ipv6
    
    set negotiation mode = deny
    set access mode = all
    set routeradvertise mode = enabled
    set prefix prefix = ::
    popd
    # End of Remote Access IPv6 configuration.
    
    # -----------------------------------------
    # Remote Access AAAA Configuration
    # -----------------------------------------
    pushd ras aaaa
    set authentication provider = windows
    set accounting provider = windows
    delete authserver name = *
    delete acctserver name = *
    popd
    # End of Remote Access AAAA configuration.
    
    # Routing Configuration
    pushd routing
    reset
    popd
    # IP Configuration
    pushd routing ip
    reset
    set loglevel error
    add preferenceforprotocol proto=LOCAL preflevel=1
    add preferenceforprotocol proto=STATIC preflevel=3
    add preferenceforprotocol proto=NONDOD preflevel=5
    add preferenceforprotocol proto=AUTOSTATIC preflevel=7
    add preferenceforprotocol proto=NetMgmt preflevel=10
    add preferenceforprotocol proto=RIP preflevel=120
    add interface name="Private Network" state=enable
    set filter name="Private Network" fragcheck=disable
    add interface name="Public Interface" state=enable
    set filter name="Public Interface" fragcheck=disable
    add interface name="Internal" state=enable
    add interface name="Loopback" state=enable
    popd
    # End of IP configuration
    
    # ----------------------------------
    # DNS Proxy configuration
    # ----------------------------------
    pushd routing ip dnsproxy
    uninstall
    popd
    # End of DNS proxy configuration
    
    # ----------------------------------
    # IGMP Configuration
    # ----------------------------------
    pushd routing ip igmp
    uninstall
    install
    set global loglevel = ERROR
    # IGMP configuration for interface "Private Network"
    delete interface name="Private Network"
    add interface name="Private Network" igmpprototype=IGMPRTRV3 ifenabled=enable robustvar=2 startupquerycount=2 startupqueryinterval=31 genqueryinterval=125 genqueryresptime=10 lastmemquerycount=2 lastmemqueryinterval=1000 accnonrtralertpkts=YES
    # IGMP configuration for interface "Public Interface"
    delete interface name="Public Interface"
    add interface name="Public Interface" igmpprototype=IGMPPROXY ifenabled=enable
    popd
    # End of IGMP configuration
    
    # ----------------------------------
    # NAT configuration
    # ----------------------------------
    pushd routing ip nat
    uninstall
    install
    set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR
    #NAT Configuration For Interface Private Network
    add interface name="Private Network" mode=PRIVATE
    #NAT Configuration For Interface Public Interface
    add interface name="Public Interface" mode=FULL
    #NAT Configuration For Interface Internal
    add interface name="Internal" mode=PRIVATE
    popd
    
    # ----------------------------------
    # DHCP Relay Agent configuration
    # ----------------------------------
    pushd routing ip relay
    uninstall
    popd
    # End of DHCP Relay configuration
    
    # ----------------------------------
    # RIP configuration
    # ----------------------------------
    pushd routing ip rip
    uninstall
    popd
    # End of RIP configuration
    
    # ----------------------------------
    # Router Discovery Configuration
    # ----------------------------------
    pushd routing ip routerdiscovery
    uninstall
    add interface name="Private Network" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Public Interface" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Internal" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Loopback" disc=disable minint=7 maxint=10 life=30 level=0
    popd
    
    # ----------------------------------
    # DHCP Allocator Configuration
    # ----------------------------------
    pushd routing ip autodhcp
    uninstall
    popd
    # End of DHCP Allocator Configuration
    
    # IPv6 Configuration
    pushd routing ipv6
    set filter name="Private Network" fragcheck=disable
    set filter name="Public Interface" fragcheck=disable
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # DHCPv6 Relay Agent configuration
    # ----------------------------------
    pushd routing ipv6 relayv6
    uninstall
    popd
    # End of DHCPv6 Relay configuration
    
    # -----------------------------------------------------------------------
    # Remote Access Demand Dial Configuration
    # -----------------------------------------------------------------------
    pushd ro demanddial
    
    # -----------------------------------------
    # WinHTTP Proxy Configuration
    # -----------------------------------------
    pushd winhttp
    reset proxy
    popd
    
    # End of WinHTTP Proxy Configuration
    popd
    
    popd
    exit
  7. Run the following commands to configure RRAS.
    sc config remoteaccess start= auto
    netsh -f C:\Install_Files\config-rras-nat.txt
    net start remoteaccess
    netsh -f C:\Install_Files\config-rras-nat.txt

For some reason, I can’t figure out how to configure RRAS NAT’ting from the command line without having to import the configuration, then start the service, then import the same configuration again. If I skip the second import, then RRAS doesn’t actually pass traffic. I should really spend more time on this, but meh — it works.

Installing ADDS

Next, we’ll install a server to run ADDS, DHCP, and DNS. This should provide all the basic network services needed for clients to easily access the internet.

  1. Build a VM with a single network interface, connected to the Private Network.
  2. Configure the IP information as follows:
    IP: 192.168.1.10
    Netmask: 255.255.255.0
    Gateway: 192.168.1.1
    DNS: 192.168.1.10
  3. Open PowerShell and run the following commands:
    Import-Module ServerManager
    Add-WindowsFeature ADDS-Domain-Controller
  4. Save the following code to C:\Install_Files\ADDS-Unattend.txt. Reference: Server 2008 R2 dcpromo.
    [DCINSTALL]
    InstallDNS=yes
    NewDomain=forest
    NewDomainDNSName=devdomain.local
    DomainNetBiosName=devdomain
    SiteName=Default-First-Site-Name
    ReplicaOrNewDomain=domain
    ForestLevel=4
    DomainLevel=4
    DatabasePath="%systemroot%\NTDS"
    LogPath="%systemroot%\NTDS"
    SYSVOLPath="%systemroot%\SYSVOL"
    RebootOnCompletion=yes
    SafeModeAdminPassword=P@ssw0rd
    
  5. Run the following command from the command prompt, then wait for the PC to reboot. If it doesn’t seem like things are working, type “Echo %errorlevel%” and cross-reference the number returned with the table here: dcpromo exit codes.
    start /wait dcpromo /unattend:C:\Install_Files\ADDS-Unattend.txt
  6. Run the following commands to configure your DNS service to forward queries to upstream DNS servers. In the code below, I’m using the Google public DNS service. You may have to use the upstream DNS server of your ISP or organization instead. Ref: Server 2008 R2 dnscmd.
    dnscmd %computername% /resetforwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave
  7. Next, run the following commands from PowerShell to install the DHCP service:
    Import-Module ServerManager
    Add-WindowsFeature DHCP
  8. Run the following commands from the command prompt to configure DHCP. Reference: Installing DHCP in Server Core.
    sc config dhcpserver start= auto
    net start dhcpserver
    netsh dhcp add server %computername% 192.168.1.10
    netsh dhcp server 192.168.1.10 add scope 192.168.1.0 255.255.255.0 DevDomainScope
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.200
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.10
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set state 1

Now, any machines connected to your private network should get a DHCP address containing a working DNS server and gateway. You can test this by deploying a new Windows VM and seeing if you can surf the internets.
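The test can be scripted on the new VM instead of just opening a browser. The following PowerShell is an added example, not part of the original post: it reads the DHCP-assigned adapter configuration and checks each piece the lab build above was supposed to deliver (a lease in 192.168.1.0/24, the RRAS router as gateway, the domain controller as DNS, the gateway answering ping, and an external name resolving through the forwarders). The lab addresses are the post’s; the external host name is a placeholder. It assumes PowerShell 3.0 or later on the client.

```powershell
# Added example (not from the original post): verify the lab network from a client VM.
$expectedGateway = '192.168.1.1'      # RRAS router's private interface (from the post)
$expectedDns     = '192.168.1.10'     # domain controller / DNS server (from the post)
$externalHost    = 'www.example.com'  # placeholder external name; any public host works

function Test-LabNetwork {
    # First DHCP-enabled adapter that has an address; ignore static/virtual adapters
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.DHCPEnabled } | Select-Object -First 1
    if (-not $nic) {
        Write-Host 'FAIL No DHCP-enabled adapter found'
        return $false
    }

    $checks = [ordered]@{
        'Lease is in scope 192.168.1.0/24' = [bool]($nic.IPAddress -match '^192\.168\.1\.')
        'Gateway is the RRAS router'       = ($nic.DefaultIPGateway -contains $expectedGateway)
        'DNS is the domain controller'     = ($nic.DNSServerSearchOrder -contains $expectedDns)
        'Gateway answers ping'             = (Test-Connection -ComputerName $expectedGateway -Count 1 -Quiet)
        'External name resolves'           = $false
    }
    # Resolution goes client -> 192.168.1.10 -> forwarders (8.8.8.8 / 8.8.4.4 in the post)
    try {
        $checks['External name resolves'] = [bool]([System.Net.Dns]::GetHostAddresses($externalHost))
    } catch { }

    foreach ($check in $checks.GetEnumerator()) {
        Write-Host ('{0,-4} {1}' -f ($(if ($check.Value) { 'PASS' } else { 'FAIL' })), $check.Key)
    }
    return -not ($checks.Values -contains $false)
}

if (-not (Test-LabNetwork)) { Write-Warning 'Lab network is not fully working; see FAIL lines above' }
```

A FAIL on the gateway ping with everything else passing usually means the RRAS import step was only run once (the double-import issue noted above); a FAIL only on the external name points at the dnscmd forwarder step.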

Powershell – Adding all Computers from an OU into a Group

This is a pretty simple script. It searches an OU for all computer objects, and adds them to a group. I needed to restrict certificate auto-enrollment permissions on the SCCM Certificate Templates to all computers in an OU and sub-OU’s. It runs every 5mins on our SCCM server.

Download

It’s named ‘Add-OUComputersToGroup.ps1’ and is available on my Github repo here: Jpuskar’s Github Page.

Usage

Change the variables at the top.

$rootOU – the DN of the root where you want to start searching.
$tgtGroupCN – the group you want computer objects to be placed into.
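For readers who want to see the shape of such a script without downloading it, here is an added PowerShell example. It is not the author’s Add-OUComputersToGroup.ps1 from GitHub; it only follows the two variable names described above, with placeholder values. It reads the group’s member attribute directly (so it is not subject to the Get-ADGroupMember result cap), adds only the computers that are not yet members, and so stays idempotent when scheduled every few minutes as the post describes. It assumes the ActiveDirectory module.

```powershell
# Added example (not the author's script): add every computer under $rootOU (and its
# sub-OUs) to $tgtGroupCN, skipping the ones that are already members.
Import-Module ActiveDirectory

$rootOU     = 'OU=Workstations,DC=mydomain,DC=com'   # placeholder: DN to start searching from
$tgtGroupCN = 'SCCM Cert Autoenroll Computers'       # placeholder: target group name

function Sync-OUComputersToGroup {
    param([string]$SearchBase, [string]$GroupName)

    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties member
    if (-not $group) { throw "Group '$GroupName' not found" }

    # Existing members by DN, read from the attribute itself
    $current = @($group.member)

    # All computer objects in the OU tree
    $computers = @(Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope Subtree)
    $toAdd = @($computers | Where-Object { $current -notcontains $_.DistinguishedName })

    if ($toAdd.Count -gt 0) {
        # One write for all new members; the account running this needs only
        # write access to the group's member attribute, nothing more.
        Add-ADGroupMember -Identity $group -Members $toAdd
    }

    [pscustomobject]@{
        Group    = $group.DistinguishedName
        Found    = $computers.Count
        Added    = $toAdd.Count
        AddedDNs = @($toAdd | ForEach-Object { $_.DistinguishedName })
    }
}

$result = Sync-OUComputersToGroup -SearchBase $rootOU -GroupName $tgtGroupCN
Write-Host "$($result.Found) computer(s) found under $rootOU; $($result.Added) added to $tgtGroupCN"
$result.AddedDNs | ForEach-Object { Write-Host "  + $_" }
```

Because membership is used as an auto-enrollment ACL, the account that runs this on a schedule should be delegated write access to the member attribute of that one group only, not broad group-management rights.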

Good luck!

SCCM Task Sequence – Disable Bitlocker in WinPE

I made a task sequence action that backs up a computer using robocopy before partitioning, only to find that the system is protected by BitLocker. Here’s how to automatically unlock BitLocker drives in WinPE in a task sequence. This script will only work if you integrated the WinPE ADSI Plug-In into your boot image. For instructions, see this post: “SCCM – Adding Active Directory Support to WinPE 3.1”.

The Script

I didn’t write the script myself; I heavily modified a script that I can’t find the source for. If part of this is yours, please let me know! I know I found it on a blog somewhere…sorry :(. Make a new SCCM package named “Scripts – DecryptDBE”, and save this script as “Auto-DecryptBDE.vbs” in the package source directory.

sUsername = "REMOVED"
sPassword = "REMOVED"
sDCfqdn = "REMOVED--DomainController"

'ADSI authentication flags (ADS_AUTHENTICATION_ENUM), declared at script level so
'every function that binds to AD uses the same values.
Const ADS_SECURE_AUTHENTICATION = 1   '0x1
Const ADS_USE_SEALING = 64            '0x40
Const ADS_USE_SIGNING = 128           '0x80
Const ADS_SERVER_BIND = 512           '0x200

Sub Write_Log(msg)
	Wscript.Echo msg
End Sub

'Return an array of "<name>|<recovery password>" strings, one per msFVE-RecoveryInformation
'child of the computer object at dn, or Null if the computer has none.
Function Get_RecoveryKeysFromDN(dn, sDCfqdn, sUsername, sPassword)
	Set objDSO = GetObject("LDAP:")
	strPathToComputer = "LDAP://" & sDCfqdn & "/" & dn

	'--------------------------------------------------------------------------------
	'Get all BitLocker recovery information from the Active Directory computer object
	'--------------------------------------------------------------------------------
	'Bind with explicit credentials; sign and seal the LDAP session so the recovery
	'passwords do not cross the wire in the clear.
	Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, sUsername, sPassword, _
		ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
	objFveInfos.Filter = Array("msFVE-RecoveryInformation")

	'Iterate through each recovery information object and save its name and password
	Dim aKeys()
	Redim aKeys(0)
	i = 0
	bFoundKey = False
	For Each objFveInfo In objFveInfos
		bFoundKey = True
		If UBound(aKeys) < i Then
			Redim Preserve aKeys(i)
		End If
		strName = objFveInfo.Get("name")
		strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
		aKeys(i) = strName & "|" & strRecoveryPassword
		i = i + 1
	Next

	If bFoundKey Then
		Get_RecoveryKeysFromDN = aKeys
	Else
		Get_RecoveryKeysFromDN = Null
	End If
End Function

'Search the global catalog for every computer object and look through each one's recovery
'information for the key protector ID sBDEPassword. Returns the recovery password, or False.
Function Find_ADRecoveryKey(sBDEPassword, sDCfqdn, sUsername, sPassword)
	strBase = "<GC://" & sDCfqdn & ">"
	strFilter = "(&(objectCategory=computer))"
	strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

	'Create the ADO connection to the AD provider
	Set oConnection = CreateObject("ADODB.Connection")
	oConnection.Provider = "ADsDSOObject"
	oConnection.Properties("User ID") = sUsername
	oConnection.Properties("Password") = sPassword
	oConnection.Properties("Encrypt Password") = True
	oConnection.Properties("ADSI Flag") = ADS_SERVER_BIND Or ADS_SECURE_AUTHENTICATION
	oConnection.Open "Active Directory Provider"

	Set oCommand = CreateObject("ADODB.Command")
	Set oCommand.ActiveConnection = oConnection
	oCommand.CommandText = strQuery
	oCommand.Properties("Page Size") = 100
	oCommand.Properties("Timeout") = 100
	oCommand.Properties("Cache Results") = False

	Set objRecordSet = oCommand.Execute
	If objRecordSet.EOF Then
		Write_Log "The domain could not be contacted."
		WScript.Quit 1
	End If

	'For each computer object found, look through its keys for the one we want.
	bKeyFound = False
	Do Until objRecordSet.EOF
		dnFound = objRecordSet.Fields("distinguishedName").Value
		aRecoveryKeys = Get_RecoveryKeysFromDN(dnFound, sDCfqdn, sUsername, sPassword)

		'A computer with exactly one key gives UBound = 0, so >= 0 is the correct test
		If IsArray(aRecoveryKeys) Then
			If UBound(aRecoveryKeys) >= 0 Then
				For Each sKey In aRecoveryKeys
					If InStr(sKey, sBDEPassword) > 0 Then
						Write_Log "Matching key found under computer dn: """ & dnFound & """."
						strTempString = Split(sKey, "|")
						sRecoveryKey = strTempString(1)
						bKeyFound = True
					End If
				Next
			End If
		End If

		If bKeyFound Then
			Exit Do
		Else
			objRecordSet.MoveNext
		End If
	Loop

	'Clean up
	objRecordSet.Close
	oConnection.Close
	Set objRecordSet = Nothing
	Set oCommand = Nothing
	Set oConnection = Nothing

	If bKeyFound Then
		Find_ADRecoveryKey = sRecoveryKey
	Else
		Find_ADRecoveryKey = False
	End If
End Function

'Unlock every locked BitLocker volume for which AD holds a recovery password
'matching one of the volume's key protector IDs.
Sub Unlock_AllDrivesWithAD(sDCfqdn, sUsername, sPassword)
	On Error Resume Next
	Set oWMIService = GetObject("winmgmts:\\.\root\CIMV2\Security\MicrosoftVolumeEncryption")
	Set oVolumes = oWMIService.InstancesOf("Win32_EncryptableVolume")

	For Each volume In oVolumes
		'ref: http://msdn.microsoft.com/en-us/library/windows/desktop/aa376434(v=vs.85).aspx
		volume.GetLockStatus iBDEStatus                  '0 = unlocked, 1 = locked
		volume.GetKeyProtectors 0, VolumeKeyProtectorID  '0 = all key protector types
		sDriveLetter = volume.DriveLetter

		If iBDEStatus <> 0 Then
			Write_Log "Found locked volume. Drive letter: """ & sDriveLetter & """."
			For Each objId In VolumeKeyProtectorID
				Write_Log "KeyProtector for drive letter """ & sDriveLetter & """: """ & objId & """."
			Next

			'Loop through all key protectors and search AD for a corresponding recovery key
			For Each BDEPassword In VolumeKeyProtectorID
				sADRecoveryKey = Find_ADRecoveryKey(BDEPassword, sDCfqdn, sUsername, sPassword)
				If VarType(sADRecoveryKey) = vbString Then
					'attempt unlock
					Write_Log "Unlocking drive with AD key"
					volume.UnlockWithNumericalPassword sADRecoveryKey
					'GetLockStatus (not GetProtectionStatus) reports whether the unlock worked
					volume.GetLockStatus iBDEStatus
					If iBDEStatus = 0 Then
						Write_Log "Drive unlocked."
						Exit For
					Else
						Write_Log "Failed to unlock the drive."
						Wscript.Quit 100
					End If
				End If
			Next
		End If
	Next
End Sub

'Fall back to asking the user for a recovery password for any volume that is still locked.
Sub Unlock_AllDrivesWithManualKey()
	On Error Resume Next
	Set oWMIService = GetObject("winmgmts:\\.\root\CIMV2\Security\MicrosoftVolumeEncryption")
	Set oVolumes = oWMIService.InstancesOf("Win32_EncryptableVolume")

	For Each volume In oVolumes
		'ref: http://msdn.microsoft.com/en-us/library/windows/desktop/aa376434(v=vs.85).aspx
		volume.GetLockStatus iBDEStatus
		volume.GetKeyProtectors 0, VolumeKeyProtectorID
		sDriveLetter = volume.DriveLetter

		If iBDEStatus <> 0 Then
			Write_Log "Failed to unlock all volumes with AD recovery keys. Asking user for manual key input."
			Write_Log "Found locked volume. Drive letter: """ & sDriveLetter & """."
			For Each objId In VolumeKeyProtectorID
				Write_Log "KeyProtector for drive letter """ & sDriveLetter & """: """ & objId & """."
			Next

			'Ask the user for a password repeatedly until the drive unlocks, the user types
			'"next" to move on to the next key protector, or the user presses Cancel.
			bUnlocked = False
			For Each BDEPassword In VolumeKeyProtectorID
				If bUnlocked Then Exit For
				bContinue = True
				While bContinue
					msg = "No key was found in AD for volume " & sDriveLetter & " with key protector ID " & BDEPassword & _
						". Please enter a recovery password to unlock the drive. Type ""next"" to attempt skipping to the next key protector (if available). Press Cancel to quit."
					sUserKey = InputBox(msg)
					If Len(sUserKey) = 0 Then
						'Cancel (or an empty entry) aborts the task sequence step
						Wscript.Quit 100
					ElseIf LCase(sUserKey) = "next" Then
						bContinue = False
					Else
						volume.UnlockWithNumericalPassword sUserKey
						volume.GetLockStatus iBDEStatus
						If iBDEStatus = 0 Then
							Write_Log "Drive unlocked."
							bContinue = False
							bUnlocked = True
						Else
							MsgBox "Failed to unlock the drive."
						End If
					End If
				Wend
			Next
		End If
	Next
End Sub

Unlock_AllDrivesWithAD sDCfqdn, sUsername, sPassword
Unlock_AllDrivesWithManualKey

A couple of quick notes: it would be prudent for me (or you) to rewrite this script so that AD credentials are passed by argument instead of hard-coded. Also, it’d be nice if it found the domain controllers via DNS SRV records instead of having one hard-coded.
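As an added example (not part of Auto-DecryptBDE.vbs), here is the same key protector ID to recovery password lookup in PowerShell for an administrator workstation, taking up the first note: credentials arrive as a parameter, and a single global catalog query by key protector ID replaces enumerating every computer object in the forest. The DC name and GUID are constructed placeholders; the RSAT ActiveDirectory module is assumed, as is the default schema in which msFVE-RecoveryPassword is not replicated to the global catalog.

```powershell
# Added example; not the post's Auto-DecryptBDE.vbs. Resolves one BitLocker key protector ID
# (the GUID that manage-bde -protectors -get prints) to its recovery password stored in AD.
# Assumes the RSAT ActiveDirectory module and a DC that hosts the global catalog.
Import-Module ActiveDirectory

function Get-BdeRecoveryPasswordFromAD {
    param(
        [Parameter(Mandatory)] [string] $KeyProtectorId,  # e.g. '{A1B2C3D4-...}' (constructed)
        [Parameter(Mandatory)] [string] $GlobalCatalog,   # e.g. 'dc01.corp.example' (constructed)
        [System.Management.Automation.PSCredential] $Credential  # passed in, never hard-coded
    )
    # Accept '{guid}' or 'guid', and refuse anything that is not a GUID before it is
    # placed into an LDAP filter.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($KeyProtectorId.Trim('{', '}'), [ref] $guid)) {
        throw "'$KeyProtectorId' is not a key protector GUID."
    }
    $adArgs = @{}
    if ($Credential) { $adArgs.Credential = $Credential }

    # Step 1: one forest-wide query against the GC (port 3268). The recovery object's name
    # ends in '{<protector GUID>}' and 'name' is replicated to the GC, so this replaces a
    # scan of every computer object followed by a bind to each one.
    $found = @(Get-ADObject -Server "$($GlobalCatalog):3268" @adArgs `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$guid}*))")
    if ($found.Count -eq 0) { return $null }
    if ($found.Count -gt 1) { throw "More than one recovery object matches {$guid}." }

    # Step 2: msFVE-RecoveryPassword is not in the GC partial attribute set, so read it from
    # the domain that owns the object, derived from the DC= components of its DN.
    $dn     = $found[0].DistinguishedName
    $domain = (($dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
    $obj    = Get-ADObject -Server $domain @adArgs -Identity $dn -Properties msFVE-RecoveryPassword

    # The parent of the recovery object is the computer object, so the caller can confirm
    # the password belongs to the machine in front of them before using it.
    [pscustomobject]@{
        ComputerDN       = ($dn -split ',(?=CN=|OU=)', 2)[1]
        KeyProtectorId   = "{$guid}"
        RecoveryPassword = $obj.'msFVE-RecoveryPassword'
    }
}

# Usage from an admin workstation (values constructed); WinPE 3.1 itself has no PowerShell:
# Get-BdeRecoveryPasswordFromAD -KeyProtectorId '{A1B2C3D4-0000-0000-0000-000000000000}' `
#     -GlobalCatalog 'dc01.corp.example' -Credential (Get-Credential)
```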

Task Sequence Work

Just make a “Run Command-Line” action in your task sequence with the following parameters.

Name: Decrypt Bitlocker Drives
Command: Auto-DecryptBDE.vbs
Package: Scripts - DecryptDBE

I wish you more awesome task sequences!

SCCM – Adding Active Directory Support to WinPE 3.1

Wouldn’t it be awesome if you could do AD queries from WinPE 3.1? I have the process written up deep in another blog post, and it’s come to my attention that it’s hard to find without a pointer.

Check out this post. Start with the section “ADSI Files” leading through “Upgrading to WinPE 3.1”.

Getting Started with SCCM 2007 and Windows 7 OSD (Part 1)

Thanks again!