Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Exit Code 75

idata
Employee

I'm testing the new RCS v8 and I'm getting this error when trying to configure devices:

2013-01-04 11:02:04: Thread:4264(DETAIL) : ACU Configurator , Category: WMI_ConfigAMT Source: Src\WMIAccess.cpp : WMI_ConfigAMT Line: 1090: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. (0xc000521c) ((ExecMethod WMI_ConfigAMT) A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. (0xc000521c). An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f). Valid certificates for SSL connection not found. (0xc00007e7). (0xc000521c). )

2013-01-04 11:02:04: Thread:4264(DETAIL) : ACU Configurator , Category: -END- Source: Src\ActivatorDll.cpp : RemoteConfiguration Line: 3545: ***** END RemoteConfiguration ******

2013-01-04 11:02:04: Thread:4264(ERROR) : ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : wmain Line: 1096: ***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. (0xc000521c). An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f). Valid certificates for SSL connection not found. (0xc00007e7). The RCS failed to process the request.

I'm using the same certificate that was used with our SCS 6 server and our RCS 7 server. I'm confused by the username and password error. I don't know what it's referring to. I can only guess it's the AMT service account; however, the service account is active, and I've ensured the RCS service is running under that account with the correct password. The certificate with the private key is in the personal store of the service account running the RCS, along with the 2 GoDaddy intermediaries. While testing and trying to resolve this error, I've added the following OIDs:

2.16.840.1.114413.1.7.23.1

2.16.840.1.114413.1.7.23.2

2.16.840.1.113741.1.2.3

2.16.840.1.113741.1.2.2

2.16.840.1.113741.1.2.1

1.3.6.1.5.5.7.3.1

1.3.6.1.5.5.7.3.2

The certificate thumbprint matches that of the GoDaddy hash pre-loaded in the Intel AMT store. I've verified this using system discovery. The certificate traces back up the GoDaddy chain, and I've verified the hash of the top-level certificate.

There's gotta be something I've missed during the setup of RCS 8, but I can't figure it out.... Any help would be appreciated.

0 Kudos
2 Replies
Joseph_O_Intel
Employee

Hey Colyn,

The GoDaddy certificate that you used previously with older versions of SCS should be working fine with SCS8 for provisioning. So that shouldn't be the issue. This certificate should only have a single OID (2.16.840.1.113741.1.2.3) and should have a matching domain name to your DHCP Option 15. This should be in the personal certificate store of the Network Service account.

The other OIDs mentioned within the docs are used for MTLS communications and are provided by your CA through a template that issues certs to your clients during MTLS provisioning. These OIDs are:

• For remote access: 2.16.840.1.113741.1.2.1

• For local access: 2.16.840.1.113741.1.2.2

I would recommend that you clean up your certificate template and then create a new provisioning profile that is as basic as possible, without TLS. That way you can prove whether provisioning is working or not. Once basic provisioning is working, try provisioning with TLS.

0 Kudos
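
A check of the two properties the reply above asks for (the provisioning OID 2.16.840.1.113741.1.2.3 and a subject name matching the DHCP option 15 domain), as an added example that is not part of the thread or of Intel's tooling. The function name, the suffix-matching rule and the `corp.example.test` sample values are assumptions.

```powershell
# Added example, not Intel's tooling. Function and parameter names are hypothetical.
$ProvisioningOid = '2.16.840.1.113741.1.2.3'   # provisioning OID named in the reply

function Test-AmtProvisioningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DhcpDomain   # the DHCP option 15 value
    )
    # Collect every Enhanced Key Usage OID present on the certificate.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Subject common name, compared case-insensitively with the DHCP domain.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($nameType, $false)
    $domain = $DhcpDomain.Trim('.')
    # Assumption: a match means the CN equals the domain or ends with ".<domain>".
    $domainOk = ($cn -ieq $domain) -or $cn.ToLower().EndsWith('.' + $domain.ToLower())

    [pscustomobject]@{
        Subject            = $cn
        HasProvisioningOid = $ekuOids -contains $ProvisioningOid
        OtherEkuOids       = @($ekuOids | Where-Object { $_ -ne $ProvisioningOid })
        DomainMatches      = $domainOk
        HasPrivateKey      = $Certificate.HasPrivateKey
        NotExpired         = (Get-Date) -lt $Certificate.NotAfter
    }
}

# Constructed sample: a throwaway self-signed certificate carrying the provisioning OID.
$sample = New-SelfSignedCertificate -Subject 'CN=rcs.corp.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @("2.5.29.37={text}$ProvisioningOid")

Test-AmtProvisioningCert -Certificate $sample -DhcpDomain 'corp.example.test'
Test-AmtProvisioningCert -Certificate $sample -DhcpDomain 'other.example.test'

# Remove the throwaway certificate again.
Remove-Item -Path "Cert:\CurrentUser\My\$($sample.Thumbprint)"
```

To check a real provisioning certificate, export it from the service account's store and pass the loaded `X509Certificate2` object to the function in place of `$sample`.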
idata
Employee

The template doesn't have all the OIDs I mentioned; I had manually added the extensions while testing because the certificates weren't working. In any event, I figured out what the problem was...

SCS 8 needs the provisioning server to be issued a certificate as part of the same template it's working with. This wasn't necessary with 6 or 7. Anyway, the fix in my case was to hit up CertSrv and manually issue a cert to the server (which was installed in the personal store of the service account running the RCS).

0 Kudos