Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
1,316 Views

AMT Connection Errors

I've been trying to test RCS 7 before upgrading from SCS 6 (sql) DB. The SCS 6 deployment was rushed by a contractor and I've been left with the results. What's worse, it got pushed thru project management and is now a live "production" server. Over the last few months, I've been trying to fix the errors/problems with the SCS 6 server. I'll fix one, and another problem, equally perplexing, appears in it's place. I've made the glorious decision to upgrade and replace the server (the SCS process crashes constantly, every couple minutes).

Anyways, before I and push the new server into production, I have to prove it works. I've got my client side script ready, it takes care of all the client side actions and sends the request to the RCS server. The RCS server does not have a DNS entry for provisionserver.domain.com (which I'm not sure if that's part of my problem, but I can't change that until we go into production). My client side script runs:

ACUConfig.exe /verbose ConfigViaRCSOnly *.*.*.* Profile /AbortOnFailure /ADOU OU=AMTOU,DC=organization,DC=com /NetworkSettingsFile "C:\Users\me\Documents\Magic Briefcase\Scripting\vPro\AMTmanager\NetworkSettingsFile.xml"

I've edited some things from that string, security conscious, I'm sure you understand

Anyways, the output from the client side looks great, it sends off all the correct info (we're a multi domain environment) to the RCS. The RCS gets the info and does this.........

***************************************************************************************************************************

2012-12-18 09:24:27: Thread:2260(DETAIL) : User- (RCS Service) - - , Category: (SERVICE) Source: Src\InstProv.cpp : CInstProv::Initialize Line: 111: (COMPLETED) - Initialize Status-0

2012-12-18 09:24:27: Thread:2260(INFO) : GetNetworkSettings, Category: Responding to Get Source For AMT Request Source: Src\RCS_RemoteConfigurationService_WMIProvider.cpp : RCS_RemoteConfigurationService::GetNetworkSettings Line: 1903:

2012-12-18 09:24:27: Thread:2260(DETAIL) : RCS Server , Category: Source: Src\ProfileAccessorXML.cpp : ProfileRepositoryNamespace::ProfileAccessorXML::GetAll Line: 668: Begin GetAll

2012-12-18 09:24:27: Thread:2260(DETAIL) : RCS Server , Category: Start ConfigAMT Source: Src\RCS_RemoteConfigurationService_WMIProvider.cpp : RCS_RemoteConfigurationService::ConfigAMT Line: 275:

2012-12-18 09:24:27: Thread:2260(DETAIL) : RCS Server , Category: computer.domain.com Source: Src\RCS_RemoteConfigurationService_WMIProvider.cpp : RCS_RemoteConfigurationService::ConfigAMT Line: 290: Starting thread for UUID:MY-UDID-OBSCURA-NOT-REAL

2012-12-18 09:24:27: Thread:2260(INFO) : computer.domain.com, Category: Supply New AMT Identity Source: Src\RCS_RemoteConfigurationService_WMIProvider.cpp : RCS_RemoteConfigurationService::ConfigAMT Line: 369: started

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: ConfigAMTInitial Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::ConfigAMTInitial Line: 1713:

2012-12-18 09:24:27: Thread:2260(INFO) : User- (RCS Service) - computer.domain.com - MY-UDID-OBSCURA-NOT-REAL, Category: (PLATFORM_CONFIG) Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::ConfigAMTInitial Line: 1728: (STARTED) - Status-0

2012-12-18 09:24:27: Thread:2260(DETAIL) : RCS Server, Category: End function- Status Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::ConfigAMTInitial Line: 1932: 0

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: MaintenanceConfigThread::run Source: Src\MaintenanceThread.cpp : MaintenanceConfigThread::run Line: 73: start- computer.domain.com UUID- MY-UDID-OBSCURA-NOT-REAL

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: Start function Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::SetupConfigureAMT Line: 482:

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: Try ReConfiguration with Admin user using profile: Test and alternate with Admin user using the 1st digest master password Source: Src\Activator_Impl.cpp : RunConfigThread Line: 305:

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: Start function Source: Src\ConfigThread.cpp : ConfigThread::run Line: 59: run()

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: Start function Source: Src\ConfigThread.cpp : ConfigThread::runConfigure Line: 95: runConfigure

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: TestAllConnections params Source: Src\vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestAllConnections Line: 276: Connection data - Connection type: TLS-SSL, FQDN: computer.domain.com, IP: 255.255.255.255, UserName: admin

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: Test Connection Source: Src\vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 495:

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: DiscoverAMTConnectionMode Source: Src\vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 867: Connection Info-computer.domain.com admin SSL_CONN:

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: AMTCommunicator Source: Src\WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::GetAmtVersion Line: 104: Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error -1073737787: 21037

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: AMTCommunicator Source: Src\EOICommunicator.cpp : AMTInterfaceNamespace::EOICommunicator::GetCoreVersion Line: 459: Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error -1073737787: The SSL handshake failed. A client certificate for connection to the Intel(R) AMT device could not be found.

2012-12-18 09:24:27: Thread:2260(ERROR) : computer.domain.com, Category: AMT Interface error Source: Src\vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 910: Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error -1073737787: The SSL handshake failed. A client certificate for connection to the Intel(R) AMT device could not be found. , error in discover 0xc0000fc5

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: TestAllConnections params Source: Src\vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestAllConnections Line: 276: Connection data - Connection type: HTTP, FQDN: computer.domain.com, IP: 255.255.255.255, UserName: admin

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: Test Connection Source: Src\vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 495:

2012-12-18 09:24:27: Thread:2260(DETAIL) : computer.domain.com, Category: DiscoverAMTConnectionMode Source: Src\vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 821: Connection Info-computer.domain.com admin HTTP_CONN:

2012-12-18 09:24:37: Thread:2260(DETAIL) : computer.domain.com, Category: AMTCommunicator Source: Src\WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::GetAmtVersion Line: 104: Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error -1073737804: 21020

2012-12-18 09:24:47: Thread:2260(DETAIL) : computer.domain.com, Category: AMTCommunicator Source: Src\EOICommunicator.cpp : AMTInterfaceNamespace::EOICommunicator::GetCoreVersion Line: 459: Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error -1073737804: A TCP error occurred. Make sure that the destin...

0 Kudos
5 Replies
Joseph_O_Intel
Employee
138 Views

To start with, I would simplify your profile to as basic as possible to confirm provisioning is working, so don't include any options in the SCS Profile, including NO TLS.

Then I would simplify your script to:

ACUconfig.exe /lowsecurity /output console /verbose ConfigViaRCSOnly $SCSServerNameFQDN $profilename /abortonfailure

If that works un-provision your system and rerun the script with the network file setting included.

These steps will ensure the basics of provisioning is working in your new environment.

You also mentioned the "ProvisionServer" DNS entry. As long as you do not have older clients than AMT5, then this is not needed. Not to mention using the acuwizard, doesn't need it regardless.

The "Go Daddy" cert is for provisioning only and has no effect on the possible TLS issue.

When you have verified the above is working let me know and we can go from there.

Joe

idata
Community Manager
138 Views

Joe,

Thanks for your reply! You've got some good info there, and I'll definitely run the test you recommend. I hope to update back within a few days.

Colyn

Joseph_O_Intel
Employee
138 Views

Hey Colyn,

I look forward to your Reply.

As for your SCS 6 issue we can look into that for you as well, I will need a copy of the rcs log and how many AMT devices do you have configured?

 

idata
Community Manager
138 Views

OK, so, this is what I've got......... I created a profile called "Low Security" on the RCS server which has no optional settings defined. This is what it looks like:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Low Security

Network Settings

 

FQDN will be the same as the DNS Look Up FQDN

 

IP will be taken from DHCP

Network Configuration

 

WiFi

 

Do not enable synchronization of Intel® AMT with host platform WiFi profiles

System Settings

 

Enabled Management Interfaces:

 

Web UI

 

Serial Over LAN

 

IDE Redirection

 

KVM

 

RFB password set

 

Timeout for user consent: 5 minutes

Power Management Settings: Always On (S0-S5), Timeout if idle: 3 minutes

 

Intel® AMT set to respond to ping requests

 

Fast Call for Help (Within the enterprise network) is Disabled

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I then grabbed a test machine and used the system discovery to confirm that it was indeed in an unconfigured state. Following this section is the ACU log from the host itself. Note I've changed a few things for security purposes but I do want to call out one thing specifically.

Our clients are joined to "greendomain.com" whereas our servers are joined to "bluedomain.com".

******************************************************************************************************************************

2012-12-21 13:43:16: Thread:6304(INFO) : ACU Configurator , Category: HandleOutPut Source: Src\ActivatorUtils.cpp : HandleOutput Line: 213: Starting log 2012-12-21 13:43:16

2012-12-21 13:43:16: Thread:6304(DETAIL) : ACU Configurator , Category: -Start- Source: Src\HECIDiscovery.cpp : CheckAMT Line: 97: ***** Start CheckAMT ******

2012-12-21 13:43:16: Thread:6304(DETAIL) : ACU Configurator , Category: -HECI- Source: Src\HECIWin.cpp : HECIWin::Init Line: 185: Connected to the Intel(R) Management Engine Interface driver, version 7.0.0.1144

2012-12-21 13:43:16: Thread:6304(INFO) : ACU Configurator , Category: AMT Mode Source: Src\HECIDiscovery.cpp : CheckAMT Line: 317: Intel(R) AMT in PROVISIONING_MODE_ENTERPRISE

2012-12-21 13:43:16: Thread:6304(DETAIL) : ACU Configurator , Category: -Start- Source: Src\HECIDiscovery.cpp : FWUpdateData Line: 59: ***** Start FWUpdateData ******

2012-12-21 13:43:16: Thread:6304(DETAIL) : ACU Configurator , Category: -END- Source: Src\HECIDiscovery.cpp : FWUpdateData Line: 80: ***** END FWUpdateData ******

2012-12-21 13:43:16: Thread:6304(DETAIL) : ACU Configurator , Category: -END- Source: Src\HECIDiscovery.cpp : CheckAMT Line: 426: ***** END CheckAMT ******

2012-12-21 13:43:18: Thread:6304(DETAIL) : ACU Configurator , Category: -Start- Source: Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1157: ***** Start GetAmtFQDN ******

2012-12-21 13:43:18: Thread:6304(DETAIL) : ACU Configurator , Category: -END- Source: Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1229: ***** END GetAmtFQDN ******

2012-12-21 13:43:18: Thread:6304(INFO) : ACU Configurator , Category: Discovery Source: Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 406: Calling function Discovery...

2012-12-21 13:43:18: Thread:6304(INFO) : ACU Configurator , Category: Local System Account Source: Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 195: Calling function GetLocalSystemAccount over MEI...

2012-12-21 13:43:18: Thread:6304(DETAIL) : ACU Configurator , Category: -HECI- Source: Src\HECIWin.cpp : HECIWin::Init Line: 185: Connected to the Intel(R) Management Engine Interface driver, version 7.0.0.1144

2012-12-21 13:43:18: Thread:6304(INFO) : ACU Configurator , Category: Local System Account Source: Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 229: Function GetLocalSystemAccount over MEI ended successfully

2012-12-21 13:43:19: Thread:6304(INFO) : ACU Configurator , Category: Discovery Source: Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 450: Host Based Setup is supported

2012-12-21 13:43:19: Thread:6304(INFO) : ACU Configurator , Category: Discovery Source: Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 480: Current Control Mode: 0 (Not provisioned)

2012-12-21 13:43:19: Thread:6304(INFO) : ACU Configurator , Category: Discovery Source: Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 519: Allowed Control Modes: 2 (Admin) and 1 (Client)

2012-12-21 13:43:19: Thread:6304(INFO) : ACU Configurator , Category: Discovery Source: Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 523: Function Discovery ended successfully

2012-12-21 13:43:19: Thread:6304(DETAIL) : ACU Configurator , Category: Returned data Source: Src\ActivatorDll.cpp : GetHostAndMEInfo Line: 3865: GetHostAndMEInfo output data: IsAMT:True, isAmtCapable:False, isEnterpriseMode:True, configurationMode:0, isRemoteConfigEnabled:True, AMTversion:7.1.3, isMobile:False, provisioningTlsMode:2, suuid:MY-UDID-OBSCURA-NOT-REAL, isClientConfigEnabled:True, hostBasedSupport:True, configurationState:1, FQDN:s3r14l4c0mp.greendomain.com.

2012-12-21 13:43:19: Thread:6304(INFO) : ACU Configurator, Category: -ConfigViaRCSOnly- Source: Src\ActivatorMain.cpp : wmain Line: 824: s3r14l4c0mp.greendomain.com:Starting Remote configuration...

2012-12-21 13:43:19: Thread:6304(DETAIL) : ACU Configurator , Category: -Start- Source: Src\ActivatorDll.cpp : RemoteConfiguration Line: 2992: ***** Start RemoteConfiguration ******

2012-12-21 13:43:21: Thread:6304(DETAIL) : ACU Configurator , Category: -Start- Source: Src\HECIDiscovery.cpp : TcpIpDiscovery Line: 1256: ***** Start TcpIpDiscovery ******

2012-12-21 13:43:21: Thread:6304(DETAIL) : ACU Configurator , Category: -END- Source: Src\HECIDiscovery.cpp : TcpIpDiscovery Line: 1332: ***** END TcpIpDiscovery ******

2012-12-21 13:43:23: Thread:6304(DETAIL) : ACU Configurator , Category: -Start- Source: Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1157: ***** Start GetAmtFQDN ******

2012-12-21 13:43:23: Thread:6304(DETAIL) : ACU Configurator , Category: -END- Source: Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1229: ***** END GetAmtFQDN ******

2012-12-21 13:43:23: Thread:6304(DETAIL) : ACU.dll, Category: GenerateOTP Source: Src\ActivatorDll.cpp : GenerateOTP Line: 996: Changing AMT state from IN-provisioning to Pre-Provisioning in order to set AMT OTP

2012-12-21 13:43:23: Thread:6304(DETAIL) : ACU Configurator , Category: -Start- Source: Src\ActivatorDll.cpp : StopConfiguration Line: 4756: ***** Start StopConfiguration ******

2012-12-21 13:43:23: Thread:6304(DETAIL) : StopConfiguration, Category: Entering StopConfiguration Source: Src\ActivatorDll.cpp : StopConfiguration Line: 4757:

2012-12-21 13:43:23: Thread:6304(INFO) : ACU Configurator , Category: Unprovision Source: Src\HostBasedSetup.cpp : HostBasedSetup::StopConfiguration Line: 322: Calling function StopConfiguration over MEI...

2012-12-21 13:43:23: Thread:6304(INFO) : ACU Configurator , Category: Local System Account Source: Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 195: Calling function GetLocalSystemAccount over MEI...

2012-12-21 13:43:23: Thread:6304(DETAIL) : ACU Configurator , Category: -HECI- Source: Src\HECIWin.cpp : HECIWin::Init Line: 185: Connected to the Intel(R) Management Engine Interface driver, version 7.0.0.1144

2012-12-21 13:43:23: Thread:6304(INFO) : ACU Configurator , Category: Local System Account Source: Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 229: Function GetLocalSystemAccount over MEI ended successfully

2012-12-21 13:43:23: Thread:6304(INFO) : ACU Configurator , Category: Unprovision Source: Src\HostBasedSetup.cpp : HostBasedSetup::StopConfiguration Line: 345: ****************************

2012-12-21 13:43:23:...

Joseph_O_Intel
Employee
138 Views

Now that you got it working, you should be fine from here on out for provisioning purposes of your clients in the greendomain.com, however keep the following in mind'

The Provisioning cert must contain the domain name that DHCP option 15 provides. Such as in your environment having servers in blue.com and clients in green.com. The problem lies in the domain mismatch between the client/server and what ever option 15 provides. Since your systems are provisioning, then either you are using a multidomain certificate or there is no mismatch between the clients and Option 15.

The reason just installing the certificate in the personal store of the RCS Serer works, is that there are preloaded cert hashes in the MEBx that checks against the incoming certificate for validation.

Joe

Reply