Troubleshooting Out of Band Management and Real-Time System Manager for vPro Technology versions 7.0: Part 3
Troubleshooting issues with the Intel® AMT setup and configuration process can be a daunting prospect. This series walks through the troubleshooting methods to pinpoint where problems originate and how to fix them.
Part 3: Setup and Configuration Console Troubleshooting
Setup And Configuration Console Access Forbidden
Setup And Configuration Console Connection Closed
Setup And Configuration Console User Not Authorized
Setup And Configuration Console Timeouts
Once the server components are installed and the AMT systems are in a correct Setup Mode, one must access the Setup and Configuration Console to manage the setup and configuration process. This console is located in the Symantec Management Console under Settings > All Settings > Remote Management > Out of Band Management. This part of the series covers errors in the console, specifically common errors seen after the installation has taken place. These errors can also surface due to environmental changes in the infrastructure.
This section lists all the symptoms covered in this article. Use this list to guide you if you are working on a specific issue.
- Setup and Configuration Console Access Forbidden - Generally this is a 403 error on most of the Symantec Management Console Setup and Configuration Nodes
- Setup and Configuration Console Connection Closed - All the Setup and Configuration Nodes show an error that the underlying connection was closed
- Setup and Configuration Console User Not Authorized - This error relates to the access rights to the actual Setup and Configuration Nodes, and can happen even if a user is listed as a Symantec Administrator
- Setup and Configuration Console Timeouts - We've seen timeouts occur in the console, when accessing the Intel AMT Systems list
Setup and Configuration Console Access Forbidden
When accessing the Setup and Configuration Console, the following error is thrown:
The request failed with HTTP status 403: Forbidden
The default error in the console is shown, as here:
The Altiris Log Viewer will reveal the true message, as shown here:
When installing Intel SCS, the manual install defaults to HTTPS, using TLS for secure communication. If the environment is not set up for TLS/HTTPS, the Symantec Setup and Configuration Console will be unable to authenticate to Intel SCS, throwing this error.
- On the Notification Server where Intel SCS is installed, open up IIS Manager.
- Browse down into the Default Web Site and select AMTSCS.
- Right-click on AMTSCS and choose Properties.
- Select the Directory Security tab.
- Click the Edit button under the Secure communications section.
- Uncheck the box labeled 'Require secure channel (SSL)'.
- Click OK.
- Click Apply and then OK.
Setup and Configuration Console Connection Closed
The error 'The Host Name cannot be resolved' or 'the remote connection was closed' appears when accessing the Setup and Configuration Console. Again you will see the generic message shown previously. In the logs, you'll see this error:
The remote name could not be resolved: '<systemname>'
The problem can also be seen when using the Test functionality on the DNS Configuration node. It may show a 'failed to resolve name' message.
When our Console tries to resolve the name of the Intel SCS Server (even when Symantec Management Platform and SCS are on the same server), it fails and one of these errors is thrown. The difference can be in the perceived FQDN for the Server. Symantec is attempting to acquire the right IP address so it can communicate with SCS.
There are two ways to fix this if a reinstallation does not correctly set the SCS identity within Symantec.
LMHOSTS or HOSTS files - We can update one or both of these files to contain the FQDN the console is using, so that it translates to the correct IP Address. The error shows the name being used, which may not match what DNS is using for the name.
1. In the error message: The remote name could not be resolved: 'Myserver.mydomain', it gives what FQDN it is using to connect to the system.
2. One example of this is Symantec called Servername.domain, which did not respond, but Servername.domain.com was a valid name.
3. Using NSlookup, you can see what DNS calls the server. For example, at a command-line type nslookup servername. What FQDN is returned? You can also do an nslookup on an IP Address.
4. Once you have the name, access the file named lmhosts.sam (or no extension). Place a line in the file with the Server IP Address and invalid name:
   10.10.10.1 Servername.domain.com
5. Whatever invalid name was located in step 1, the above sequence can be used to give the computer the correct IP Address resolution. This resolves the issue. However, there may be other steps needed. If this doesn't resolve the issue, continue to step 6.
6. Access the Service Location node in the Setup and Configuration Console.
7. Change the option to 'Alternate URL:'.
8. Specify a new location changing the name to one that resolves, for example:
9. Click Apply to save the changes.
Since the Symantec Management Platform and SCS are not fully integrated, they do not have a mechanism that shows if they are on the same server or not. This is why this issue can surface.
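The name check described above can be scripted. The following is an added example, not part of the original article or of any Symantec or Intel tooling: it pulls the failing name out of log text, checks it against hosts-file content and the OS resolver, and returns the hosts line to add. The log layout, the sample hosts content and all function names are assumptions made for illustration; only the error string and the 10.10.10.1 example address come from the article.

```python
import re
import socket

# Error text as quoted in the article; the surrounding log layout is constructed.
ERR_RE = re.compile(r"The remote name could not be resolved: '([^']+)'")
SAMPLE_LOG = """\
10:14:07 console: The remote name could not be resolved: 'Servername.domain'
10:14:09 console: page load complete
10:15:31 console: The remote name could not be resolved: 'servername.domain'
"""
# Constructed hosts-file content (same "IP name" layout as the article's example line).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.10.10.1  Servername.domain.com   # SCS server
"""

def failing_names(log_text):
    """Distinct names from resolution errors, case-insensitive, first-seen order."""
    seen = {}
    for m in ERR_RE.finditer(log_text):
        seen.setdefault(m.group(1).lower(), m.group(1))
    return list(seen.values())

def parse_hosts(text):
    """Map each lower-cased name or alias to its IP, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def system_resolve(name):
    """Ask the OS resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def diagnose(log_text, hosts_text, server_ip, resolve=system_resolve):
    """Return (name, status, hosts line to add or None) for each failing name."""
    hosts = parse_hosts(hosts_text)
    report = []
    for name in failing_names(log_text):
        ip = hosts.get(name.lower()) or resolve(name)
        status = "ok" if ip == server_ip else "unresolved" if ip is None else "mismatch"
        report.append((name, status, None if status == "ok" else f"{server_ip} {name}"))
    return report

if __name__ == "__main__":
    # Offline run: the resolver is stubbed so only the hosts text is consulted.
    print(diagnose(SAMPLE_LOG, SAMPLE_HOSTS, "10.10.10.1", resolve=lambda n: None))
```

A "mismatch" status means the name resolves, but to an address other than the SCS server, which produces the same console symptom as an unresolved name.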
Setup and Configuration Console User Not Authorized
After installation or after credential changes the typical error structure appears with the message:
- Access Denied
You currently do not have sufficient network access rights to the Notification Server console.
Please contact your local area network administrator for further assistance.
Note that the error does not have the Red error typically associated with other console errors.
Also note that this is the standard message you receive if you do not have any rights to the Notification Server, except it is only in the right-pane when selecting a Setup and Configuration Node.
After installation, only the user who conducted the Intel SCS install and the Symantec Administrators group have rights to the console nodes. Until other users are added, only Symantec Administrators and the installer user (usually the Notification Server Application identity) have rights to these nodes. Notification Server role and scope security does not apply to the populating of the data to the right of these nodes (although it does control access to actually showing the nodes themselves in the left-hand tree).
Follow these steps to give the necessary users rights to the Setup and Configuration Console nodes:
- Log into the Symantec Management Console as the Notification Server Application Identity, or the user used to manually install Intel SCS (one of these will usually be the authorized user).
- Access the Symantec Management Console Settings > All Settings > Remote Management > Out of Band Management > Configuration Service Settings > Users.
- Note the users who already have rights.
- Click the blue + icon to add a user.
- Use the User name multi-function field to find and select the user you wish to provide access to the OOBM nodes.
- Click the pencil icon to have a search interface to simplify or provide easier access to the search.
- Under the Role: give Enterprise Administrator rights unless you want to limit which nodes are operable.
- Click OK to complete adding the user.
If no user can access these nodes, the Intel SCS installation needs to be run again under the correct user. Run through these steps to complete this:
- Log onto the Notification Server directly (or with the /console switch if you're using Remote Desktop) with the NS Application Identity.
- In Add/Remove Programs, locate 'Intel® Active Management Technology Setup and Configuration Service' and remove it.
- On the Notification Server, browse to install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\Out of Band Management\IntelSCS\.
- Launch the file AMTConfServer.exe and walk through the install. Be sure to use the Application Identity as the credentials for SCS.
- When prompted for the database credentials, if permissible use the Application Identity.
- Once completed log into the Symantec Management Console with the Notification Server Application Identity, then move back to step 1 of the previous sequence to add other users as necessary.
Setup and Configuration Console Timeouts
Even in small environments we've seen timeouts on the Intel AMT Systems node, and much less frequently on the other nodes. The timeout throws a .NET error and the page is replaced by a timeout error.
The cause is not known at this time. The timeouts do not seem to occur always at particularly busy times for the Notification Server, so it is difficult to know what causes them. When there are plenty of resources available the timeouts generally do not occur, though if the server is extremely busy it doesn't always occur, either. It appears to be caused by varying factors.
A refresh after the timeout error often loads the page just fine. This suggests that loading the page gets into a loop or hung state, rather than hitting a true processing timeout.
No full resolution is known at this time, but a few items can help minimize the impact of the issue.
- Remote Consoles - We've seen remote consoles perform better than having the console loaded directly on the Notification Server
- Refresh - Normally the timeouts occur without loading any of the frames within the page. If you click on the link or hit the refresh for the Intel AMT Systems page and no frames load within a minute, refresh the page. Often when the page is refreshed it then loads correctly, even quickly.