Ylianst / MeshCommander

MeshCommander is an Intel(R) Active Management Technology (Intel(R) AMT) remote management tool. It's feature rich and includes a built-in remote desktop viewer for Hardware-KVM, a Serial-over-LAN terminal, IDER-Redirection support and much more. MeshCommander is built on web technologies and runs on many platforms. In addition to being available as a stand-alone tool, MeshCommander was built to be very space efficient so that it can be uploaded into Intel AMT flash space to have it served directly from the Intel AMT web server.
Apache License 2.0

VNC not supported anymore in newer Intel AMT versions. Giving Error "Error 400, unable to set values." #98

Open Spamm00r opened 4 months ago

Spamm00r commented 4 months ago

Hi,

I'm unable to enable VNC on Intel AMT 16.1.30.

Researching the problem, I found out that Intel has removed the possibility to use VNC in the newer versions of Intel AMT:

https://community.intel.com/t5/Intel-vPro-Platform/KVM-VNC-doesn-t-work-following-BiOS-ME-Update/td-p/1537110

I'm not sure in which version this change was introduced.

Trying to connect via VNC, the connection fails with the error: "no password configure for vnc auth"

So the VNC server is listening, but we are unable to set a password. How can you add a password to allow VNC connections again? How can you enable KVM via VNC again? Or what alternative method is there to get BIOS-level remote KVM again?

Without VNC, Intel AMT is useless to me.

jsastriawan commented 4 months ago

New firmware disables the non-TLS port and VNC port 5900. MeshCommander will still work over the TLS ports (16993 and 16995).

If you want, you can create a VNC shim layer to allow a VNC client like Tiger VNC to talk to AMT KVM. This shim layer basically handles AMT WebSocket Digest Authentication and initial KVM negotiation before shuffling the RFB 3.8 stream between AMT and the VNC viewer.

https://github.com/jsastriawan/pyws/blob/main/amtkvm.py

My code is written in Python and I wrote this specifically for firmware 12 and above. The above code is based on MeshCommander code (esp. amt-redir JavaScript). Feel free to evaluate and use if it meets your needs, no support implied.

You can always download Intel's official AMT SDK, which has source code and sample code for KVM too.
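The Digest step of such a shim, as an added example that is not part of this thread or of amtkvm.py: it parses a `WWW-Authenticate` challenge and builds the `Authorization` value for the upgrade request. It assumes a standard RFC 2617 MD5 challenge with qop=auth; the sample challenge, credentials and URI are the RFC 2617 test vector, not AMT values.

```python
import hashlib
import re
import secrets

# Constructed sample input: the challenge from the RFC 2617 section 3.5 example,
# not captured from an AMT device.
SAMPLE_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def parse_challenge(header):
    """Split a WWW-Authenticate Digest value into a dict of its parameters."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_authorization(challenge, username, password, method, uri,
                         nc=1, cnonce=None):
    """Build the Authorization value answering an MD5/qop=auth challenge."""
    if challenge.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("this example only handles algorithm=MD5")
    offered = [q.strip() for q in challenge.get("qop", "").split(",")]
    if "auth" not in offered:
        raise ValueError("this example only handles qop=auth")
    cnonce = cnonce or secrets.token_hex(8)   # fresh client nonce per request
    nc_hex = f"{nc:08x}"                      # request counter for this nonce
    ha1 = _md5(f"{username}:{challenge['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{challenge['nonce']}:{nc_hex}:{cnonce}:auth:{ha2}")
    parts = [f'username="{username}"', f'realm="{challenge["realm"]}"',
             f'nonce="{challenge["nonce"]}"', f'uri="{uri}"', "qop=auth",
             f"nc={nc_hex}", f'cnonce="{cnonce}"', f'response="{response}"']
    if "opaque" in challenge:                 # echo opaque back unchanged
        parts.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(parts)

if __name__ == "__main__":
    print(digest_authorization(parse_challenge(SAMPLE_CHALLENGE), "Mufasa",
                               "Circle Of Life", "GET", "/dir/index.html",
                               cnonce="0a4f113b"))
```

Digest keeps the password off the wire but does not protect the KVM stream that follows, so a shim like this belongs on the TLS ports named in the comment above.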

Spamm00r commented 4 months ago

Thanks for the quick reply.

I'd like to rely on as few tools as necessary. Intel writes in its reference guide that you can enable port 5900 for KVM via this method:

Change the Default Port Setting

End of Support Note: Port 5900 is no longer supported. Attempting to configure an RFB password or enabling the port via IPS_KVMRedirectionSettingData.PUT causes Intel AMT to return the message unsupported. For details on affected releases, see Working with Port 5900.

The following steps describe how to enable or disable the ability to use the default KVM port (Port 5900).

  1. Ensure that the KVM interface is enabled: See Enable/Disable the KVM Interface. If it is enabled, continue to the next step.

  2. Retrieve the instance of IPS_KVMRedirectionSettingData, where the “InstanceID” key equals “Intel(r) KVM Redirection Settings”.

  3. Set the IPS_KVMRedirectionSettingData.Is5900PortEnabled and IPS_KVMRedirectionSettingData.RFBPassword properties:

     a. To disable: set IPS_KVMRedirectionSettingData.Is5900PortEnabled to false.

     b. To enable: set IPS_KVMRedirectionSettingData.Is5900PortEnabled to true, and provide an IPS_KVMRedirectionSettingData.RFBPassword if there is no previous value.

  4. Invoke IPS_KVMRedirectionSettingData.Put


You can execute this snippet by inserting it into the execution template found here.

```powershell
# Fetch the KVM redirection settings instance by its InstanceID
$kvmRedirectionSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_KVMRedirectionSettingData WHERE InstanceID='Intel(r) KVM Redirection Settings'")
$kvmRedirectionSettingDataInstance = $kvmRedirectionSettingDataRef.Get()
# Enable port 5900 and set the RFB password, then write the instance back
$kvmRedirectionSettingDataInstance.SetProperty("Is5900PortEnabled","true")
$kvmRedirectionSettingDataInstance.SetProperty("RFBPassword","P@ssw0rd")
$kvmRedirectionSettingDataRef.Put($kvmRedirectionSettingDataInstance)
```

Additional Information

An RFBPassword is required if port 5900 is enabled. It must be a strong password – exactly eight characters long, containing a capital letter, a lower case letter, a digit, and a special character.


https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fworkingwithport5900.htm

So the easier way would be to do this via PowerShell and get the 5900 port back.

I'm right now stuck at getting the IntelVpro modules working in PowerShell. Unfortunately Intel's manual seems to be outdated. I can't get the IntelVpro module to work in PowerShell. And I can't find older Intel AMT SDKs that came with a setup program that installed these modules.

Do you know how to get the IntelVpro PowerShell modules to work and toggle the VNC settings via PowerShell?

jsastriawan commented 4 months ago

Hi,

As described by the documentation, the VNC port is now disabled by default in the new firmware. I do not believe it is the issue with the vPro PowerShell module. VNC using port 5900 is clear text and not secure, and I believe that is the reason why. And based on what is written in "Working with Port 5900", there is an end of support note too, which basically says that the feature has been disabled since 6-7 years ago.