Hello,

Here is the scenario :

we configure 80 computers with AMT ( tls enable on port 16995 and digest authentification with certificate and DHCP mode with reservations).

all machine was test before moving to a datacenter.

we plug all the 80 computers ( power cable and network cable only) to unconfigurated network switches but not booting any computers to windows.

after the configuration of the switch amt not working.

The only way to make it works is tu unplug the power supplies for 10 seconds and plugin again. then without booting to windows amt fonctionalitiys work again for around 25 days.

What Happend when you plug the power supplies without booting ( network initializings something )?

Is there something to configure on network switches ?

is there a kind of Grace period ?

is there a powershell command to do the same reset as remove the power cable ?

Hope to find somboddy to help me for this stange scenario.

Thanks in advance

I have a Lenovo M73 ThinkCentre and the CPU is Core™ i5-4590.  When I try to run the ACUWizard I receive the attached error message.  I am running the ACUWizard with a local admin account.  The ME firmware is 9.1.1.1000.  I have installed Intel Management Engine Components 11.6.0.1047.

2017-02-22 13:29:59: Thread:8092(DETAIL) : ACU.dll, Category: SetCompatibilityMode Source: ACUDll.cpp : SetCompatibilityMode Line: 220: Set compatibility mode to 10.0.

2017-02-22 13:29:59: Thread:8092(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : CheckAMT Line: 85: Entering

2017-02-22 13:29:59: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:29:59: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:29:59: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:30:14: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:30:14: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:30:14: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:30:29: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:30:29: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:30:29: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:30:44: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:30:44: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:30:44: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:30:59: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:30:59: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:30:59: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:31:14: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:31:14: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:31:14: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:31:29: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:31:29: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:31:29: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:31:44: Thread:8092(DETAIL) : ACU Configurator , Category: Status message Source: HECIDiscovery.cpp : CheckAMT Line: 154: AMT Status code - An internal error has occurred in the Intel(R) AMT device. This might indicate an interface error, or an application error. (0xc0004269)

2017-02-22 13:31:44: Thread:8092(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : IsChangeToAMTAllowed Line: 1100: Entering

2017-02-22 13:31:44: Thread:8092(DETAIL) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 191: Connected to the Intel(R) Management Engine Interface driver, version 11.6.0.1042

2017-02-22 13:31:44: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::_doIoctl Line: 410: Intel(R) Management Engine Interface error- I/O control command The handle is invalid. (6)

2017-02-22 13:31:44: Thread:8092(ERROR) : ACU Configurator , Category: -HECI- Source: HECIWin.cpp : HECIWin::Init Line: 200: Intel(R) Management Engine Interface error- Failed to connect to the Intel(R) Management Engine Interface PTHI client.

2017-02-22 13:31:44: Thread:8092(ERROR) : ACU Configurator , Category: Error message Source: HECIDiscovery.cpp : IsChangeToAMTAllowed Line: 1108: Failed to connect to the WD client of the Intel(R) Management Engine Interface.  (0xc0000056)

2017-02-22 13:31:44: Thread:8092(DETAIL) : AMT Discovery, Category: HECI Discovery Source: HECIDiscovery.cpp : CheckAMT Line: 170: Exiting

2017-02-22 13:31:44: Thread:8092(DETAIL) : ACU Configurator , Category: AMT Status Source: ACUDll.cpp : GetHostAndMEInfo Line: 4296: This system does not have Intel(R) AMT (or it is disabled in the Intel MEBX, or the correct drivers are not installed or enabled, or the current user does not have permissions to the drivers). (0xc0000063)

2017-02-22 13:31:44: Thread:8092(DETAIL) : ACU Configurator , Category: Returned data Source: ACUDll.cpp : GetHostAndMEInfo Line: 4474: GetHostAndMEInfo output data: IsAMT:False, isEnterpriseMode:False, configurationMode:0, isRemoteConfigEnabled:False, AMTversion:, isMobile:False, provisioningTlsMode:0, uuid:7D4BA014-10EF-11E5-973A-90014CA31500, isClientConfigEnabled:False, hostBasedSupport:False, configurationState:2032405000, FQDN:RILEY.domain.co.uk, embeddedConfigurationAllowed:False. isLANLessPlatform:False. PKIDNSSuffix: Empty.

It seems that if you need support with configuring SCS / AMT your only option is to either post a thread on here or hope that someone on Reddit sysadmin will be able to help.  What other resources are available?  I gather that telephone support is not available for this product which is a shame.  I am grateful for the support I have so far received on this forum but we continue to have issues with configuring AMT and it would be nice to be able to get some assistance with it - but from whom?

Regards,

Graham

We are develop our system on Ubuntu Server 16.10, but current Intel SCS only support on Windows or SUSE Linux

How could I set up key for Intel AMT on Ubuntu pc

For example, TPM is restricted in China, how can a@ laptop shipping to China pass vPRO vertification？

I just reinstalled my operating system and wanted to know if I really need to install the following drivers:

- PCI Simple Communications Controller

- PCI Serial Port

I know it installs AMT, but since I'm a home user and I don't use it. Can I forgo installing the drivers and just disable them in the Device Manager? Will it affect my PC's ability to function correctly? If yes, what can be affected by not installing the drivers?

The server hosting the RCS has its firewall enabled.  I cannot connect to it using SCS Console from client PC or from the SCCM server during SCCM Add-on installation.  I know there is a small section in the manual that states:

--------------------------------

If you install the RCS on a computer that is protected by a firewall, you might receive error messages when you

try to connect to the RCS.

Solution:

You must make sure that the firewall is configured to enable the WMI to connect to the RCS. For more

information, refer to the Microsoft Developer Network:

http://msdn.microsoft.com/en-us/library/aa389286(VS.85).aspx

--------------------------------

However this doesn't help in any way.  I click the link but the page talks about using VBScript?  If I disable the firewall on the RCS server I can connect so it's obviously a firewall issue, the question is which port/s do I need to open?  If I capture the traffic on my PC whilst trying to connect to the RCS server I see attempts to connect on port 135 except I have tried enabling the rule "Windows management Instrumentation (WMI-In)" on the server but no luck.

Any ideas?

Graham

I'm trying to install the SCS Add-on for ConfigMgr and I'm running into an error right after launching setup. The error is:

Failed to identify the SCCM installation.

I'm running in a standalone Primary Site running System Center Configuration Manager, Current Branch, build 1702. I have tried installing the SCS Add-on from my own workstation, which has the ConfigMgr console installed, the Site Server, and another test VM, all of which have the console installed and I've verified they connect to the site, work, etc.

The Site Server does not have a SMS Provider installed on it, rather 2 other servers have SMS Providers installed on them. Is the Intel SCS add-on installer looking for the WMI namespace on the Site Server, failing, and producing the error I'm seeing?

Is there any way I can get a hold of the files which are extracted / installed by the installer and manually install the add-on / console extension?

Edit: I should've included the contents of the SCCMAddon.log file. Here it is:

2017-03-28 16:56:58,965 - DEBUG: Starting

2017-03-28 16:56:58,971 - INFO : Starting Log

2017-03-28 16:56:58,972 - INFO : Version: 2.1.8.10

2017-03-28 16:56:59,036 - INFO : No previous settings found.

2017-03-28 16:56:59,160 - DEBUG: Entering SettingsViewModel.ctor

2017-03-28 16:57:01,265 - FATAL: Failed to identify the SCCM installation.

System.InvalidOperationException: Sequence contains no elements

   at System.Linq.Enumerable.First[TSource](IEnumerable`1 source)

   at SCCMConfig.DAL.SCCMProber.GetSCCMInstallationFolder64bit(Architecture& pArchi)

   at SCCMConfig.DAL.SCCMProber.GetSCCMInstallationFolder(Architecture& pArchi)

   at SCCMConfig.DAL.SCCMProber.Detect()

   at SCCMConfig.Actions.ActionPerformer.Detect()

   at Intel.SCS.ACIWizard.ViewModel.WelcomeViewModel.<Init>b__8()

Message was edited by: Scott Metzel

Yesterday I provisioned my first AMT machine via SCCM Task Sequence & RCS.  It truly was a beautiful moment after days / weeks of pain.  I can connect via Commander using my AD creds (Kerberos & TLS) just fine but no matter what I try I cannot login via Web UI.  I have tried IE, Chrome and Firefox.  All display slightly different results.  If I use IE I receive the username / password prompt but no matter what I enter I cannot login.  I do not receive the username / password prompt in Chrome or Firefox.

I'm thinking it might have something to do with the client certificate.  I followed section 9.2.5 of the SCS guide when defining the certificate template. Any ideas? Many thanks in advance.

Hi everyone,

I am trying to use the Intel AMT HLAPI to make a connection to an AMT device that has been provisioned to use Kerberos authentication and mutual TLS.

The machine I am connecting from has a valid certificate for mutual TLS, the subject is CN=<machine_fqdn>.

The connection works fine if I enter the username:

ci = new ConnectionInfoEX("<target_machine_fqdn>", "<domain\\username>", "<password>", true, "CN=<machine_fqdn>", ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);

However, if I try to use the currently logged in user on the machine where I run this command from (I saw that this works by leaving the user and password blank):

ci = new ConnectionInfoEX("<target_machine_fqdn>", "", "", true, "CN=<machine_fqdn>", ConnectionInfoEX.AuthMethod.Kerberos, null, null, null);

if fails in GetVersionWSMan() in AMTInstanceManager line 922 after a few seconds (4-5). Exception is:

{Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected ---> Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected

   at Intel.Management.Wsman.HttpTransport.GetResponse(String method)

   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc, String soapCmd)

   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc)

   at Intel.Management.Wsman.WsmanConnection.RetryLoop(XmlDocument reqDoc, Exception& resultExp)

   --- End of inner exception stack trace ---

   at Intel.Management.Wsman.WsmanConnection.SendObjectRequest(String msgId, XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(String requestString, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.ManagedReference.Get()

   at Intel.Manageability.Impl.AMTInstanceManager.GetVersionWSMan() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 922

   at Intel.Manageability.Impl.AMTInstanceManager.SetVersionInfo() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 868}

System.Exception {Intel.Management.Wsman.WsmanConnectionException}

If I provision the machine to use only server TLS (not mutual), from the same machine I ran the code above, both connecting with username and password blank (so using the currently logged on user) and connecting by entering the user in ConnectionInfoEx works fine. The only difference from the commands above is that the certificate is an empty string "".

My only conclusions so far:

- It works with mutual TLS by entering the credentials manually, so the TLS mutual certificate is correct.

- It works with server TLS by leaving the credentials empty, it indeed uses the current user, so that is not the problem

- It works with entering the same user that's logged in manually, so it cannot be a permission issue

If anyone came across this, or has any idea how I could find the cause for the exception, I would be most grateful.

Hi everyone,

I am trying to connect to an AMT machine that is provisioned with Kerberos authentication (no TLS at this point), using the HLAPI. The connection is done from a machine that is not in the same domain as the users defined for Kerberos authentication.

The connection to the machine works fine:

amt = AMTInstanceFactory.CreateEX(ci);

After I connect, I need to get the realms of the user. If I attempt:

KerberosEntry kerberosUser = amt.Config.ACL.GetKerberosUser(ci.UserName);

List<Realm> realms = kerberosUser.Realms;

it fails with an exception with failure: Intel.Manageability.Exceptions.ACLFailures.UserNameDoesNotExists

This probably makes sense, since the HLAPI GetKerberosUser() function uses the system functions to get the SID of the given username:

string sid = (userNameOrSID.Contains("\\")) ? GetUserNameSID(userNameOrSID) : userNameOrSID;

and GetUserNameSID tries:

NTAccount account = new NTAccount(userName);

SecurityIdentifier sIdentifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

It cannot translate the username to an SID because the object does not exist in the Active Directory this machine is part of.

My question is: can somehow the SID of the user that was used for Kerberos authentication be obtained from the AMT machine (AMT instance), instead of trying to resolve it locally from the machine where the connection is initiated?

If I could run the GetKerberosUser function giving directly the SID as parameter, instead of username, it would probably succeed and get the realms correctly.

Any advice would be greatly appreciated. Thanks in advance.

So it seems that I have one final issue before I start deploying AMT across my campus.  The test machines show the time as being 1 hour behind within AMT interface however inside the OS and BIOS it shows the correct time.  I have the option "Synchronize Intel AMT clock with operating system" ticked within the profile used to configure the client.  I found this but I'm not sure what I can do with this information.  Is time synchronization a one-time only thing during initial configuration or should it synchronize on an on-going basis?

Thanks,

Graham

Hi everyone,

I am trying to use the Intel AMT HLAPI to make a connection to an AMT 11.0 device that has been provisioned to use Digest authentication and mutual TLS.

The machine I am connecting from has a valid certificate for mutual TLS, the subject is CN=<machine_fqdn>.

I am using the Sample HLAPI project from Intel, and have also access to the HLAPI in debug.

I defined the connection as follows:

ci = new ConnectionInfoEX("<target_machine_fqdn>", "<digest_username>", "<password>", true, "CN=<machine_fqdn>", ConnectionInfoEX.AuthMethod.Digest, null, null, null);

It works fine if I connect to an AMT 6.1 machine provisioned from the same SCS with the same settings.

However, if I try to connect the same way to the AMT 11 machine (just change the target machine FQDN in the above ConnectioInfoEx), it fails in GetVersionWSMan() in AMTInstanceManager line 922. Exception is:

{Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected ---> Intel.Management.Wsman.WsmanConnectionException: Server unexpectedly disconnected

   at Intel.Management.Wsman.HttpTransport.GetResponse(String method)

   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc, String soapCmd)

   at Intel.Management.Wsman.ClientRequest.Send(XmlDocument reqDoc)

   at Intel.Management.Wsman.WsmanConnection.RetryLoop(XmlDocument reqDoc, Exception& resultExp)

   --- End of inner exception stack trace ---

   at Intel.Management.Wsman.WsmanConnection.SendObjectRequest(String msgId, XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(XmlDocument reqDoc, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.WsmanConnection.SubmitRequest(String requestString, IManagedReference refObj, IManagedInstance input)

   at Intel.Management.Wsman.ManagedReference.Get()

   at Intel.Manageability.Impl.AMTInstanceManager.GetVersionWSMan() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 922

   at Intel.Manageability.Impl.AMTInstanceManager.SetVersionInfo() in f:\AMT_SDK_11.6.0.7\Windows\High Level API\Src\Intel_Manageability_Library\HLAPI Lib\AMTInstance\AMTInstanceManager.cs:line 868}

System.Exception {Intel.Management.Wsman.WsmanConnectionException}

Does anyone have any idea how I could find out the cause of this issue? Thanks in advance.

@We are having an issue using VNC and the Manageability Commander Tool. The issue is that we have 3 systems provisioned but only one of the 3 systems is able to remote into the others via  AMT KVM. For example: System A can remote into System B and System C. System C cannot remote into B or A. Likewise System B cannot remote into C or A.

Has anyone had this issue and have knowledge on how to fix it?

The systems are Dell Latitudes E7440 (system A), Latitude E6440 (system B), and Latitude E6530 (system C).

All have Windows 8.1 Enterprise.

All provisioned using Intel SCS version 11

All accessible via their web URL (https://SystemX.site.corp:16993)

Hi,

we have a VPN server with SSTP connection, which authenticated by user credentials and Server certificate on 2012 R2.

Now i must implement SSTP connection with user credentials and user certificate.
I found that there are many solution to store user certificates not in their OS, but in the TPM or IPT. Fine.

maybe has someone the documentations how to configure all this?
how i can import the certificates into IPT?
how i can say to VPN client - hey, please use a certificate from IPT?

thank you very much!

Hi All,

So I have gone through the steps to get the SCCM 2012 Add On configured.  I had some issues with getting Intel AMT: Discovery working, but I've resolved that now and now I am trying to run the Intel AMT: Configuration Task Sequence.  I'm having a lot of issues with this one and it seems to be failing on me.  I was hoping that someone here has had some experience with this and can assist?

I've attached my SMSTS.log file which is coming up with a few errors when I'm trying to run the script.  I'm seeing errors about DNS, FQDNs, Event IDs about incorrect usernames and passwords etc (screenshot attached for that one)

Basically I've been looking into this one for a while now and I'm banging my head against the desk.  How does one get this to work?  I've not really seen anything online which has a solution for this.

Hello,

After I configured AMT in MEBx, I am not able to access the web UI on port 16992, nor able to connect via any tool. Port seems to closed (based on the telent console behavior) so I suspect the problem should be in the MEBx configuration or HW support. For the MEBx configuration, I was able to configure other PCs (different HW) successfully which brings me to believe the setup may be correct.

If I'm able to configure it in MEBx and enable it in BIOS is it still possible there is an incompatible HW in the path? How could I narrow this down and find the piece that may cause it?

(Q77 chipset, AMT v8)

Thank you for suggestions,

Tomas Fabry

Honeywell International

Hi All,

I have a computer that has an i7 with vPro / MEBX on it, and I wanted to know how it should be configured for use as a private home business computer.

The user guide, while helpful, still leaves me unclear on how I should set it up for maximum security. 

Any guidance is much appreciated.

Thanks,

John

Hi everyone,

I've been working with the HLAPI library, and came across the following issue:

when connecting to an AMT11 machine with digest authentication and server TLS, if the 1st connection uses the correct credentials, the 2nd connection works even if the credentials are wrong.

See below sample code:

            IAMTInstance amt;

            IAMTInstance amt2;

            try

            {

              ConnectionInfoEX ci = new ConnectionInfoEX("ro-nrc-vpro.anita.local", "admin", "Abcd1234!", true, // correct user and password

                                             "", ConnectionInfoEX.AuthMethod.Digest, null, null, null);

                amt = AMTInstanceFactory.CreateEX(ci);

                if (amt != null)

                  Console.WriteLine("First connection ok");

                amt.Dispose();

                amt = null;

                ConnectionInfoEX ci2 = new ConnectionInfoEX("ro-nrc-vpro.anita.local", "lkk", "fg", true,     // incorrect user and password

                                               "", ConnectionInfoEX.AuthMethod.Digest, null, null, null);

                amt2 = AMTInstanceFactory.CreateEX(ci2);          // this also succeeds!!

                if (amt2 != null)

                  Console.WriteLine("Second connection ok");

                amt2.Dispose();

                amt2 = null;

            }

Any ideas?

Note: I could only  reproduce the issue with digest and server TLS, doesn't happen if server TLS is not enabled, and I did not try yet with Kerberos or with mutual TLS.

Note 2: if I stay in a break point long enough before the amt2 = AMTInstanceFactory.CreateEX(ci2) command (this "long enough" varies from attempt to attempt), the CreateEX fails, like expected. So it seems to have something to do with cleaning up the old connection..

Novell ZENworks has feature to provision the intel devices using AMT technologies in enterprise mode. This feature was working perfectly fine with Java 6. This feature is broken now. Currently ZENworks uses JDK 1.8.051 and we are trying to provision AMT device (amt verison 6.2).

ZENworks sends the provision command at port 16993 in response device exchanges the certificates. Attached are wireshark traces for the communication. At the end device closes the connection with fatal alert unsupported certificate.

We are not sure which kind of certificate device is expecting.

ZENworks connects the device twice. Once for provisioning and second time for gathering the asset information from the device. Sometimes first calls succeeds and we see the provisioning record too on the AMT device (see the attachment IMG_20170413_112035563.jpg)

Can some body suggest what is the problem here?

Thanks,

Ashish S.

Developer at Novell