Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2917 Discussions

Failed PKI provisioning

Testing123
Novice
12,037 Views

I have installed PKI cert and have added 3 endpoints, but no computers are provisioned, they're all Pending Activation. It seems the PKI certificate chain completed but authentication is failing.

Can someone assist please?

On the EMA Manageability Server I see below:

Message:Attempting Host Based Admin Setup : ().
Warning:Host Based Admin Setup failed - AUTH_FAILED : 
Warning:Host Based Admin Setup (2nd try) - AUTH_FAILED : (
Message:Getting mesh information (Tenant) : (L
Message:Attempting host based admin provisioning: (L
Message:Starting Mesh Router 56547
Message:Creating DotNetWSManClient object : 
Message:Checking if unprovisioned : (
Message:Current Control mode - Client : (
Attempting host based admin provisioning : (
Message:Starting Mesh Router 56552 -> 069C18BF:16992, SYSTEM
Message:Creating DotNetWSManClient object : (
Message:Checking if unprovisioned : (
Message:Checking if the admin control mode is allowed : (
Message:Current certificate chain status - ChainComplete : (
Message:Pushing activation certificate - ----------: (
Message:Pushing activation certificate - Go Daddy Secure Certificate Authority - G2 : (LC-Message:Pushing activation certificate - Go Daddy Root Certificate Authority - G2 :

Message:Pushing activation certificate - Go Daddy Root Certificate Authority - G2 : (
Message:Pushing activation certificate - The Go Daddy Group, Inc. : (L
Message:Current certificate chain status - ChainComplete : (
Message:ConfigurationServerFQDN not set : 
Message:Attempting Host Based Admin Setup : (
Warning:Host Based Admin Setup failed - AUTH_FAILED : 
Warning:Unable to go to admin mode, rolling back out of client mode :
Message:Connecting to Swarm Server : (
Message:Requesting ME unprovisionning : (
Disconnecting Swarm Server : (
Clearing credentials from ema agent : (
Message:Deactivation completed : (
Warning: Failed Intel AMT SetupAdmin activation : (
Warning:-- Failed PKI provisioning : (

 

On the swam server:

Got 0 provisioning hash from computer: Match found!

Intel AMT OTP confirmed. 

 

It looks like the certificate was installed correctly but PKI is failing. Server guide states "PKI domain suffix not matching the PKI certificate" is the problem but the PKI certificate is: servername.domain

 

Any ideas?

0 Kudos
15 Replies
JoseH_Intel
Moderator
11,974 Views

Hello Testing123,


Thank you for joining the Intel community


Could you please attach the EMA logs located in: 


C:\Program Files (x86)\Intel\Platform

Manager\EMALogs

l EMALog-XXX.txt


We will look forward for this information


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Testing123
Novice
11,969 Views

Thank you Jose,

 

Please find the log files attached.

 

0 Kudos
JoseH_Intel
Moderator
11,956 Views

Hello Testing123,


Thank you very much. Please allow me to analyze these logs with our senior team and I will let you know our findings soon.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
11,924 Views

Hello Testing123,


Could you please share your public key so we can verify the chaining? Please go into EMA settings and download both the root and intermediate (if applicable) and the leaf cert and attach to the ticket. We will check if the leaf OID is chaining to the root SHA2. We don't want or need any private keys.


Additionally, please check in Endpoint Groups configuration to see what type of activation method you are using, Cert (TLS-PKI) or Host Based.


We will look forward for your details


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Testing123
Novice
11,909 Views
0 Kudos
JoseH_Intel
Moderator
11,884 Views

Hello Testing123,


Thank you for the information. We will proceed to analyze it and will let you know our findings soon.


Regards.


Jose A.

Intel Customer Support Technician


0 Kudos
Jonathan8321
Beginner
10,375 Views

Hi Jose,

I'm having the exact same issue here.  Were you ever able to figure out what was causing this?

0 Kudos
Jonathan8321
Beginner
10,303 Views

I was able to get this working finally, so figured I'd post the solution (in my case) for others who may be experiencing the same issue.  As mentioned below by Jose, my DHCP option 15 was not set.  Once I set this to match the suffix of my PKI cert I was able to provision AMT fine

0 Kudos
JoseH_Intel
Moderator
11,812 Views

Hello Testing123,


I just wanted to provide the following update: Our senior team have reviewed the certs and they are not seeing anything obvious. They are pulling in another engineer to get a second look and will get back shortly. We are prioritizing this case and will keep you posted on what we find out.


Regards


Jose A.

Intel Customer Support Technician



JoseH_Intel
Moderator
11,764 Views

Hello Testing123,


We have verified that the cert if fine and there are no issues with it. After further review a likely cause could be that the DHCP option 15 isn't set and the client isn't getting the appropriate DNS suffix (*newplatz.edu).


Could you please verify the DNS suffix on the client by doing an ipconfig /all >Output-0498438.txt and attach to the case.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
11,735 Views

Hello Testing123,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you by a last time on next March 23rd.


Regards


Jose A.

Intel Customer Support Technician




0 Kudos
JoseH_Intel
Moderator
11,687 Views

Hello Testing123,


We will proceed to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
MKJ
Beginner
11,246 Views

Hi,

 

We are also evaluating EMA in a lab setup and have run into the exact same problem. Our setup is as follows:

- Windows Server 2019 Essential (DC + DNS + DHCP + CA)

- Windows Server 2019 Essential (EMA)

- Client laptop with AMT15

- Test domain tp01.local

- Created ROOT CA issued AMT PKI (correct OID is verified)

- Exported EMAAgent files and run -fullinstall on client

- We can then see the client in EMA console as power on and connected (but unprovisioned)

- We then attempt to provision the client and it fails provisioning and we see these 2 msgs in the Failed Intel AMT SetupAdmin activation and Failed PKI provisioning

- On the client we see the Intel ME software repeated switching states from "Configured" to "Unconfigured".

-  The client is connected via WiFi 

- We have manually added the DNS suffix (tp01.local) and SHA256 hash of the ROOT-CA (using USB Provisioning) to the MEBX on the client

 

Attaching some screen shots and logs in case they help. AMT-PKI.zip contains the certs (ROOT-CA and AMT PKI)

Please help!

0 Kudos
MKJ
Beginner
11,241 Views

Here is a new EMA log when trying to provision a 2nd client.

0 Kudos
MarcinW
Beginner
8,319 Views

did you solve the problem?? 

0 Kudos
Reply