Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0
4.26k stars 569 forks source link

[Intel AMT] stuck on "Trying Credentials" #5982

Open Silejonu opened 7 months ago

Silejonu commented 7 months ago

Describe the bug The general tab of my device shows that it's "Trying Credentials", and it hasn't updated for days.

To Reproduce Steps to reproduce the behavior:

  1. Add an AMT-capable device in a group (AMT only, or AMT+agent, does not matter)
  2. Go to the general tab of the device
  3. See that it's stuck on "Trying Credentials"
  4. See error

Expected behavior The credentials should be accepted, and the device should be manageable from the MeshCentral UI.

Screenshots Screenshot from 2024-04-02 12-54-29

Screenshot from 2024-04-02 12-55-03

Screenshot from 2024-04-02 12-55-47

Server Software (please complete the following information):

Remote Device (please complete the following information):

Additional context I can control my device without issues when using the "Intel AMT" tab, but all the other tabs don't work until I go into it first.
It seems MeshCentral does not even attempt to connect, as if I try to enter wrong credentials, it doesn't show up in the AMT logs (if I manually try to log in with wrong credentials, it's reported).

Your config.json file

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "settings": {
    "plugins":{"enabled": false},
    "_mongoDb": null,
    "cert": "<my MeshCentral server FQDN here>",
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "[…]",
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
    "TLSOffload": false,
    "SelfUpdate": false,
    "AllowFraming": false,
    "WebRTC": false
  },
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "minify": true,
      "NewAccounts": true,
      "localSessionRecording": false,
      "_userNameIsEmail": true,
      "_certUrl": "my.reverse.proxy"
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "myemail@mydomain.com",
    "_names": "myserver.mydomain.com",
    "production": false
  }
}
si458 commented 7 months ago

What's the group settings like? Have u activated the intel amt feature?

si458 commented 7 months ago

Also if you know what the intel amt credentials are, you can click the blue download icon next to Trying credentials and then enter them manually and wait 5 mins while it tries the credentials

Silejonu commented 7 months ago

What's the group settings like? Have u activated the intel amt feature?

I've tried all policies, none of them made a difference. Right now it's on "Simple Admin Control (ACM)", "Randomize Password", "Deactivate CCM if setup" & "CIRA setup: do nothing".

Also if you know what the intel amt credentials are, you can click the blue download icon next to Trying credentials and then enter them manually and wait 5 mins while it tries the credentials

I did, hence the "Trying Credentials".

One thing I forgot to mention in my initial report: if I try to add my device via "Add Local", nothing happens. The pop-up asking for the machine to add just disappears. The only way to add my machine was to use the "Scan Network" function.

si458 commented 7 months ago

try going into the console tab and typing amt and see what info comes out Also try amtconfig and watch the output

Silejonu commented 7 months ago

I was not using the agent, so when installing it I realised there was an error in my config.json, that I fixed. After playing around a bit, I've been able to successfully register my machine by importing a json file into my group, with credentials now confirmed as "Known".

So, my original issue is fixed, thanks for the assistance. However, adding my machine via "Add Local" still results in nothing happening. Adding it via "Scan Network" finds it and allows me to add it, however it still stays stuck on "Trying Credentials". Is this expected behaviour? If not, and that's something you're interested in understanding/fixing, is there anything I can do to help you diagnose it?

si458 commented 7 months ago

@Silejonu when you add an AMT device, meshcentral doesnt know any credentials about the machine apart from the default admin,admin so it will always show Trying Credentials until you specify what credentials to use for that machine (i have this problem with 1 AMT machine which is connected to my development server, BUT i also have a production agent installed which always shows Trying Credentials but thats expected because its connected to a different meshcentral server!)

BUT

you can specify a user,pass in your config.json for it to try in addition to admin,admin if you use the same one for multiple machines for example (example below, and screenshot of schema file section)

ALSO

you can run amtpasswords from the console tab of the My Server page, which will list the last 3 passwords meshcentral is trying to use for that machine to login with (this is handy to verify you have set the password correctly)

{
  "domains" : {
    "": {
      "amtmanager": {
        "adminaccounts": [
          { "user": "admin", "pass": "admin" },
          { "user": "admin1", "pass": "admin1" },
          { "user": "admin2", "pass": "admin2" }
        ]
      }
    }
  }
}

image

Silejonu commented 7 months ago

@si458 Maybe I am not understanding things correctly, but when adding a device to MeshCentral (via the Local Scan wizard), Intel ME first shows up as having "No Credentials". When clicking on it and adding my credentials, it then changes to "Trying Credentials". And nothing happens.
Note that I have not setup anything regarding password in config.json.
My domains section looks like this:

{
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "minify": true,
      "NewAccounts": true,
      "localSessionRecording": false,
      "_userNameIsEmail": true,
      "certUrl": "https://meshcentral.mydomain.com:443"
    }
}

you can run amtpasswords from the console tab of the My Server page

This command returns nothing (literally, not even an error message) for me.

si458 commented 7 months ago

What nodejs version are u using? Is it 18 or above?

Silejonu commented 7 months ago

I'm using the Docker image ghcr.io/ylianst/meshcentral:latest, which runs Node.js v20.11.1.

si458 commented 7 months ago

Hmmm weird? So try the following, delete device and group, create new group, add device manually, wait for it to say no credentials, add credentials, then go into the Console tab under My Server and type amtpasswords, is the amtpassword listed in the output?

One other thing u can try is visiting http://IPOFREMOTEDEVICE:16992 and try logging in with the amt credentials you have, if u can't login, then the details are incorrect, if u can then it's something else I'm missing?

Silejonu commented 7 months ago

So try the following, delete device and group, create new group, add device manually, wait for it to say no credentials, add credentials, then go into the Console tab under My Server and type amtpasswords, is the amtpassword listed in the output?

Still exact same result: Screenshot from 2024-04-08 20-39-06

One other thing u can try is visiting http://ipofremotedevice:16992/ and try logging in with the amt credentials you have, if u can't login, then the details are incorrect, if u can then it's something else I'm missing?

I can login with the credentials, no problem. They're also accepted by MeshCentral, but the only way I can get it to even try them is via the JSON import functionality. After purging everything to retry from scratch as you asked me, I re-added my device via the JSON import, and it's working just fine: I can access the Intel AMT tab, Admin Credentials are marked as "Known", etc. But amtpasswords still shows not output.

si458 commented 7 months ago

What about importing from the json, logging into the intel amt panel at least once from within meshcentral, then running the amtpasswords? Does it show anything? I have a feeling its not saving the credentials correctly?

Edit. Cud be related to a bug we found before with it not saving ssh/rdp credentials

Silejonu commented 7 months ago

Still nothing. I can use the Intel AMT tab normally, same for the Desktop tab, but nothing is returned by amtpasswords.

si458 commented 7 months ago

Hmmm... very weird? Leave it with me. I have an amt 7 device in the office, so I'll reset it and try it later this week and see if I can find out what's wrong

Silejonu commented 7 months ago

Alright, let me know when/if you'd like me to test a few things.

crltc commented 5 months ago

I was not using the agent, so when installing it I realised there was an error in my config.json, that I fixed. After playing around a bit, I've been able to successfully register my machine by importing a json file into my group, with credentials now confirmed as "Known".

So, my original issue is fixed, thanks for the assistance. However, adding my machine via "Add Local" still results in nothing happening. Adding it via "Scan Network" finds it and allows me to add it, however it still stays stuck on "Trying Credentials". Is this expected behaviour? If not, and that's something you're interested in understanding/fixing, is there anything I can do to help you diagnose it?

I am having a similar problem where using "Add Local" under a group does not do anything and the device is not added (no error or anything, just nothing happens) but when I select "Scan Network" I can discover and add the device. Likewise after I do that entering the credentials it gets stuck on "trying credentials" but if I click the tabs it works and I can use the KVM and see all info.

I am using a fresh install deployed with official docker image version 1.1.24 - haven't customized anything just my reverse proxy options set.

pcmike commented 4 months ago

Same issue here. Always just says Trying Credentials despite everything seeming to work just fine. 🤷🏻‍♂️

EDIT: By the way this is on a 6th gen i7-6700t and Intel® ME reports: Activated, v11.8.50, Trying Credentials. Also when you click on details it doesn't display all the information that I get on my 12th gen i7-12700t which Intel® ME reports: v16.1.30, Activated, Admin Control Mode (ACM), Secured using TLS, Admin Credentials: Known. Hopefully this extra information may help. I'm willing to try anything needed..

EDIT2: I think this is a function of the various versions of AMT. I think the older versions don't implement https on 16993 and therefore don't populate the details tab in mesh central and also don't "appear" to save credentials, even though they do actually save them. I can't be certain if this is truly the case or why.. but maybe the developers can look into this? My 12th gen machine only responds on https:16993 and DOES NOT respond on http:16992; this is the reverse for the 6th gen machine.

si458 commented 2 months ago

i believe this should be fixed now, try using 1.1.27 and report back if its working or not now

mrlenny commented 2 weeks ago

Appears to still be an issue as of 1.1.32

si458 commented 2 weeks ago

@mrlenny can u explain ur setup a little?

nodejs version, meshcentral version, wan/lan/hybrid? intel amt device/version, how are you adding/setting up the amt device? usb key? manual setup in bios? meshagent activating amt? meshagent group, amt only group?

i have been given a lenovo thinkcentre m93p which i believe supports amt so might need to do some testing again!

mrlenny commented 2 weeks ago

@si458 sure, setup is very closely mirroring the previous reporters, BIOS setup AMT, control works after inputting the credentials, they just don't ever change from "Trying." Despite that AMT commands including remote desktop, works. The target device is an OptiPlex 9020.

Hostname 192.168.1.72 Description None Mesh Agent Windows 64bit service Intel® AMT Activated ACM, v9.1.45, Trying Credentials [Edit Intel® AMT credentials] Operating System Microsoft Windows 11 Pro - 23H2/22631

The node version is the same as the previous reporter, the mesh central version is what it comes with 1.1.16, and then I've also upgraded it to 1.1.32 and the issue persists. LAN only, local ethernet connection. MeshAgent group.

si458 commented 2 weeks ago

@mrlenny off the top of my head im guessing its just a display bug and its getting confused because you entered the credentials manually rather than letting meshcentral to the activation. whats the AMT settings for the meshagent group?

mrlenny commented 2 weeks ago

@si458 No Policy

si458 commented 2 weeks ago

@mrlenny OOOOO that could explain why it might be getting confused! i will have alook next week when i get chance

mrlenny commented 2 weeks ago

@si458 switching it to fully automatic WHILE THE AGENT WAS RUNNING removed the issue.