AMT Provisioning hell - Page 2

idata · ‎06-17-2009

Hi all,

Am having major issues with getting clients to provision, with a couple of different error messages. I've read through a lot of the posts on this forum and have been pulling my hair out for days now (pulling hair doesn't fix it).

One client is AMT version 4.0.8 the other is 3.2.1. I am using an internally provisioned certificate as this is a proof of concept before purchasing a 3rd party cert later on. For the AMT 4.0.8 client, provisioning almost works, the client certificate is issued and the object is created in AD, but then the process fails. Here is the relevent portion of the log:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)<p>

Provision target is indicated with SMS resource id. (MachineId = 3486 P57753.parldev.net) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=DEVSCCMMP1 SITE=APH PID=4828 TID=5304 GMTDATE=Wed Jun 17 06:31:55.335 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)

Found valid basic machine property for machine id = 3486. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

The provision mode for device P57753.parldev.net is 1. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Warning: We don't have an provision certificate with old recorded hash. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Attempting to try all provision certificate to connect target device. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Create provisionHelper with (Hash: 1EE4C5863DC71989CE1F103654B44E0709EC41D8) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Try to use provisioning account to connect target machine P57753.parldev.net... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

Succeed to connect target machine P57753.parldev.net and core version with 4.0.8 using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:00 PM 5436 (0x153C)

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:04 PM 5436 (0x153C)

Get device provisioning state is In Provisioning SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:04 PM 5436 (0x153C)

Passed OTP check on AMT device P57753.parldev.net. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)

Machine P57753.parldev.net will be added and published to AD and OU is /OU=AMT LDAP://OU=AMT Managed Computers,OU=NexGen Computers,DC=parldev,DC=net. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)

Send request to AMT proxy component to add machine P57753.parldev.net to AD. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)

Successfully created instruction file for AMT proxy task: D:\SMS\MP\OUTBOXES\amtproxy.box SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)

Processing provision on AMT device P57753.parldev.net... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)

Found client certificate already being generated for AMT device P57753.parldev.net. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)

Start 1st stage provision on AMT device P57753.parldev.net. (SOAP) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)

SecurityAdministration.ClearTLSCredentials finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:12 PM 5436 (0x153C)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:15 PM 5304 (0x14B8)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:15 PM 5304 (0x14B8)

NetworkTime.GetLowAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:16 PM 5436 (0x153C)

NetworkTime.SetHighAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:18 PM 5436 (0x153C)

NetworkAdmin.SetHostName finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:23 PM 5436 (0x153C)

NetworkAdmin.SetDomainName finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:27 PM 5436 (0x153C)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:35 PM 5304 (0x14B8)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:35 PM 5304 (0x14B8)

SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:35 PM 5436 (0x153C)

SecurityAdministration.SetTlsEnabled finished with HResult = 0x80004005, status = 0x0, clientError = 10. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)

Error: Failed to finish critical setup and configuration step. (pProvisionHelper->SetTlsEnabled) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)

Error: Can't finish provision on AMT device P57753.parldev.net with configuration code (30)! SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)

My environment is server 2008 64 bit with the OOB management point on a seperate server to the primary site server. The other client the AMT 3.2.1 has a different issue, although the MEBx setting are the same. It doesn't get as far:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)<p>

Provision target is indicated with SMS resource id. (MachineId = 3486 P57753.parldev.net) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)

STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=DEVSCCMMP1 SITE=APH PID=4828 TID=5304 GMTDATE=Wed Jun 17 06:31:55.335 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/20...

idata · ‎07-01-2009

Well, assuming you've checked all your network configuration (DHCP, DNS), done a factory reset on the problem unit(s), applied Microsoft hotfix KB960804, and triple-checked your root CA's certificate hash, I'm probably going to have to defer to Microsoft Premiere Support on this one.

By the way, have you opened the AMT Provisioning certificate from your site server, and validated the certificate chain up to your root CA? An invalid certificate chain caused a problem for me a while back. See this blog post for more details:

/community/openportit/vproexpert/blog/2008/11/18/intel-amt-provisioning-issues-with-configmgr-sp1 http://communities.intel.com/community/openportit/vproexpert/blog/2008/11/18/intel-amt-provisioning-issues-with-configmgr-sp1

Edit: Fixed URL

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

idata · ‎07-01-2009

OK, thanks for your help, I'll post the solution once I find it.

Bob

idata · ‎12-07-2011

Any luck with this?