topic Certificate Error Provisioning All AMT Devices in Intel vPro® Platform

Certificate Error Provisioning All AMT Devices

idata — Fri, 09 Jan 2009 16:17:42 GMT

Hey guys,

I have a brand new Dell Optiplex 755 running BIOS A11 and AMT Firmware 3.2.1. I'm having trouble provisioning it. Everything works up until the certificate request is made from out certificate server, however. I'm getting the below messages in the amtproxymgr.log (not amtopmgr.log) on the ConfigMgr site server.

I had one of the guys on our server team check out the certificate server, and it is creating multiple certificates for the same client, and automatically approving them (as is proper), but for some reason, the site server is rejecting the certificate during the verification of the certificate chain. Our internal root CA certificate is in the Trusted Root CA store on the site server, and I have successfully provisioned other clients before.

I have also verified that this is not the self-signed certificate issue, because I have manually unprovisioned the device in SMB mode, and also pulled the CMOS battery to reset back to factory defaults. The same behavior is persisting.

DNS also is not a problem, as I have verified the forward and reverse records for the client from the site server. DHCP option 15 is also set properly. If either of these were the issue, we wouldn't be getting as far as we are in the provisioning process.

Found instruction file: D:\SMS\inboxes\amtproxymgr.box\{50830F19-8E2D-410A-A75B-EC5F0A32F96E}.apx

Processing Instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;

Request certificate task begin to read Site Control File.

Changes to the site control file settings detected.

Request certificate task success to read parameters from Site Control File.

Request certificate task success to connect to the SQL database.

ERROR: CertCreateCertificateContext failed: 0x80093102, msg=ASN1 unexpected end of data.~

Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary.

Request certificate task disConnected to the SQL database.

INFO: Enter process request 1

INFO: Save Request

INFO: Add new request

Certificate for vproclient.vprodemo.com has been retrieved.

ERROR: CertGetCertificateChain(...) failed: 0x1000040

ERROR: HandleDisposition failed: the root certificate of the CA is not at the Trust List!

INFO: Enter process request 3

INFO: Delete Request

INFO: Request to delete found

STATMSG: ID=7601 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_PROXY_COMPONENT" SYS=PROVSERVER SITE=123 PID=8536 TID=2220 GMTDATE=Thu Jan 08 21:28:22.411 2009 ISTR0="vproclient.vprodemo.com" ISTR1="certserver.vprodemo.com" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

Failed to run instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;

Finished Executing Instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;

Thanks,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Re: Certificate Error Provisioning All AMT Devices

idata — Mon, 12 Jan 2009 15:41:28 GMT

I am experiencing this same issue on a HP Compaq dc7900 running AMT 5.0.2. I'd appreciate some feedback on this problem ... any ideas on where it's failing? The certificate authority apperas to be functioning properly.

Which certificate is not in which trust list? I've verified that my internal root and subordinate CA certificates are in their proper locations on the site server. I've also verified that the proper Verisign root and subordinate CA certificates are in their proper locations.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

Re: Certificate Error Provisioning All AMT Devices

idata — Mon, 12 Jan 2009 15:56:24 GMT

Here is what the amtopmgr.log file is showing:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<<p>

Provision target is indicated with SMS resource id. (MachineId = 62378 vproclient.vprodemo.com)

AMT Provision Worker: 1 task(s) are sent to the task pool successfully.~

AMT Provision Worker: Wait 20 seconds...

Found valid basic machine property for machine id = 62378.

Warning: Currently we don't support mutual auth. Change to TLS server auth mode.

The provision mode for device vproclient.vprodemo.com is 1.

Attempting to establish connection with target device using SOAP.

Found matched certificate hash in current memory of provisioning certificate

Create provisionHelper with (Hash: 0CE62E1E26D22E86F2C31BB6D95471C968C9903B)

Set credential on provisionHelper…

Try to use provisioning account to connect target machine vproclient.vprodemo.com...

HTTP digest authentication failed with status = 401.~

Fail to connect and get core version of machine vproclient.vprodemo.com using provisioning account # 0.

Try to use default factory account to connect target machine vproclient.vprodemo.com...

Succeed to connect target machine vproclient.vprodemo.com and core version with 5.0.2 using default factory account.

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0.~

Get device provisioning state is In Provisioning

Passed OTP check on AMT device vproclient.vprodemo.com.

Machine vproclient.vprodemo.com will be added and published to AD and OU is LDAP://.

Send request to AMT proxy component to add machine vproclient.vprodemo.com to AD.

Successfully created instruction file for AMT proxy task: D:\SMS\inboxes\amtproxymgr.box~

Processing provision on AMT device vproclient.vprodemo.com…

Send request to AMT proxy component to generate client certificate. (MachineId = 62378)

Successfully created instruction file for AMT proxy task: D:\SMS\inboxes\amtproxymgr.box~

Wait 20 seconds to find client certificate for AMT device vproclient.vprodemo.com being generated again…

Auto-worker Thread Pool: Current size of the thread pool is 1