Intel vPro – Configuration – Part 10 – SCCM Integration

vPro Series of Posts


Now that we have a standalone vPro reference installation, let’s integrate it into SCCM!

Here, I’m going to turn things over to Brian Muller. His blog post on SCCM 2012 integration is excellent.

Integrating SCCM 2012 with SCS 8.1

Here is the general overview. Consider it a preview of what you’re in for (stolen from his post).

  1. Adding the Out of Band Role Management Role to your SCCM server
  2. Extending the Hardware Inventory for SCCM 2012
  3. Modifying the SCS profile for SCCM 2012
  4. Creating the collections required for the discovery and configuration of your clients
  5. Creating the Discovery and Configurations packages
  6. Creating the Task Sequences required for the discovery and configuration of your clients
  7. Creating the Deployments (SCCM 2007 – Advertisements)
  8. Creating the Status Filter rules to automatically update the Intel collections
  9. Queries to help you troubleshoot

Next up, some custom PowerShell scripting to make things a bit easier.

Intel vPro – Configuration – Part 9 – Adding TLS

TLS: The Final Frontier. Here’s how it goes!

Overview

  1. Configuring a SCS Profile for TLS
  2. Reconfigure the AMT Device
  3. Try it out!
  4. Troubleshooting Options

Configuring a SCS Profile for TLS

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb-tls’ for the name, and then click ‘Next’.
  3. On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
    • Active Directory Integration
    • Access Control List (ACL)
    • Transport Layer Security (TLS)
  4. On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
  5. On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
  6. On the ‘User/Group Details’ screen, switch the “Access Type” to “Both”, and check all checkboxes except “Access Monitor”. Then, click OK to save.
  7. On the ‘Transport Layer Security’ screen, choose your vPro SHA1 CA from the CA drop-down box, then choose the certificate template named “AMTTLSCertificates”, then click ‘Next’.
  8. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  9. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  10. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  11. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  12. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  13. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  14. On the ‘Finish’ screen, click ‘Finish’.

Reconfigure the AMT Device

The process for this is the same as the process in the previous blog post.

  1. Login to the target AMT system.
  2. Open a command prompt and navigate to C:\Temp\vPro.
  3. Run the following command:
    acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

You should see no errors.

Try it out!

First, try the WebUI in IE at https://amt-system.yourdomain.com:16993. Note that the protocol is ‘https’ and the port number is 16993. Next, try VNC+. Choose ‘TLS’ from the drop-down box labeled ‘Encryption’. Lastly, try Manageability Commander.
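
Opening the WebUI in IE only proves that the browser accepted the connection. As an added example that is not part of the original post, the following PowerShell pulls the certificate the AMT device presents on port 16993, prints its subject, issuer and thumbprint, and checks that it chains to a root the workstation trusts, that it was issued by the CA chosen in the profile, and that its name matches the device FQDN. The host name and the expected issuer string are example values; the certificate template name (AMTTLSCertificates) and the port come from the post.

```powershell
# Added example, not from the original post. Inspect the TLS certificate an
# AMT device serves on 16993 and verify issuer, name and chain of trust.
$AmtFqdn        = 'amt-system.yourdomain.com'  # example target AMT system
$TlsPort        = 16993                         # AMT WebUI over TLS (16992 is plain HTTP)
$ExpectedIssuer = 'CN=vPro SHA1 CA'             # example: subject of the CA selected in the SCS profile

function Get-AmtTlsCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so it can be inspected;
        # trust is evaluated separately in Test-AmtTlsCertificate.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        Write-Host ("Protocol: {0}  Cipher: {1}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Close()
    }
}

function Test-AmtTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$HostName, [string]$ExpectedIssuer)
    Write-Host "Subject   : $($Cert.Subject)"
    Write-Host "Issuer    : $($Cert.Issuer)"
    Write-Host "Thumbprint: $($Cert.Thumbprint)"
    Write-Host "Valid     : $($Cert.NotBefore) -> $($Cert.NotAfter)"

    # The chain must build to a root in the workstation's Trusted Root store (the vPro root CA).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability from the workstation is a separate check
    $chainOk = $chain.Build($Cert)
    foreach ($status in $chain.ChainStatus) {
        Write-Host "Chain status: $($status.Status) - $($status.StatusInformation)"
    }

    # The device certificate must come from the CA chosen in the profile and carry the device FQDN.
    $issuerOk = $Cert.Issuer -like "*$ExpectedIssuer*"
    $dnsName  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk   = $dnsName -eq $HostName
    return ($chainOk -and $issuerOk -and $nameOk)
}

$cert = Get-AmtTlsCertificate -HostName $AmtFqdn -Port $TlsPort
"TLS certificate acceptable: $(Test-AmtTlsCertificate -Cert $cert -HostName $AmtFqdn -ExpectedIssuer $ExpectedIssuer)"
```

If the chain status reports an untrusted root, the workstation is missing the root CA certificate in its Trusted Root store; if the issuer check fails, the profile is using a different CA than the one you expected.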

Troubleshooting Options

  1. If provisioning fails, you can try adding the /verbose switch to acuconfig. This might give you more information.
  2. For Manageability Commander, you can choose ‘help’ -> ‘show debug info’. This can be very useful.
  3. For any applications using the Intel DLLs, you can enable debug mode like in the last blog post’s troubleshooting section.

And there you have it! vPro with Kerberos and TLS. The next blog post will focus on polishing everything a bit and adding some automation.

Intel vPro – Configuration – Part 8 – Adding Kerberos

Now that you have provisioning down with Digest users, let’s add that unique Kerberos twist. Before you begin, I highly recommend watching the following video. It’s difficult. It’s technical. It’s also incredibly helpful to understand the underpinnings of Kerberos.

Brian Desmond: Kerberos Uncovered

Overview

  1. Configure SCS Profile for Kerberos
  2. Configure Admin Workstation IE and Network Settings
    1. IE Options
        1. Windows Integrated Authentication
        2. AMT Device to Local Intranet
        3. Automatic Logon security settings enabled
        4. Protected mode disabled for Local Intranet
        5. TLS 1.1 enabled
    2. OS Options
      1. Kerberos CNAME registry key imported
      2. Kerberos Port Number registry key imported
  3. Pre-flight checklist
    1. AMT Device AD Object Exists
    2. AMT Device SPN’s registered and correct
    3. No duplicate SPN’s
  4. Re-Configuring the AMT Device
  5. Try it out!
  6. Troubleshooting

Configure SCS Profile for Kerberos

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb’ for the name, and then click ‘Next’.
  3. On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
    • Active Directory Integration
    • Access Control List (ACL)
  4. On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
  5. On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
  6. On the ‘User/Group Details’ screen, switch the “Access Type” to “Both”, and check all checkboxes except “Access Monitor”. Then, click OK to save.
  7. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  8. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  9. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  10. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  11. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  12. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  13. On the ‘Finish’ screen, click ‘Finish’.

Configure Admin Workstation IE and Network Settings

Out of the box, Windows and IE don’t like to play well with some particular aspects of the Intel AMT Kerberos implementation. The following will make everything work. All of this must be done on the administrator’s workstation — the computer which will be used to connect to the AMT device. None of these steps need to be completed on the target AMT system itself.

Internet Explorer Options

We will perform the following steps:

  • Enable Windows Integrated Authentication
  • Add AMT Device to the Local Intranet zone
  • Enable Automatic Logon security settings
  • Disable protected mode for the Local Intranet zone
  • Enable TLS 1.1

Procedure for Updating Internet Explorer Options

  1. Login to your workstation as the user that you would like to use to connect to the AMT system.
  2. Open Internet Explorer.
  3. Click the gear icon in the top-right, then choose ‘Internet Options’
  4. Select the ‘Advanced’ tab.
  5. Scroll down to the ‘Security’ section.
  6. Make sure that the following boxes are checked:
    1. Windows Integrated Authentication
    2. TLS 1.0
    3. TLS 1.1
    4. TLS 1.2
  7. Select the ‘Security’ tab.
  8. Click the ‘Local Intranet’ zone.
  9. Click Sites -> Advanced
  10. Add the FQDN of the target device, prefixed with http://. Example: “http://user-pc-01.mydomain.com”. Then, click ‘Add’.
  11. Click ‘OK’ until you are back to the ‘Internet Options’ screen.
  12. Click the ‘Custom Level…’ button.
  13. Scroll down to the section ‘User Authentication’.
  14. Ensure that the radio button named ‘Automatic logon with current user name and password’ is selected, then click ‘OK’.
  15. Back at the ‘Internet Options’ screen, make sure that the check box named ‘Enable Protected Mode’ is not checked.

Operating System Options

The Windows operating system needs to be tweaked to allow Kerberos tickets for HTTP or HTTPS on a non-standard port. It also needs to be tweaked to allow Kerberos tickets for CNAMEs. Even though the references below are targeted at XP and Windows Server 2003, they still apply to all current Windows and IE versions (including Windows 8 and Windows Server 2012).

References:

Procedure

Add the following registry entries:

Entry #1
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #2
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #3
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1

Entry #4
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1
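
As an added example that is not part of the original post, the four entries above can be applied and read back with PowerShell from an elevated prompt on the admin workstation. Reading them back matters: the author's own troubleshooting story below is a misspelled registry entry, and a verification pass catches that immediately. The key paths, value name and DWORD value are exactly the ones listed above; nothing else is assumed.

```powershell
# Added example, not from the original post. Applies the four IE FeatureControl
# entries listed above and verifies each one.
$features = @(
    'FEATURE_USE_CNAME_FOR_SPN_KB911149',   # build the Kerberos SPN from the CNAME target
    'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'  # include the non-standard port (16992/16993) in the SPN
)
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
)

function Set-IeFeatureControl {
    param([string]$Root, [string]$Feature)
    $keyPath = Join-Path $Root $Feature
    # Create the feature key only if it does not exist yet
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # The value name is the process name; REG_DWORD 1 enables the feature for iexplore.exe
    New-ItemProperty -Path $keyPath -Name 'iexplore.exe' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-IeFeatureControl {
    param([string]$Root, [string]$Feature)
    $keyPath = Join-Path $Root $Feature
    $item = Get-ItemProperty -Path $keyPath -Name 'iexplore.exe' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.'iexplore.exe' -eq 1)
}

foreach ($root in $roots) {
    foreach ($feature in $features) {
        Set-IeFeatureControl -Root $root -Feature $feature
        $ok = Test-IeFeatureControl -Root $root -Feature $feature
        "{0}  {1}\{2}" -f ($(if ($ok) { 'OK     ' } else { 'MISSING' }), $root, $feature)
    }
}
```

Run it again after any change and every line should report OK; a MISSING line points at the exact key that was mistyped.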

Pre-flight Checklist

Next, let’s make sure that we don’t have any outstanding AD or SPN issues that will prevent Kerberos from working.

Confirm that AMT Device AD Object Exists

Open active directory and navigate to the OU that you specified for AMT devices in the SCS profile. Is your computer object there? If so, you’re set. If not, then it wasn’t created in our previous provisioning. This might be ok, but it’s probably better to go back a few blog posts and try everything again.

Confirm that the AMT Device SPN’s Registered and Correct

  1. Open Active Directory.
  2. Select ‘View’ from the top menu, then choose to enable ‘Advanced Features’.
  3. Browse to the OU which contains the AMT objects, as specified in your SCS profile.
  4. Right-click the AMT device which will be tested and choose ‘Properties’.
  5. Click the ‘Attribute Editor’ tab.
  6. Scroll down to the field named ‘ServicePrincipalNames’, and double-click it.
  7. Verify that the following SPN’s are registered:
    1. HTTP://fqdn:16992
    2. HTTP://fqdn:16993
    3. HTTP://fqdn:16994
    4. HTTP://fqdn:16995
    5. HTTP://fqdn:623
    6. HTTP://fqdn:664

If you do not see the SPN’s registered, I suggest deleting the AMT object and re-provisioning it.

No duplicate SPN’s

Open a command prompt as administrator and type the following command. It should return zero duplicate SPN’s.

setspn -x

If it shows duplicate SPN’s, it will be necessary to remove the duplicates with this command:

setspn -D <SPN> <Account>

I highly recommend that you google around and read up on the concept of SPN’s and duplicate SPN’s before doing this.
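
The two checks above (the AMT object's SPNs, and no duplicate SPNs in the domain) can be scripted. This is an added example, not code from the original post: it assumes the ActiveDirectory PowerShell module (RSAT) and setspn.exe are available on the admin workstation, that the device FQDN and OU shown are example values, and that SPNs are stored in the standard HTTP/fqdn:port form that the Attribute Editor displays. The port list is the one from the checklist above.

```powershell
# Added example, not from the original post. Pre-flight check of an AMT
# device's registered SPNs and of duplicate SPNs in the forest.
Import-Module ActiveDirectory

$AmtFqdn  = 'user-pc-01.mydomain.com'            # example FQDN of the AMT device
$AmtOu    = 'OU=AMT Objects,DC=mydomain,DC=com'  # example OU chosen in the SCS profile
$AmtPorts = 16992, 16993, 16994, 16995, 623, 664  # ports SCS registers, per the list above

# Assumption: SPNs are stored as <class>/<host>:<port>, e.g. HTTP/user-pc-01.mydomain.com:16992
$expected = $AmtPorts | ForEach-Object { "HTTP/${AmtFqdn}:$_" }

function Get-AmtComputerObject {
    param([string]$Fqdn, [string]$SearchBase)
    # SCS creates the object with the device's DNS host name; look it up under the AMT OU
    Get-ADComputer -Filter "DNSHostName -eq '$Fqdn'" -SearchBase $SearchBase -Properties servicePrincipalName
}

function Test-AmtSpns {
    param([string]$Fqdn, [string]$SearchBase, [string[]]$Expected)
    $obj = Get-AmtComputerObject -Fqdn $Fqdn -SearchBase $SearchBase
    if (-not $obj) {
        Write-Warning "No computer object for $Fqdn under $SearchBase; re-provision the device"
        return $false
    }
    $registered = @($obj.servicePrincipalName)
    $missing = @($Expected | Where-Object { $registered -notcontains $_ })
    foreach ($spn in $Expected) {
        $state = if ($registered -contains $spn) { 'OK     ' } else { 'MISSING' }
        Write-Host "$state $spn"
    }
    return ($missing.Count -eq 0)
}

function Test-NoDuplicateSpns {
    # Assumption: setspn -X finishes with a line of the form 'found N group of duplicate SPNs.'
    $output = & setspn.exe -X 2>&1 | Out-String
    if ($output -match 'found (\d+) group') { return ([int]$Matches[1] -eq 0) }
    Write-Warning "Unexpected setspn output:`n$output"
    return $false
}

$spnsOk = Test-AmtSpns -Fqdn $AmtFqdn -SearchBase $AmtOu -Expected $expected
$dupOk  = Test-NoDuplicateSpns
"All expected SPNs registered: $spnsOk   No duplicate SPNs: $dupOk"
```

A MISSING line for any of the six SPNs is the cue to delete the object and re-provision, as the post suggests; a duplicate is the cue to read up on SPNs before touching setspn -D.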

Re-Configuring the AMT Device

Woohoo! Again, the actual meat of the process.

  1. Login to the target AMT system.
  2. Open a command prompt and navigate to C:\Temp\vPro.
  3. Run the following command:
    acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

You should see no errors.

Try it out!

First, try to open the WebUI at http://fqdn:16992. Use Internet Explorer, and make sure that you are logged in as a user which was given access in the SCS profile, and also has the Internet Explorer options configured properly (outlined above). Also, make sure that the target FQDN is in the ‘Intranet Zone’ in the IE options.

The WebUI should log in correctly. If you get a pop-up window asking for a username and password, then Kerberos has failed and the web page is attempting to use digest authentication.

You can also now use RealVNC+. Make sure to go into the options -> connections tab and check the box labeled ‘Use Single Sign-on’.

Also, you can use Manageability Commander. One issue with Manageability Commander is that it doesn’t support Kerberos SOL connections out of the box. To make Kerberos SOL connections work, it’s necessary to run the program with the following command-line switch: “-alttsp:0”.

Troubleshooting

Troubleshooting is actually pretty difficult, but there are three main things to try.

First, go back over all of the blog posts and double-check everything. This is a pain, and it seems like it won’t solve the problem, but it often does. I once misspelled the registry entry for the Kerberos port number workaround, and spent hours checking every other aspect of the configuration.

Second, if your problem is with Manageability Commander or Intel Platform Solutions Manager, you can configure Intel’s DLL files to dump a log. To do this, navigate to the application folder in Windows Explorer. Look for a file named ‘imrsdk.dll’ or ‘imrsdk_x64.dll’. Add a new file named ‘imrsdk.ini’ with the following code.

[COMMON]
Debug_Level=2

Make sure to restart your application. The Intel DLL will then drop a new file named log.txt into its folder, and may offer some good information.

Third, you can try the Wireshark approach. Install Wireshark on a computer with two network cards, and place it between your AMT device and its network connection. Then, bridge the connections on the Wireshark computer. You can use this computer to collect all TCP packets between the AMT device, the domain controllers, and the SCS service. This might tell you if you have network-level problems. It may also be necessary to insert the Wireshark computer between your workstation and your workstation’s wired connection in order to see if the requested SPN is correct.

The next post will cover adding TLS to the mix!

Intel vPro – Configuration – Part 7 – Provisioning Your First System

Finally, finally, finally. Let’s provision our first system.

Overview

  1. Set a MEBx Password
  2. Configure MEBx to trust your Root CA
  3. Verify BIOS settings
  4. Verify Intel Management Engine Drivers
  5. Verify Intel LMS Service
  6. Configure Windows to trust both CA’s
  7. Prepare the RCS Configurator Files
  8. Run the provisioning commands
  9. Test and demo the features

Set a MEBx Password

First, reboot the target AMT system and enter the Intel MEBx. MEBx stands for Management Engine BIOS Extension. On Dell Optiplex systems, you can press F12 during the Dell boot logo. This causes the one-time boot list to appear. Intel MEBx is one of the entries in the boot list.

When you first enter MEBx, it will ask for a password; the default password is “admin”. The MEBx will then immediately ask you to create a new password. This new password must match the password that you chose for the SCS Profile that you want to assign to this system.

Configure MEBx to trust your Root CA

Once you successfully enter the MEBx and set a new password, it’s necessary to instruct the MEBx to trust your Root CA. First, we need to find the thumbprint for your Root CA.

To find the certificate thumbprint hash:

  1. RDP to your Enterprise Subordinate CA.
  2. Load the ‘Certificate Authorities’ Snap-In from Administrative Tools.
  3. Right-click the CA and choose ‘Properties’.
  4. On the ‘General’ Tab, click ‘View Certificate’.
  5. On the ‘Certificate’ screen that appears, click the tab ‘Certificate Path’.
  6. Double-click the certificate shown that’s at the root of the path (the top certificate). This should cause a new certificate window to appear.
  7. On the new certificate window, verify that ‘Issued to:’ and ‘Issued by:’ correspond to your Offline Standalone Root CA. If either field shows your Enterprise Subordinate CA, you have the wrong certificate open.
  8. Click the ‘Details’ Tab.
  9. Find the field named ‘Thumbprint’ (usually at the bottom).
  10. Write down the value of the ‘Thumbprint’ field.

Next, we need to enter the thumbprint value into the MEBx of your target system. Doing this is a little bit different on every AMT version. For AMT 6.0 versions (Dell Optiplex 980), you enter the MEBx and then choose:

  • ME General Configuration
    • Remote Setup And Configuration
      • TLS PKI
        • Manage Hashes
          • Add a Customized Hash

Once your Thumbprint is added, reboot the system into the BIOS for the next step.

Verify BIOS settings

I’ve noticed that on Dell Optiplex systems it is necessary to disable Intel Trusted Execution (TXT) support in the BIOS. If you leave the setting ‘Enabled’, then the machine will get stuck in a power on\off cycle as soon as the first power control operation is sent to the AMT device from any vPro application. If this happens, you’ll need to reset the BIOS with the CMOS jumper before the system will become functional again. Note that this is separate from the TPM settings. TPM settings do not affect vPro.

I contacted Dell about this issue and a member of their Client Management Team got in touch with me to verify that this is, in fact, a known issue.

Verify Intel Management Drivers

Next, we need to check out the Intel Management Engine (IME) and Serial-Over-LAN (SOL) drivers.

  1. In Windows, Start -> Run -> “devmgmt.msc”. This will open Device Manager.
  2. Expand “Ports (COM & LPT)”.
  3. Confirm that a device is installed named “Intel(R) Active Management Technology – SOL”.
  4. If the device is missing, download the driver from your vendor.
  5. Next, expand “System Devices”.
  6. Confirm that a device is installed named “Intel(R) Management Engine Interface”.
  7. If the device is missing, download the driver from your vendor.

Verify Intel LMS Service

The Intel IME and SOL drivers, when installed manually, also install the Intel LMS service. LMS stands for Local Management Service. If however, your drivers were installed by an imaging system, it’s likely that you’re missing the LMS Service.

  1. On the target AMT system, open the Services snap-in.
  2. Search for the service named ‘Intel(R) Management and Security Application Local Management Service’.
  3. If the service is missing, you will need to search your vendor’s website for the Intel Management Engine drivers. Once found, download and install them.
  4. If you already have the device driver installed, then the Intel Setup program will probably crash. To get it to run if that happens, try installing it with the following command-line flag: “-nodrv”.

Configure Windows to trust both CA’s

If you attempt to provision the system, but Windows doesn’t trust all of the CA’s in the provisioning certificate chain-of-trust, then the provisioning process will fail. This is somewhat odd, since when verifying a certificate normally only the root CA needs to be trusted. vPro is different — you must explicitly trust every intermediate CA as well.

  1. Login to your enterprise subordinate CA and copy the files from F:\wwwroot\intepub\certdata to the target AMT system at C:\temp\certs.
  2. On the target AMT system, start -> run -> mmc.
  3. When prompted, choose to run the certificate snap-in against the local computer account.
  4. Navigate to the ‘Trusted Root Certificate Authorities’ store.
  5. Right-click and choose ‘Import Certificate’.
  6. Import both certificates located at C:\temp\certs.

Prepare the RCS Configurator Files

Trucking right along! It’s time to gather the Intel RCS Configurator files. RCS stands for Remote Configurator Service. It’s a small application that you run on the target AMT system. It will reach out to the SCS service, collect the appropriate SCS profile, and provision the AMT device.

  1. Find the folder named ‘Configurator’ from the Intel SCS Server install files that were downloaded from Intel.
  2. Copy the files in the ‘Configurator’ folder to the target AMT system at C:\temp\configurator.

Run the Provisioning Commands

OK, here goes nothing! Open a command prompt as administrator, navigate to C:\temp\configurator, then run the following command.

acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

If everything works, you’ll see a return code of 0. If there’s a failure, things get complicated quickly. vPro is very, very particular about everything. Go back and check the following settings:

  1. DNS and DHCP connectivity from the target system to the SCS server and back.
  2. Target AMT device MEBx contains the certificate thumbprint of the Offline Root CA server.
  3. Target AMT device MEBx password matches the password set in the SCS profile.
  4. All certificates in the certificate chain are 2048-bit.
  5. All certificates in the certificate chain are SHA1.
  6. Target AMT system operating system trusts both the root CA and the intermediate CA.
  7. Intel Management Engine drivers on the target AMT system are installed and operating well.
  8. Intel Management Engine LMS service on the target AMT system is installed and running.
  9. Intel SCS server trusts both the root CA and the intermediate CA.
  10. Intel SCS Service is running as the Network Service account and has proper access to SQL.
  11. Intel SCS Service has the provisioning certificate installed.
  12. Provisioning certificate has the proper OID listed under ‘Application Constraints’.
  13. Provisioning certificate has the proper subject name listed.

Test and Demo the Features

There are two quick ways to test the AMT device. The first is the WebUI, and the second is via KVM.

WebUI

To test the WebUI, navigate to the following page:

It will ask you to login. Use the digest user which you specified in the SCS profile. From here, you should see inventory data and be able to send power commands to the system.

KVM

To test KVM, you’ll need to download RealVNC+ from the RealVNC+ downloads page. Once installed, perform the following steps:

  1. Open Real VNC Viewer Plus
  2. Switch ‘Connection Mode’ to “Intel(R) AMT KVM”.
  3. Type the FQDN of your target AMT system into the text box “AMT System”.
  4. For the ‘Encryption’ combo box, choose ‘None’.
  5. Click the button labeled ‘Options’.
  6. Click the tab labeled ‘Connection’.
  7. Uncheck the checkbox next to the label ‘Use single sign-on if VNC server supports it’.
  8. Click OK to save your changes.
  9. Click ‘Connect’.

If VNC viewer connects, then awesome! You did it! If not, then it’s time to start troubleshooting :(.

In the next post, we’ll investigate Kerberos (Active Directory) support.

Intel vPro – Configuration – Part 6 – Basic SCS Profile

Let’s create the most basic of SCS profiles and work from there. This will let us test out the provisioning process and the vPro \ AMT features like KVM. After that works, we’ll move on to more advanced profiles that make use of Kerberos and TLS.

Procedure:

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-basic’ for the name, select ‘Configuration\Reconfiguration’, then click ‘Next’.
  3. On the ‘Optional Settings’ screen, check the box labeled ‘Access Control List (ACL)’, then click ‘Next’.
  4. On the ‘Access Control List’ screen, click ‘Add’, and add a digest user named ‘AMTdigest’.
  5. On the ‘User/Group Details’ screen, switch the “Access Type” to “Both”, and check all checkboxes except “Access Monitor”. Then, click OK to save.
  6. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT systems. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  7. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  8. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  9. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  10. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  11. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  12. On the ‘Finish’ screen, click ‘Finish’.

Nice and easy. Next step, actually provisioning a system.

Intel vPro – Configuration – Part 5 – Configure Active Directory

Whew, made it this far ‘eh? Awesome. Nice work! Before we get started on SCS profiles, we need to do a bit of work in Active Directory. Don’t worry, it won’t take long.

AD OU and Groups

When Kerberos authentication is used with the AMT devices, each AMT device is going to need an actual computer account in AD. The Intel SCS service manages this for you, but it needs to have a specific OU to create the computers in. SCS also needs permission to create computer accounts in that OU.

Procedure

  1. In AD Users and Computers, create an OU to store AMT Objects. I recommend the name “AMT Objects”.
  2. Grant your SCS Server computer account ‘full control’ on this new OU.
  3. In AD Users and Computers, create a new security group for the accounts that will connect to AMT objects. I recommend ‘AMT Admins’.
  4. Assign your user account to be a member of the new group.
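
The same four steps, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module; the domain DN, SCS server computer name and admin user are example values, while the OU and group names are the ones recommended above. It grants the SCS computer account the full control the steps call for, scoped to the new OU and the objects beneath it, and then reads the ACL back to confirm the grant is present.

```powershell
# Added example, not from the original post. Creates the AMT OU, delegates
# full control on it to the SCS server's computer account, and creates the
# AMT Admins group.
Import-Module ActiveDirectory

$DomainDn  = 'DC=mydomain,DC=com'   # example domain
$OuName    = 'AMT Objects'
$GroupName = 'AMT Admins'
$ScsServer = 'SCS01'                # example SCS server computer name
$AdminUser = 'jdoe'                 # example admin account to add to the group

function New-AmtOu {
    param([string]$Name, [string]$ParentDn)
    # Idempotent: only create the OU if it is not already there
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$ParentDn"
}

function Grant-FullControlOnOu {
    param([string]$OuDn, [string]$ComputerName)
    $sid = (Get-ADComputer -Identity $ComputerName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    # GenericAll with inheritance on the OU and everything below it is what the
    # 'Full control' check box in AD Users and Computers produces.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function New-AmtAdminGroup {
    param([string]$Name, [string]$OuDn, [string]$Member)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $OuDn
    }
    Add-ADGroupMember -Identity $Name -Members $Member
}

function Test-ScsHasFullControl {
    param([string]$OuDn, [string]$ComputerName)
    $sid = (Get-ADComputer -Identity $ComputerName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $_.AccessControlType -eq 'Allow'
    }
    return ($null -ne $match)
}

$ouDn = New-AmtOu -Name $OuName -ParentDn $DomainDn
Grant-FullControlOnOu -OuDn $ouDn -ComputerName $ScsServer
New-AmtAdminGroup -Name $GroupName -OuDn $ouDn -Member $AdminUser
"SCS computer account has full control on ${ouDn}: $(Test-ScsHasFullControl -OuDn $ouDn -ComputerName $ScsServer)"
```

Because the grant is inherited by everything under the OU, keep the OU dedicated to AMT objects, as the post recommends, so that the SCS computer account never has full control over anything else.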

That’s it! Next stop: SCS Profile world.

Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS

Welcome back! This time we’re going to cover the Intel SCS Service. This service does the actual vPro provisioning of your AMT clients. To make it work, you install the service then configure different ‘profiles’ or AMT personalities. On the target AMT system, you then run a command and point that particular AMT system at the profile you want.

General Information

I recommend watching the following videos for more information about SCS and how it works.

  1. SCS Introduction
  2. SCS Module 1 – Introduction to Intel® vPro™ Technology
  3. SCS Module 2 – Intel® SCS Overview
  4. SCS Module 3 – Intel® AMT Configuration
  5. SCS Module 4 – Jobs & Maintenance
  6. SCS Module 5 – Environmental Pre-requisites

Requirements

  1. A single VM running Windows Server 2012 (2008 R2 works).
  2. This VM must have the CA certificate of both the Enterprise Subordinate CA and the Standalone Root CA installed into the ‘Trusted Root Authorities’ store.
  3. SQL Server 2012 Express (2008 or better works).
  4. Intel SCS Service

Overview

  1. Configure the Certificate Trusts
  2. Install SQL Server Express
  3. Install SCS Service
  4. Configure SQL Permissions
  5. Generate a Provisioning Certificate
  6. Export the Provisioning Certificate
  7. Install the Provisioning Certificate

Configure the Certificate Trusts

  1. Login to your enterprise subordinate CA and copy the files from F:\wwwroot\intepub\certdata to the SCS VM at C:\Install_Files\CACertificates.
  2. On the SCS VM, start -> run -> mmc.
  3. When prompted, choose to run the certificate snap-in against the local computer account.
  4. Navigate to the ‘Trusted Root Certificate Authorities’ store.
  5. Right-click and choose ‘Import Certificate’.
  6. Import both certificates located at C:\Install_Files\CACertificates.
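
The same import can be done from an elevated PowerShell prompt on Windows 8 / Server 2012 with Import-Certificate. This is an added example, not code from the original post; it serves both this step and the identical step on the target AMT system in Part 7 (only the source folder differs, and both folder paths come from those steps). It imports every .crt/.cer file in the folder into the machine's Trusted Root store, refuses any file that is not a CA certificate so nothing else lands in the root store by accident, and verifies each import by thumbprint.

```powershell
# Added example, not from the original post. Import the root and subordinate
# CA certificates into the local machine Trusted Root store and verify them.
$CertFolder = 'C:\Install_Files\CACertificates'   # on the target AMT system use C:\temp\certs
$Store      = 'Cert:\LocalMachine\Root'

function Import-CaCertificates {
    param([string]$Folder, [string]$StorePath)
    $imported = @()
    # certdata also holds .crl files; only .crt/.cer files are certificates
    foreach ($file in Get-ChildItem -Path $Folder -Include *.crt, *.cer -Recurse) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
        # Only CA certificates (Basic Constraints cA=TRUE) belong in the Trusted Root store
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        if (-not $bc -or -not $bc.CertificateAuthority) {
            Write-Warning "Skipping $($file.Name): not a CA certificate"
            continue
        }
        Import-Certificate -FilePath $file.FullName -CertStoreLocation $StorePath | Out-Null
        $imported += $cert.Thumbprint
    }
    return $imported
}

function Test-CaCertificatesTrusted {
    param([string[]]$Thumbprints, [string]$StorePath)
    if (-not $Thumbprints -or $Thumbprints.Count -eq 0) { return $false }
    $inStore = (Get-ChildItem $StorePath).Thumbprint
    $allOk = $true
    foreach ($tp in $Thumbprints) {
        $ok = $inStore -contains $tp
        if (-not $ok) { $allOk = $false }
        Write-Host ("{0} {1}" -f ($(if ($ok) { 'TRUSTED' } else { 'MISSING' }), $tp))
    }
    return $allOk
}

$thumbprints = @(Import-CaCertificates -Folder $CertFolder -StorePath $Store)
"Both CA certificates trusted by the machine: $(Test-CaCertificatesTrusted -Thumbprints $thumbprints -StorePath $Store)"
```

Expect exactly two TRUSTED lines, one for the offline root and one for the enterprise subordinate; the thumbprint printed for the root is the same value you will later type into the MEBx.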

Install SQL Server Express

Next, install SQL Server Express on your Intel SCS VM. Here’s a nice video if you need help: tools & tech – install sql server 2012.

Install SCS Service

  1. RDP to your Intel SCS server.
  2. Download and extract the Intel SCS Service Installer.
  3. Run the file .\Intel-SCS-82\RCS\IntelSCSInstaller.exe
  4. On the ‘Welcome’ screen, select all three boxes: database, service, and console.
  5. On the ‘License Agreement’ screen, click ‘I accept’ and ‘next’.
  6. On the ‘Service Logon Authentication’ screen, click ‘Browse’, then ‘advanced’, then ‘Find Now’. Select ‘Network Service’ and click, OK, OK, Next.
  7. On the ‘Database Setup’ screen, in the ‘Database Server’ text box enter the name of the SCS server, then click ‘Next’.
  8. On the ‘Installer SQL Server Authentication’ screen, click ‘Next’.
  9. On the ‘Service SQL Server Authentication’ screen, click ‘Next’.
  10. On the ‘Confirm Setup Configuration’ screen, click ‘Install’.
  11. On the ‘InstallShield Wizard Completion’ screen, click ‘Finish’.

Configure SQL permissions for the Intel SCS Service

  1. In the start menu, run ‘SQL Server Management Studio’ from All Programs -> Microsoft SQL Server 2008 R2.
  2. On the ‘Connect to Server’ screen, click ‘Connect’.
  3. On the left navigation pane, navigate to Security -> Logins.
  4. Find the login named ‘NT AUTHORITY\NETWORK SERVICE’. Right-click this login and choose ‘Properties’.
  5. Navigate to the ‘User Mapping’ page. This is where the login is granted db_datareader and db_datawriter on the IntelSCS database.
  6. Click the word ‘IntelSCS’ to highlight that database’s row.
  7. In the bottom frame labeled “Database role membership for IntelSCS”, check the following boxes:
    • db_datareader
    • db_datawriter
    • public
  8. Click OK to save the changes, then exit SQL Server Management Studio.
  9. Restart the RCSServer service from the Windows Services applet.

Generate the Provisioning Certificate

  1. On your SCS server, run “MMC” as administrator, then add the ‘certificate’ snap-in.
  2. When prompted, choose to run the certificate snap-in against the local computer account.
  3. Navigate to Personal -> Certificates.
  4. Right-click and choose ‘All Tasks’ -> ‘Request New Certificate’.
  5. Complete the certificate request wizard. When prompted, choose to request an AMT Provisioning Certificate.

Export the Provisioning Certificate

  1. Open MMC and add the certificates snap-in, targeted at the local computer.
  2. Navigate to Personal -> Certificates
  3. Identify the AMT Provisioning Certificate. Right-click it and choose ‘Open’.
  4. Navigate to the ‘Details’ tab and choose ‘Copy to file’.
  5. On the ‘Welcome’ screen, click ‘Next’.
  6. On the ‘Export Private Key’ screen, choose ‘Yes, export the private key’ then choose ‘Next’.
  7. On the ‘Export File Format’ screen, choose the following two checkboxes, then choose ‘Next’.
    • Include all certificates in the certification path if possible.
    • Export all extended properties.
  8. On the ‘Password’ screen, enter a password to protect the private key.
  9. On the ‘File to Export’ screen, enter ‘C:\Install_Files\scs-prov-cert.pfx’ and click ‘Next’.
  10. On the ‘Completed’ screen, click ‘Close’.

Install the Provisioning Certificate

  1. Open a command prompt as administrator.
  2. Navigate to C:\Install_Files\IntelSCS82\Tools.
  3. Run the following command:
    RCSutils.exe /Certificate Add c:\Install_Files\scs-prov-cert.pfx  /RCSuser NetworkService
    net stop rcsserver && net start rcsserver
  4. Run the following command to verify the import. It will generate a text file with information about all the certificates stored by the RCS service.
     RCSUtils.exe /certificate view /RCSuser NetworkService /log file C:\rcsout.txt
  5. Open the file C:\rcsout.txt and ensure that the expected certificates are listed.

If you screw up the certs, you can remove them by running the certificate view function previously stated, and running the following command against each certificate’s serial number:

RCSUtils.exe /certificate remove  /rcsuser networkservice

ex:
RCSUtils.exe /certificate remove 7C4656C3061F7F4C0D67B319A855F60EBC11FC44 /rcsuser networkservice

Congrats! You now have a viable SCS server installed. Next, we’ll cover configuring Active Directory to work with the SCS Service.