Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Get "PKI configuration failed" error when provisioning vPro device

idata
Employee
3,088 Views

Hi,

We have built a testing environment to set up vPro using PKI mode. However, the vPro client is not provisioning properly, with the following error messages in the SCS console event log:

1214,ERROR!,Error Configuring Intel AMT device: Failed to connect to un-configured Intel AMT device at IP 16.178.122.130: Proper certificate that matches the pre loaded certificate was not found in the user certificate store. PKI configuration failed.,4/22/2011 5:27:07 PM,17410FFB-A956-11DC-BBDA-FE9DD0E9000F,2202,DEVHPCAE\Administrator,WPS2008,

 

1214,ERROR!,Proper certificate that matches the pre loaded certificate was not found in the user certificate store. PKI configuration failed.,4/22/2011 5:27:07 PM,17410FFB-A956-11DC-BBDA-FE9DD0E9000F,1205,,WPS2008,

  • Our testing environment:

  1. Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated
  2. Client A: Windows 2003 + vPro 3.2.2 AMT version

  • The procedure to install and configure the vPro testing environment is described below:

  1. We are using PKI mode so we install a Certificate Authority on Server A.
  2. Create a certificate template and issue the client certificate template on Server A.
  3. On Server A, request a certificate. In the "Identifying Information For Offline Template, the Name:" field specify the fully qualified name of the Provisioning Server (Server A).
  4. Install the client certificate on Server A. Export the client certificate.
  5. Open the root certificate. On the Details tab, note down the certificate hash value in the Thumbprint field. Export the root certificate.
  6. On Server A, create a new Profile in the SCS Console. Enable TLS. Create a digest user and give it PT administration right.
  7. Start Client A, then press Ctrl+P during startup to enter the Intel MEBX. Manually enter the matching certificate hash value which is obtained from step 5. Input other necessary fields in MEBX.
  8. vPro Client A is provisioning automatically. The target vPro device appears in the SCS console but with its provisioning status "Not Configured".
  9. We are starting to get the above "PKI configuration failed" errors now.

Please help to check if I am doing anything wrong. Attached the event log file. Thanks!

0 Kudos
4 Replies
idata
Employee
988 Views

I don't have an Intel SCS 5.3 user guide, but the 5.2 version did not have a good description of how to add your own PKI certificate. The Intel SCS 6.0 user guide does seem to provide detailed steps. Take a look at the steps in the attached doc. I'll check with the experts here to see if the Intel SCS 6.0 process is the same for Intel SCS 5.3.

0 Kudos
idata
Employee
988 Views

Hi Steve,

I enabled DHCP on Server A. On the client computer, I set it to get an IP address automatically from the DHCP server. After that, the client computer is provisioning correctly without any problems. Thanks!

Bruno_Domignues
Employee
988 Views

Peng,

I have a few comments and clues about why you are failing to provision your vPro machine (comments inline):

  • Our testing environment:

  1. Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated

>> Where is your DHCP? For PKI, DHCP with options 15 and 81 is a requirement.

  2. Client A: Windows 2003 + vPro 3.2.2 AMT version

>> Why are you using a server OS instead of a client OS (e.g. Win XP, Vista, 7)? Do you have the HECI/LMS driver installed?

  • The procedure to install and configure the vPro testing environment is described below:

  1. We are using PKI mode so we install a Certificate Authority on Server A.
  2. Create a certificate template and issue the client certificate template on Server A.

>> Did you follow this procedure (http://technet.microsoft.com/en-us/library/dd252737.aspx#BKMK_AMTprovisioning22008) to create the template?

  3. On Server A, request a certificate. In the "Identifying Information For Offline Template, the Name:" field specify the fully qualified name of the Provisioning Server (Server A).
  4. Install the client certificate on Server A. Export the client certificate.
  5. Open the root certificate. On the Details tab, note down the certificate hash value in the Thumbprint field. Export the root certificate.
  6. On Server A, create a new Profile in the SCS Console. Enable TLS.

>> If you would like to use TLS, you must also create a web client template (http://technet.microsoft.com/en-us/library/dd252737.aspx#BKMK_AMTwebserver2008).

You must be aware that provisioning using PKI means that one certificate for provisioning must be issued, but you don't need to issue client certificates to establish a TLS connection.

Create a digest user and give it PT administration right.

  7. Start Client A, then press Ctrl+P during startup to enter the Intel MEBX. Manually enter the matching certificate hash value which is obtained from step 5. Input other necessary fields in MEBX.
  8. vPro Client A is provisioning automatically. The target vPro device appears in the SCS console but with its provisioning status "Not Configured".
  9. We are starting to get the above "PKI configuration failed" errors now.

>> DHCP is an important piece here; your client uses the DNS suffix presented by DHCP to validate the certificate.

Best Regards!

-- Bruno Domingues 

0 Kudos
idata
Employee
988 Views

Hi Bruno,

Sorry for the delay. We have been very busy these days dealing with the issues. Regarding your comments, please see my answers in RED:

  • Our testing environment:

  1. Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated

>> Where is your DHCP? For PKI, DHCP with options 15 and 81 is a requirement.

--We didn't enable DHCP before. Once it is enabled, everything is OK.

  2. Client A: Windows 2003 + vPro 3.2.2 AMT version

>> Why are you using a server OS instead of a client OS (e.g. Win XP, Vista, 7)? Do you have the HECI/LMS driver installed?

--We built another environment with a Windows 7 client. Both Windows 7 and Windows 2003 are provisioned OK. The HECI/LMS driver is installed on both client devices.

  • The procedure to install and configure the vPro testing environment is described below:

  1. We are using PKI mode so we install a Certificate Authority on Server A.
  2. Create a certificate template and issue the client certificate template on Server A.

>> Did you follow this procedure to create the template?

--I created a client authentication template with "Client Authentication" policy and another policy with Oid 2.16.840.1.113741.1.2.1

  3. On Server A, request a certificate. In the "Identifying Information For Offline Template, the Name:" field specify the fully qualified name of the Provisioning Server (Server A).
  4. Install the client certificate on Server A. Export the client certificate.
  5. Open the root certificate. On the Details tab, note down the certificate hash value in the Thumbprint field. Export the root certificate.
  6. On Server A, create a new Profile in the SCS Console. Enable TLS.

>> If you would like to use TLS, you must also create a web client template.

You must be aware that provisioning using PKI means that one certificate for provisioning must be issued, but you don't need to issue client certificates to establish a TLS connection.

--I didn't find any reference about the "web client template". I just created another template with "Server Authentication" policy and another policy with Oid 2.16.840.1.113741.1.2.3

--Now we use TLS mutual authentication

Create a digest user and give it PT administration right.

  7. Start Client A, then press Ctrl+P during startup to enter the Intel MEBX. Manually enter the matching certificate hash value which is obtained from step 5. Input other necessary fields in MEBX.
  8. vPro Client A is provisioning automatically. The target vPro device appears in the SCS console but with its provisioning status "Not Configured".
  9. We are starting to get the above "PKI configuration failed" errors now.

>> DHCP is an important piece here; your client uses the DNS suffix presented by DHCP to validate the certificate.

--After DHCP is enabled, everything is fine.

Best Regards!

-- Bruno Domingues
0 Kudos
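A pre-flight check for the three points this thread converges on (the root hash typed into MEBX, the "Server Authentication" plus 2.16.840.1.113741.1.2.3 policies on the certificate, and the DNS suffix the client receives through DHCP option 15), added here as an example and not code from Intel SCS or from any poster. The certificate fields are typed in by hand from the certificate's Details tab, all sample values are constructed, and comparing names on label boundaries is an assumption about how the firmware matches the suffix.

```python
import re

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"        # standard "Server Authentication" EKU
AMT_SETUP_OID = "2.16.840.1.113741.1.2.3"    # OID quoted in the thread


def normalize_thumbprint(text):
    """Keep hex digits only: drops spaces, colons and the invisible
    characters that can come along when copying from a certificate dialog."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def suffix_matches(fqdn, dhcp_domain):
    """True when fqdn is a host inside dhcp_domain, compared label by label
    (assumed rule; a plain endswith() would accept look-alike domains)."""
    host = fqdn.lower().rstrip(".").split(".")
    domain = dhcp_domain.lower().strip(".").split(".")
    return len(host) > len(domain) and host[-len(domain):] == domain


def preflight(cert, dhcp_domain, mebx_hash):
    """Return a list of problems; an empty list means all checks pass."""
    problems = []
    for oid, label in ((SERVER_AUTH_OID, "Server Authentication"),
                       (AMT_SETUP_OID, "AMT provisioning OID")):
        if oid not in cert["eku_oids"]:
            problems.append("EKU missing: " + label)
    if not dhcp_domain:
        problems.append("no DHCP option 15 domain handed to the client")
    elif not suffix_matches(cert["subject_cn"], dhcp_domain):
        problems.append("subject CN is not inside the DHCP domain")
    if normalize_thumbprint(cert["root_thumbprint"]) != normalize_thumbprint(mebx_hash):
        problems.append("root thumbprint differs from the hash entered in MEBX")
    return problems


# Constructed sample values, not taken from the thread.
SAMPLE_CERT = {
    "subject_cn": "scs.lab.example.com",
    "eku_oids": [SERVER_AUTH_OID, AMT_SETUP_OID],
    "root_thumbprint": "\u200e3f 9a 0c 51 7b e2 44 d8 91 6a 0f b3 c7 25 ee 10 8d 4b a6 72",
}
MEBX_HASH = "3F9A0C517BE244D8916A0FB3C725EE108D4BA672"

if __name__ == "__main__":
    for domain in ("lab.example.com", "", "ab.example.com"):
        print(repr(domain), preflight(SAMPLE_CERT, domain, MEBX_HASH) or "OK")
```

The empty-domain case corresponds to the original setup in this thread, where no DHCP server was handing out a domain suffix.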