vPro Series of Posts
Now that you have provisioning down with Digest users, let’s add that unique Kerberos twist. Before you begin, I highly recommend watching the following video. It’s difficult. It’s technical. It’s also incredibly helpful to understand the underpinnings of Kerberos.
Brian Desmond: Kerberos Uncovered
- Configure SCS Profile for Kerberos
- Configure Admin Workstation IE and Network Settings
- IE Options
- Windows Integrated Authentication
- AMT Device to Local Intranet
- Automatic Logon security settings enabled
- Protected mode disabled for Local Intranet
- TLS 1.1 enabled
- OS Options
- Kerberos CNAME registry key imported
- Kerberos Port Number registry key imported
- Pre-flight checklist
- AMT Device AD Object Exists
- AMT Device SPN’s registered and correct
- No duplicate SPN’s
- Re-Configuring the AMT Device
- Try it out!
Configure SCS Profile for Kerberos
- Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
- On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb’ for the name, and then click ‘Next’.
- On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
- Active Directory Integration
- Access Control List (ACL)
- On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
- On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user o group account.
- On the ‘User/Group Details’ screen, switch the “Access Type” to “Both”, and check all checkboxes except “Access Monitor’. Then, click OK to save.
- On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
- Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
- Click the ‘set’ button next to the label ‘Edit IP and settings’.
- On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
- Under the IP frame, choose ‘Get the IP from the DHCP server’.
- Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
- On the ‘Finish’ screen, click ‘Finish’.
Configure Admin Workstation IE and Network Settings
Out of the box, Windows and IE don’t like to play well with some particular aspects of the Intel AMT Kerberos implementation. The following will make everything work. All of this must be done on the administrator’s workstation — the computer which will be used to connect to the AMT device. None of these steps need to be completed on the target AMT system itself.
Internet Explorer Options
We will perform the following steps below:
- Enable Windows Integrated Authentication
- Add AMT Device to the Local Intranet zone
- Enable Automatic Logon security settings
- Disable protected mode for the Local Intranet zone
- Enable TLS 1.1
Procedure for Updating Internet Explorer Options
- Login to your workstation as the user that you would like to use to connect to the AMT system.
- Open Internet Explorer.
- Click the gear icon in the top-right, then choose ‘Internet Options’
- Select the ‘Advanced’ tab.
- Scroll down to the ‘Security’ section.
- Make sure that the following boxes are checked:
- Windows Integrated Authentication
- TLS 1.0
- TLS 1.1
- TLS 1.2
- Select the ‘Security’ tab.
- Click the ‘Local Intranet’ zone.
- Click Sites -> Advanced
- Add the FQDN of the target device, prefixed with http://. Example: “http://user-pc-01.mydomain.com”. Then, click ‘Add’.
- Click ‘OK’ until you are back to the ‘Internet Options’ screen.
- Click the ‘Custom Level…’ button.
- Scroll down to the section ‘User Authentication’.
- Ensure that the radio button named ‘Automatic logon with current user name and password’ is selected, then click ‘OK’.
- Back at the ‘Internet Options’ screen, make sure that the check box named ‘Enabled Protected Mode’ is not checked.
Operating System Options
The Windows operating system needs tweaked to allow Kerberos tickets for an HTTP or HTTPS on a non-standard port. It also needs tweaked to allow Kerberos tickets for CNAME’s. Even though the references below at targetted at XP and Windows Server 2003, they still apply to all current windows and IE versions (including Windows 8 and Windows Server 2012).
Add the following registry entries:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Next, let’s make sure that we don’t have any outstanding AD or SPN issues that will prevent Kerberos from working.
Confirm that AMT Device AD Object Exists
Open active directory and navigate to the OU that you specified for AMT devices in the SCS profile. Is your computer object there? If so, you’re set. If not, then it wasn’t created in our previous provisioning. This might be ok, but it’s probably better to go back a few blog posts and try everything again.
Confirm that the AMT Device SPN’s Registered and Correct
- Open Active Directory.
- Select ‘View’ from the top menu, then choose to enable ‘Advanced Features’.
- Browse to the OU which contains the AMT objects, as specified in your SCS profile.
- Right-click the AMT device which will be tested and choose ‘Properties’.
- Click the ‘Attribute Editor’ tab.
- Scroll down to the field named ‘ServicePrincipalNames’, and double-click it.
- Verify that the following SPN’s are registered:
If you do not see the SPN’s registered, I suggest deleting the AMT object and re-provisioning it.
No duplicate SPN’s
Open a command prompt as administrator and type the following command. It should return zero duplicate SPN’s.
If it shows duplicate SPN’s, it will be necessary to remove the duplicates with this command:
setspn –D <SPN> <Account>
I highly recommend that you google around and read up on the concept of SPN’s and duplicate SPN’s before doing this.
Re-Configuring the AMT Device
Woohoo! Again, the actual meat of the process.
- Login to the target AMT system.
- Open a command prompt and navigate to C:\Temp\vPro.
- Run the following command:
acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>
You should see no errors.
Try it out!
First, try to open the WebUI at http://fqdn:16992. Use internet explorer, and make sure that you are logged in as a user which was given access in the SCS profile, and also has the internet explorer options configured properly (outlined above). Also, make sure that the target FQDN is in the ‘Intranet Zone’ in the IE options.
The WebUI should log in correctly. If you get a pop-up window asking for a username and password, then Kerberos has failed and the web page is attempting to use digest authentication.
You can also now use RealVNC+. Make sure to go into the options -> connections tab and check the box labeled ‘Use Single Sign-on’.
Also, you can use Manageability Commander. One issue with Manageability Commander is that it doesn’t support Kerberos SOL connections out of the box. To make Kerberos SOL connections work, it’s necessary to run the program with the following command-line switch: “-alttsp:0”.
Troubleshooting is actually pretty difficult, but there are three main things to try.
First, go back over all of the blog posts and double-check everything. This is a pain, and it seems like it won’t solve the problem, but it often does. I once misspelled the registry entry for the Kerberos port number workaround, and spent hours checking every other aspect of the configuration.
Second, if your problem is with Manageability Commander or Intel Platform Solutions Manager, you can configure Intel’s DLL files to dump a log. To do this, navigate to the application folder in Windows Explorer. Look for a file named ‘imrsdk.dll’ or ‘imrsdk_x64.dll’. Add a new file named ‘imrsdk.ini’ with the following code.
Make sure to restart your application. The Intel DLL will then drop a new file named log.txt into it’s folder, and may offer some good information.
Third, you can try the Wireshark approach. Install Wireshark on a computer with two network cards, and place it between your AMT device and its network connection. Then, bridge the connections on the Wireshark computer. You can use this computer to collect all TCP packets between the AMT device ,the domain controllers, and the SCS service. This might tell you if you have network-level problems. It may also be necessary to insert the Wireshark computer between your workstation and your workstation’s wired connection in order to see if the requested SPN is correct.
The next post will cover adding TLS to the mix!