- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have installed PKI cert and have added 3 endpoints, but no computers are provisioned, they're all Pending Activation. It seems the PKI certificate chain completed but authentication is failing.
Can someone assist please?
On the EMA Manageability Server I see below:
Message:Attempting Host Based Admin Setup : ().
Warning:Host Based Admin Setup failed - AUTH_FAILED :
Warning:Host Based Admin Setup (2nd try) - AUTH_FAILED : (
Message:Getting mesh information (Tenant) : (L
Message:Attempting host based admin provisioning: (L
Message:Starting Mesh Router 56547
Message:Creating DotNetWSManClient object :
Message:Checking if unprovisioned : (
Message:Current Control mode - Client : (
Attempting host based admin provisioning : (
Message:Starting Mesh Router 56552 -> 069C18BF:16992, SYSTEM
Message:Creating DotNetWSManClient object : (
Message:Checking if unprovisioned : (
Message:Checking if the admin control mode is allowed : (
Message:Current certificate chain status - ChainComplete : (
Message:Pushing activation certificate - ----------: (
Message:Pushing activation certificate - Go Daddy Secure Certificate Authority - G2 : (LC-Message:Pushing activation certificate - Go Daddy Root Certificate Authority - G2 :
Message:Pushing activation certificate - Go Daddy Root Certificate Authority - G2 : (
Message:Pushing activation certificate - The Go Daddy Group, Inc. : (L
Message:Current certificate chain status - ChainComplete : (
Message:ConfigurationServerFQDN not set :
Message:Attempting Host Based Admin Setup : (
Warning:Host Based Admin Setup failed - AUTH_FAILED :
Warning:Unable to go to admin mode, rolling back out of client mode :
Message:Connecting to Swarm Server : (
Message:Requesting ME unprovisionning : (
Disconnecting Swarm Server : (
Clearing credentials from ema agent : (
Message:Deactivation completed : (
Warning: Failed Intel AMT SetupAdmin activation : (
Warning:-- Failed PKI provisioning : (
On the swam server:
Got 0 provisioning hash from computer: Match found!
Intel AMT OTP confirmed.
It looks like the certificate was installed correctly but PKI is failing. Server guide states "PKI domain suffix not matching the PKI certificate" is the problem but the PKI certificate is: servername.domain
Any ideas?
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
Thank you for joining the Intel community
Could you please attach the EMA logs located in:
C:\Program Files (x86)\Intel\Platform
Manager\EMALogs
l EMALog-XXX.txt
We will look forward for this information
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Jose,
Please find the log files attached.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
Thank you very much. Please allow me to analyze these logs with our senior team and I will let you know our findings soon.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
Could you please share your public key so we can verify the chaining? Please go into EMA settings and download both the root and intermediate (if applicable) and the leaf cert and attach to the ticket. We will check if the leaf OID is chaining to the root SHA2. We don't want or need any private keys.
Additionally, please check in Endpoint Groups configuration to see what type of activation method you are using, Cert (TLS-PKI) or Host Based.
We will look forward for your details
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
Thank you for the information. We will proceed to analyze it and will let you know our findings soon.
Regards.
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jose,
I'm having the exact same issue here. Were you ever able to figure out what was causing this?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get this working finally, so figured I'd post the solution (in my case) for others who may be experiencing the same issue. As mentioned below by Jose, my DHCP option 15 was not set. Once I set this to match the suffix of my PKI cert I was able to provision AMT fine
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
I just wanted to provide the following update: Our senior team have reviewed the certs and they are not seeing anything obvious. They are pulling in another engineer to get a second look and will get back shortly. We are prioritizing this case and will keep you posted on what we find out.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
We have verified that the cert if fine and there are no issues with it. After further review a likely cause could be that the DHCP option 15 isn't set and the client isn't getting the appropriate DNS suffix (*newplatz.edu).
Could you please verify the DNS suffix on the client by doing an ipconfig /all >Output-0498438.txt and attach to the case.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you by a last time on next March 23rd.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Testing123,
We will proceed to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.
Regards
Jose A.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We are also evaluating EMA in a lab setup and have run into the exact same problem. Our setup is as follows:
- Windows Server 2019 Essential (DC + DNS + DHCP + CA)
- Windows Server 2019 Essential (EMA)
- Client laptop with AMT15
- Test domain tp01.local
- Created ROOT CA issued AMT PKI (correct OID is verified)
- Exported EMAAgent files and run -fullinstall on client
- We can then see the client in EMA console as power on and connected (but unprovisioned)
- We then attempt to provision the client and it fails provisioning and we see these 2 msgs in the Failed Intel AMT SetupAdmin activation and Failed PKI provisioning
- On the client we see the Intel ME software repeated switching states from "Configured" to "Unconfigured".
- The client is connected via WiFi
- We have manually added the DNS suffix (tp01.local) and SHA256 hash of the ROOT-CA (using USB Provisioning) to the MEBX on the client
Attaching some screen shots and logs in case they help. AMT-PKI.zip contains the certs (ROOT-CA and AMT PKI)
Please help!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you solve the problem??
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page