Here is a screenshot of the message:
I know there was a long thread about this, but it was closed by Gael. Here is the link:
No one ever posted what the resolution to the problem was. My certificate configuration seems to be working fine.
I can access SoL using the Microsoft Configuration Manager OOBconsole.
Hello Trevor, this error usually indicates a certificate verification issue.
Here is the quote from the Redirection Library Design Guide: "The library has failed to establish a TLS connection with the client. There might be a problem verifying the clients certificate."
Are you able to connect to AMT onthis system remotely using the WebUI?
For your TLS setup are you using mutual authenticatoin or server authentication?
Yes... I closed the issue because Javier said he figured things out. He did post a blog detailing the issues he ran into which caused most of the problems.
Trevor - what too are you using to provision your system? SCS? or the SCS Lite tool? You have enabled the Redirection port, correct?
Thanks for the responses, Gael and Lance.
I am using Microsoft System Center Configuration Manager 2007 SP1 to provision the AMT devices. I get the same error message connecting to both an AMT 3.2.1 device, and an AMT 5.0.1 device. Most of the other functions of the Intel AMT DTK Commander tool work just fine, but I have never been able to use the Serial-over-LAN feature of it.
I do have the IDE-R, Serial-over-LAN, and WebUI features enabled in my out-of-band service point configuration in SCCM. I can connect to the WebUI from the Windows 2003 site server that provisioned the device.
I am able to use the Microsoft SCCM OOBconsole utility to perform serial-over-LAN functions on the same AMT devices that are having an issue with the DTK Commander tool, so I know that the certificate verification is working as expected. This would appear to be some sort of issue with the implementation of the DTK Commander tool.
We will need to contact the DTK folks on this one. For SOL connections, I seem to recall that the DTK has a menu where you can change some of the SOL settings and I have had to do this once or twice, however, I do not have my systems here with me now and will not be able to take a look at this until Tuesday. It does sound as if it is something specific to the DTK. If it is, (and it isn't the menu setting) they will ask you to fill out out a bug report.)
You can take a look at this forum thread - if it is a DTK issue, you can see the questions Tim is going to be asking you and he also has the link to the bug report in there as well.
I'm the support guy for the Managabilty Commander Tool. Can you share some specifics with me so I can try and replicate here? To start, what version of Commander are you using? We posted a new version last week, but I don't recall any specific SOL fixes going into that one. Also, details on your certificate? Did you create the certificate, or is it something purchased (if so, what vendor & product). What level of certificate is it? Are you using mutual or server authentication? Certificate Authority vendor/version/configuration? Is all this on the same server or is it distributed? Anything else you can think of.I see you're seeing this issue regardless of AMT 3.x or 5.x so I'm sure I have the required hardware here.
Thank you for your responses. I will do my best to provide you the information necessary to determine the problem, although I will need some help in determining how to find out what you need to know, in some cases.
Version: I am using the ATM DTK Commander 0.6.8340.2 (pulled from the Details tab of the executable file's properties in Windows Explorer).
Provisioning Certificate: We use a Verisign standard SSL provisioning certificate to provision our AMT devices. It uses the OU verbage of "Intel Client Setup Certificate" rather than an OID (which costs a lot from a 3rd party).
Internal CA: We have a tiered domain structure, with an Windows 2003 Enterprise Root CA in the root domain, and our subordinate CA in the child domain. The ConfigMgr site servers also sit in the child domain.
AMT Web Server Template: We have configured the AMT Web Server Certificate template according to the Microsoft documentation, and it works great when using Serial-over-LAN with the Microsoft out-of-band console.
Can you tell me how to find out whether or not I'm using mutual authentication or not?
Quoting - Tim Tool Guy Duncan (Intel)
Unlike server authentication where the Management Console has to prove who it is to Intel AMT, Mutual authentication is the case where the Management Console also requires Intel AMT to prove "who" it is. So instead of one certificate along with it's root certificate, both systems have the other's root cert in addition to their Certificate. Where all have you installed Certificates (and their associated Root Certificates?)
I have our subordinate and root CA certificates installed in both the [machine-level] Trusted Root CA store, and the [machine-level] Intermediate CA store.
The subordinate and root Verisign certificates appear in their proper locations, the intermediate CA store, and trusted root CA store, respectively.
All of the above is in reference to the system running the Intel AMT DTK Commander tool. Is this the information you are seeking?
Quoting - Gael Holmes (Intel)
I missed a critical request, please send me the exceptions.txt file(s) from the directory you launch Commander from - that will go a long way to getting us to an answer for you. Sorry about that. email@example.com
I submitted the information you requested to the e-mail address you requested. Keep in mind, that although I replicated the problem this morning again, it didn't log anything new to the exception log .... I'm not sure if this will help you or not.
Quoting - Tim Tool Guy Duncan (Intel)
Trevor - have you downloaded the latest DTK? Judging from the version you indicated above, you may not have. I pasted some info regarding the latest release here. If your SOL/IDER is working using other tools, it might be this WS-MAN over TLS issue.
Recent Changes in v. 0.6.09037.2
* Manageability Commander Tool
- Addresses issues when connecting to Intel AMT systems using WS-MAN over TLS connections.
- Addresses issues with CIRA connections using TLS.
* Integrated latest Intel AMT SDK release: 22.214.171.124. The manageability tools now use the latest EOI (SOAP) and WS-MAN interface definitions.
* Published updated User Guide v. 1.5
* More minor cosmetic updates.
* IDE Redirection of some floppy drives or disk images on Intel AMT 5.x systems may not correctly display text in the remote terminal window from the Manageability Commander Tool or in the Manageability Terminal Tool.
* When using Serial Over LAN (SOL) in the Manageability Terminal Tool (or via the Manageability Commander Tool), the function keys may not be recognized by the Intel AMT system. To resolve this issue, change the Special Key Translation mode from the 'Terminal' menu to another option.
* The Manageability Terminal Tool may display erroneous characters during a remoted reboot of an Intel AMT system. This should only affect how the remoted screen is displayed and should not have any effect on the functionality of the Serial Over LAN (SOL) session.
* A network connection to the Internet is needed in order to verify the author (digital signature) of the applications and the installer. Without a full Internet connection, the installer and applications can take a few minutes to start, which may prevent the Manageability Outpost Service Tool from correctly starting as a Windows service.
- A workaround for this is to add the following lines to the LMHOSTS file:
Check out the DOPD SW Engineering Team's blog for all the latest updates, news and discussions related to the Manageability Developer Tool Kit.
build a try might just do the trick. I'll keep digging on this end until I hear you've got it working. I do need to ask how critical this failure is to you. If a fix is required we will need to prioritize this work against other "opportunities." ...td
Well, my high school chemistry teacher always used to tell me: "Gael,if all else fails, read the directions." Finally looking at the latest release of a software product and looking at what it fixed and what the known issues are falls into that category. LOL But, we'll see if the latest version fixes Trevor's issue.
Because of completely separate problems around the Microsoft OOB Management Console included with Configuration Manager 2007 SP1, I am unable to get our support staff up and running with any real AMT use cases yet.
All in all, I wouldn't call this a "high" priority, but considering the vast array of issues we've been having over the past year or so, I would definitely like to get this fixed sooner rather than later. I've been working very hard (and closely with Intel) on getting Intel vPro functional in the OfficeMax IT environment, and have run into roadblock after roadblock. Many of these issues have been environmental, but a few of them have also been vendor interoperability challenges (Intel & Microsoft). The sooner I can get some real, functioning tools into the hands of our lower level support staff members, and get them trained on their usage, the sooner OfficeMax can start realizing the benefits of this awesome technology.
If you want more information on the OOBconsole issue I'm having, please check out this thread on the vPro Expert Center discussion forum. I submitted a ticket to Microsoft Premiere Support just this morning about the issue. I apparently will not be getting any feedback until next week on it, as one of two primary AMT/ConfigMgr support representatives at Microsoft, who I've worked with in the past, will not be back in the office until then.
Thanks for hearing me out, and sorry if this sounds like I'm complaining. I've just been through a lot. :)
FYI, I am currently using the "Manageability Developer Tool Kit - v. 0.6.08337.2" (pulled from the release notes). I will attempt to install and use the newest version to see if that resolves the problem. Thanks for the recommendation.
Quoting - Tim Tool Guy Duncan (Intel)
I tried the latest version of the Intel AMT DTK that you linked to, and it still exhibits the same error during Serial-over-LAN sessions.
Thanks for the quick response - I think you'll have to get Tim the log file. Just out of curiosity, do you have something that might be blocking some of the messages going back and forth? Do you have a sniffer going during cases where it works and where it doesn't?Sometimes anti-virus programs and firewalls cause problems if they are not set up correctly - but I suspect if that was the problem you would not have success with SOL/IDE-r using any tool.
I'm not running any firewall software on my laptop, and I haven't gotten any blocking notifications from my anti-virus software.
And yes, because the ConfigMgr OOBconsole works, I would imagine that there isn't anything being blocked. Each utility should be using the same TCP ports to contact the AMT device (16995 for SoL, and 16993 for TLS communications).
Edit: I did send the log file to Tim earlier today, BTW.
Quoting - Gael Holmes (Intel)
Is there anything else you would like from me?
Do you have a lab environment where you can easily provision an AMT device with a similar configuration to mine, using Configuration Manager, and see if you can replicate the issue?
It seems that the error is occurring in the ExSOLOpenTCPSession method in AmtRedirectorWrapper.cs. The call to IMR_SOLOpenTCPSession on line 661 returns IMRResult.IMR_RES_TLS_CONNECTION_FAILED and assigns the value to a variable named "r".
I'm not sure if it matter at all, but the IntPtr variable data has value 98034960 just prior to the call to Marshal.FreeHGlobal(Data).
Any ideas with that added info?