KVM not working with TLS


Blair Muller:

Hey everyone,

I'm hoping you can help with another issue I'm having.

I am provisioning systems with SCS 8.1. When I provision a system without TLS I can control the GUI of the client; however, when I provision a system with TLS I cannot. I can power the workstation on and off. I can also get to the web GUI, but I cannot control the GUI.

Any ideas on how I can troubleshoot?

I have included screenshots and have tried to control the systems with multiple products:

  • KVM View Integration with SCCM doesn't show the desktop; it stops at "using proxy 127.0.0.1:65352"
  • Management Commander Tool just sits at connect/abort connect
  • VNC Viewer Plus starts and gives the error "The connection closed unexpectedly"
  • I can log into the Web GUI and everything works with TLS
Gael Hofemeier (Intel):

It sounds like you haven't integrated your certificates into the KVM feature via RealVNC. Can you use the KVM feature if you have not provisioned your system with TLS? Also, you aren't trying to start up the KVM session on the local AMT client, right?

Here are some resources that might help:

http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/default.htm
Look under the following folder: SDK Resources > KVM Application Developers Guide > Intel AMT SDK Support for KVM > Libraries > KVM Proxy Library

You could also try the Open Manageability DTK (very similar to the Commander): http://opentools.homeip.net/open-manageability

Also check out the RealVNC viewer docs online: http://www.realvnc.com/products/viewerplus/1.1/docs/ae1047609.html#Rae86616

If all this fails, could you run the SCS Discovery Tool and attach the XML file?

Follow me on Twitter: @GaelHof Facebook: https://www.facebook.com/gh.intelblogs
Blair Muller:

Hi Gael,

Yes, I can use the system if it is not provisioned with TLS. I have also worked out that if I set the RFBPassword password I can control the system with TLS. If I go to the Web GUI the AD integration is working. I tried unchecking the "Use currently logged on credentials" option so it will prompt me for an account to connect with, but it doesn't.

I put the information out there (http://blair-muller.blogspot.com.au/) and will update it when we have a solution, but I think there is an underlying issue, as I am told that the standard port and RFBPassword options are for backwards compatibility with standard VNC clients. You'd typically only need to use those settings if you can't log in with an AMT digest or Kerberos authorized account.

Attachments: Answer.JPG (47.62 KB)
Blair Muller:

Attached are the Discovery results. Outpost stated that TLS is disabled, but that doesn't make sense.

Attachments: HpTest.bamits.local.xml (5.27 KB), outpost.JPG (70.52 KB)
Gael Hofemeier (Intel):

The RFB Password is not optional and it has to be exactly 8 characters (if going through port 5900). If you are accessing the KVM via the redirection ports then you do not need the RFB password.

Gael Hofemeier (Intel):

Hi - No, I don't need the SCS Discovery anymore. I'll have to do some digging regarding the authentication checkbox. I have never run the tool without having that checked. I assumed you would have to have Kerberos set up in order to do that.

Blair Muller:

Thanks Gael. I did upload the results in the previous post. Sorry about that. Interestingly enough, it is happening to systems that are provisioned with SCS 8.1 and also to systems provisioned with SCCM.

Regards,
Blair

Gael Hofemeier (Intel):

Hello Blair - here is a little more information:

If using standard VNC clients for TLS connections, you will need to use Intel's proxy server (in the SDK). Are you using this proxy server?

Also, RFB only talks to port 5900, and that port does not support the TLS protocol.

On the Authentication Checkbox - you should have been prompted for credentials.

Blair Muller:

Thanks Gael,

So as I understand it, by putting in the RFB password I am actually bypassing TLS? Even if "Use TLS server authentication" is selected?

When I untick "Use currently logged on credentials" it actually just gives me the attached screen: "Failed to start viewer." It doesn't ask for any credentials.

Any idea on how to troubleshoot? Are there any logs or anything that can point me in the right direction?

In regards to the VNC question: I don't think I am using a proxy server. I tried to use VNC Viewer as another means to test.

Attachments: Error.JPG (0 bytes)
Gael Hofemeier (Intel):

Hi Brian,

I too wrote a blog for troubleshooting KVM and TLS issues. The more I started thinking about it, the more confused I got, so I put together a matrix that is in the blog. It covers which ports can be used, requirements for the viewers, and requirements for authentication.

I would say that if you are not being prompted for a password when the box is not checked, there may be a bug in KVM Viewer. You should try it with the KVM Control utility that is in the SDK and see if you have the same issue.

Take a look at the blog along with the suggested troubleshooting tips and let me know if it answers any of your questions.

Thanks

Blair Muller:

Hey Gael,

Great work on the blog. It explains so much. I think it was needed and it will be referred to a lot. I will look into it and report back.

Thanks for all your help

Blair Muller:

Hey Gael,

Does this refer to the Intel Client Setup Certificate at all?

The only other thing I can think of is that I'm using Windows 2008 R2 Standard for my CA. I see comments that say you must use an Enterprise version of the OS because you can't duplicate templates, but it seems you can now in the Standard version.

I have this set up in a development environment. Would you be happy to jump in and have a look? It's happening in my development and production environments.

I can send you more details offline.

Regards,
Blair

Gael Hofemeier (Intel):

Is this a question about provisioning? Or is it still the TLS/KVM question?


Hi Blair,

The Intel Client Setup Cert is used for remote configuration only.

There are two kinds of certificates that can be used for vPro:

1) The Provisioning certificate. This is acquired through a 3rd-party vendor like Go Daddy or VeriSign. We call this method "remote configuration". To answer your question above, the Client Setup Certificate is a part of this cert. It gets installed into the provisioning server's user certificate store. During provisioning this cert is matched against the hash on the AMT client system in the FW.

2) The second one is a cert created from the enterprise Certificate Authority. We refer to this as the TLS cert, used for secure communication when performing AMT remote operations after the system has been configured.

Questions that I have...

1. Your post title says KVM not working with TLS. Is the AMT device provisioned? The system must be configured before using our KVM feature.
2. Did you create the certificate template from the CA?
3. Is the template in your SCS provisioning profile?
4. Have you tried a profile without TLS to make sure the environment is functioning? If it is functioning, please try KVM without TLS. If this works, then we can focus on the TLS-from-CA part.

Note the KVM is only supported on AMT 6.0 and above.

Blair Muller:

Hi Guys,

How does IPv6 affect this solution? The reason I ask is that as soon as I turned off IPv6 the issue was fixed. As soon as the system registers an IPv6 address the KVM fails.

Thanks very much for all your help. I started working backwards and these were my steps. For anybody else looking for the answer:

1. Re-installed the CA on an Enterprise version of the OS. No difference.

2. I provisioned the systems without TLS and could connect via IP address but not host name.

3. I turned off IPv6 and deleted the records, and I could connect via host name.

4. I provisioned the system with TLS and could connect using a Digest username and password.

5. I provisioned the system with AD integration and could connect using an AD username and account.

Regards,
Blair

Blair Muller:

Hi everyone,

I've blogged about it and my experience with vPro. You can check it out here: http://blair-muller.blogspot.com.au/2012/08/troubleshooting-kvm-control-of-vpro.html

Looking forward to working out the IPv6 issue.

Regards,
Blair

Gael Hofemeier (Intel):

I'm glad it's (sort of) figured out. And I'm glad you are blogging about your experiences. I'm going to see if I can dig up what is going on with KVM and IPv6.

Gael Hofemeier (Intel):

I'm not sure I caught everything from your steps above: removing the TLS piece, can you connect with KVM with IPv6 (with the host name)?

There is an interesting section in the docs; I don't know if you have found it:
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/default.htm
Look under this section: Setup and Configuration of Intel AMT > Configuration Settings > Network Administration > Detailed Description > DDNS Settings

When a network supports Dynamic DNS (DDNS), Intel AMT will update the DNS server with its IP addresses. Intel AMT gets the DNS server IP either from DHCP or from a static setting. Intel AMT will update the DNS zone with both IPv4 and IPv6 addresses. The Intel AMT DDNS feature only supports forward look-up non-secure DNS zones. The DDNS mechanism works when Intel AMT has a dedicated FQDN (both IPv4 and IPv6 addresses) and also when it shares an FQDN with the host (IPv4 addressing only). Intel AMT does not support a configuration with shared FQDN + DDNS enabled + IPv6.

Starting with Release 6.0 the Intel AMT FQDN can be either shared (i.e., the same as the host FQDN) or dedicated. The Intel AMT FQDN consists of two fields: its host name and its domain name. When the FQDN is shared, both must be the same as the host. In a dedicated FQDN, at least one of the two fields must be different from the host.

The DDNS settings are part of the AMT_GeneralSettings object. See "Get DDNS Settings" and "Set/Get General Network Settings".

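The two rule sets that this thread converges on (Gael's earlier notes that port 5900 speaks plain RFB with no TLS and needs an exactly 8-character RFB password while the redirection ports do not, and the DDNS passage just quoted that rules out shared FQDN + DDNS + IPv6) can be turned into a small profile audit. The code below is an added example, not Intel SCS or SDK code: the `AmtProfile` fields are an assumed flattening of the relevant settings (real SCS profiles are XML), the redirection port numbers 16994/16995 are the documented AMT redirection ports rather than values from this thread, and the host name `hptest.bamits.local` is a constructed sample taken from the attachment name above.

```python
"""Audit an Intel AMT KVM/TLS profile against the rules discussed in this thread.

Added example; not Intel SCS/SDK code. The AmtProfile layout is an assumption
made for illustration, not the real SCS profile schema.
"""
from dataclasses import dataclass
from typing import List, Optional

RFB_PORT = 5900                       # legacy VNC port: plain RFB, no TLS, RFB password required
REDIRECTION_PORTS = {16994, 16995}    # AMT redirection ports (16995 carries TLS); documented values, not from this thread

# Finding texts are constants so callers (and tests) can match them exactly.
F_TLS_ON_5900 = "port 5900 speaks plain RFB; TLS is not available there, use a redirection port"
F_RFB_PW_MISSING = "port 5900 requires an RFB password"
F_RFB_PW_LENGTH = "RFB password must be exactly 8 characters"
F_UNKNOWN_PORT = "KVM port is neither 5900 nor an AMT redirection port"
F_SHARED_DDNS_IPV6 = "shared FQDN + DDNS + IPv6 is unsupported; use a dedicated AMT FQDN or disable IPv6/DDNS"


@dataclass
class AmtProfile:
    kvm_port: int
    use_tls: bool
    rfb_password: Optional[str]
    amt_host_name: str      # AMT's own host-name field
    amt_domain_name: str    # AMT's own domain-name field
    host_fqdn: str          # FQDN of the host OS the AMT device sits in
    ddns_enabled: bool
    ipv6_enabled: bool


def fqdn_mode(profile: AmtProfile) -> str:
    """'shared' when both AMT fields equal the host's, else 'dedicated' (per the DDNS docs)."""
    host_name, _, domain = profile.host_fqdn.partition(".")
    same_host = profile.amt_host_name.lower() == host_name.lower()
    same_domain = profile.amt_domain_name.lower() == domain.lower()
    return "shared" if same_host and same_domain else "dedicated"


def audit(profile: AmtProfile) -> List[str]:
    """Return the list of rule violations; an empty list means the profile is consistent."""
    findings: List[str] = []

    if profile.kvm_port == RFB_PORT:
        if profile.use_tls:
            findings.append(F_TLS_ON_5900)
        if profile.rfb_password is None:
            findings.append(F_RFB_PW_MISSING)
        elif len(profile.rfb_password) != 8:
            findings.append(F_RFB_PW_LENGTH)
    elif profile.kvm_port not in REDIRECTION_PORTS:
        findings.append(F_UNKNOWN_PORT)
    # On a redirection port the RFB password is simply unused; AMT digest/Kerberos applies.

    if fqdn_mode(profile) == "shared" and profile.ddns_enabled and profile.ipv6_enabled:
        findings.append(F_SHARED_DDNS_IPV6)

    return findings


def blair_like_profile(ipv6_enabled: bool) -> AmtProfile:
    """Constructed sample resembling the thread's setup: TLS on the redirection port, shared FQDN, DDNS on."""
    return AmtProfile(
        kvm_port=16995, use_tls=True, rfb_password=None,
        amt_host_name="hptest", amt_domain_name="bamits.local",
        host_fqdn="hptest.bamits.local",          # constructed from the attachment name
        ddns_enabled=True, ipv6_enabled=ipv6_enabled,
    )


if __name__ == "__main__":
    for label, prof in [("IPv6 on", blair_like_profile(True)), ("IPv6 off", blair_like_profile(False))]:
        print(label, "->", audit(prof) or "no findings")
```

Running the two sample profiles reproduces the thread's observation: with IPv6 enabled the shared-FQDN rule fires, and with IPv6 disabled the profile is clean. Switching the same profile to `kvm_port=5900` shows why TLS cannot be made to work on the legacy port regardless of the password.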
Blair Muller:

Hey Gael,

No, I cannot get to the host name when TLS is not configured. Only via its IP address.

I get the feeling from that reference that IPv6 is not supported? I also see it in here: Setup and Configuration of Intel AMT > Configuration Settings > Network Administration > Detailed Description > DDNS Settings

Regards,
Blair

Blair Muller:

Hi Everyone,

I've blogged about the solution, if you are running an IPv6 network: http://blair-muller.blogspot.com.au/2012/08/how-to-remote-control-vpro-system-on.html

Regards,
Blair
