Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
Announcements
FPGA community forums and blogs have moved to the Altera Community. Existing Intel Community members can sign in with their current credentials.
3051 Discussions

Intel AMT autosetup does not complete with “pending activation” status

naohiro
Novice
18,415 Views

Hi, I am trying to set up vPro client with ACM mode using Intel EMA. I have set up EMA server and uploaded GoDaddy issued certificate. Now I can select “Certificate Provisioning (TLS-PKI)” as activation method in the Intel AMT autosetup menu under Endpoint group menu. I have executed client agent files and the client is recognized in EMA server, but its AMT setup status keeps showing “pending action” and never changes. The MagagebilityServer log is showing that EMA first try to setup with ACM mode then with CCM mode. Does anyone have solution to this situation? The log file follows.

 

2023-03-17 18:10:46.5314|INFO||5868|111|PerformAction - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:-- Attempting phase 1 PKI provisioning : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:46.5314|INFO||5868|111|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Get Mesh information (Tenant) : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:46.5314|INFO||5868|111|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Starting PKI Setup process for endpoint: (DESKTOP-9PVMM02,C7EB4A4F) ComputerName: DESKTOP-9PVMM02.testxxxxxxx.com
2023-03-17 18:10:46.6094|INFO||5868|111|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Setup computer name DESKTOP-9PVMM02.testxxxxxxx.com : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:46.6094|INFO||5868|111|RequestHostBasedProvisioningEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Sending Agent Stop Remote Configuration Message : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:46.6094|INFO||5868|111|RequestHostBasedProvisioningEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Connecting to Swarm Server : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:46.6407|WARN||5868|71|MessageManager_ReceivedMessageEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [0] - Warning:Received stop remote configuration status from: C7EB4A4F, status: INVALID_PT_MODE (3)
2023-03-17 18:10:46.7252|INFO||5868|111|RequestHostBasedProvisioningEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Requesting ME administrator account : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.2343|INFO||5868|111|RequestHostBasedProvisioningEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Disconnecting Swarm Server : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.2343|INFO||5868|111|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Attempting host based provisioning : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.2343|INFO||5868|111|StartRouter - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Starting Mesh Router 50339 -> C7EB4A4F:16992, SYSTEM
2023-03-17 18:10:47.4531|INFO||5868|111|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Creating DotNetWSManClient object : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.7343|INFO||5868|111|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Checking if unprovisioned : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.7343|INFO||5868|111|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Checking if the client control mode is enabled : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.7343|INFO||5868|111|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Fetching the digest realms : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.8124|INFO||5868|111|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Check digest realm : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.8124|INFO||5868|111|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Attempting Host Based Admin Setup (EHBP) : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - System.NullReferenceException: オブジェクト参照がオブジェクト インスタンスに設定されていません。
場所 MeshManageabilityServer.CentralManageabilityServer.HostBasedSetup(Int32 slot, String adminuser, String adminpass, X509Certificate2 rootCertificate, String strEndpointString, AmtSetupRecord amtSetupRecord)
場所 MeshManageabilityServer.CentralManageabilityServer.RequestHostBasedProvisioningEx(Int32 slot, AmtSetupRecord key, Boolean AutoDoPhase2, X509Certificate2 rootCert, String strEndpointString)
場所 MeshManageabilityServer.CentralManageabilityServer.PerformPkiSetup(Int32 slot, AmtSetupRecord key, IPEndPoint helloaddr)
場所 MeshManageabilityServer.CentralManageabilityServer.PerformAction()
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: PID = PKIX-XXXX
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: PPS = 0000-0000-0000-0000-0000-0000-0000-0000
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: State = PendingPhase1
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: GenTime = 03/17/2023 08:46:36
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: ChangeTime = 03/17/2023 08:46:36
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: HelloRequests = 0
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: CompletedRequests = 0
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: ConfigurationProfile =
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: NodeId = Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: UserId = 00000000-0000-0000-0000-000000000000
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: Username = SYSTEM
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupTLS = TlsNoAuth
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupMesh = True
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupCira = False
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupKVM = False
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: DNSSuffix = ysssvema1.testxxxxxxx.com
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: ActivationCertThumbprint = 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: CreationNodeSerial = 4294967295
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: AdminModeRequired = False
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: IsAdminPasswordRandom = True
2023-03-17 18:10:47.9129|ERROR||5868|111|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error:

0 Kudos
1 Solution
naohiro
Novice
18,002 Views

Hello Jose

 

Thank you for your suggestion. I could not delete the GoDaddy cert with SHA1 (It appears automatically when I install my personal cert) last time, so I disabled the one. The cert chain has shrined from 4 to 3 like I posted a screenshot. But it still did not work. Then I set MEBx PKI DNS Suffix then it worked.

 

I reconfigured another environment with not deleting nor disabling GoDaddy cert with SHA1. On client side MEBx PKI DNS Suffix set. Then it worked. So, AMT auto deploy succeeds with both SHA1 on top of the (4 step) chain and with SHA256 on top of the (3 step) chain.

 

As for CIRA I was using DNS server running on EMA server. The clients OS was pointing this DNS manually, but AMT(MEBx) was not. I have added the new zone to another DNS which DHCP server is pointing to. Then it worked. Now CIRA is connected, and I have access to client’s BIOS screen remotely.

 

Intel® EMA Agent: Win64-Service v1.9.0

Intel® ME: v16.1.25.1932  Admin Control Mode 

 

Thank you for your help.

View solution in original post

0 Kudos
19 Replies
JoseH_Intel
Moderator
18,384 Views

Hello naohiro,

 

Thank you for joining the community

 

Please try to check and follow the following article that describes initial connectivity issues:

 

https://www.intel.com/content/www/us/en/support/articles/000092506/software/manageability-products.html

 

Regards

 

Jose A.

Intel Customer Support Technician

 

0 Kudos
naohiro
Novice
18,364 Views

Hi, Jose.

I have checked the list you provided and found there must be DNS issue because I am using hosts files to resolve FQDN of EMA server. While I try to setup a new DNS server, I just want to confirm that does this AMT autosetup issue has something to do with CIRA config? In other words, is CIRA mandatory for AMT autosetup? On which log file can I confirm that there is name resolution problem on vPro clients?

Thanks again for your help.

0 Kudos
JoseH_Intel
Moderator
18,333 Views

Hello naohiro,

 

CIRA is not mandatory for the autosetup feature. There are 2 connection security methods, TLS and CIRA. You can read more under section 1.2.6 of the Intel EMA User guide https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=11


Most of the time these connection issues are related to the DNS suffix. That's a good point to start


Regards

 

Jose A.

Intel Customer Support Technician


0 Kudos
Jimmy_Wai_Intel
Employee
18,321 Views

Hi Naohiro-san,

 

From the log file, it seems you are using Japanese OS. Would you mind sending an email to me at 'jimmy dot wai at intel dot com'? I'll connect you with my colleague in Japan so he may help you with your Japanese setup.

 

Regards,

Jimmy Wai

Technical Sales Specialist, Commercial Client, Intel

0 Kudos
JoseH_Intel
Moderator
18,307 Views

Hello naohiro,


Keep in mind that currently, Intel EMA does not provide internationalization support. The operating system needs to have English-US Windows display language, English-US system locale, and English-US format (match Windows display language).


This might be the root cause of your "pending activation" error


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
naohiro
Novice
18,297 Views

Hi, Jose

Thank you for your support. While waiting for your collage to contact me, I have tried the following.

#1: I have setup a new DNS server on EMA server. The “nslookup” command from vPro clients returns correct EMA server’s FQDN and IP address.

#2: As for EMA server’s language settings, it all changed to English as I attached the screenshot.

 

The vPro clients is still showing “Pending Action” on Intel AMT setup status. The Intel ME is showing “Not Provisioned” status. Under this status I can connect to vPro client’s desktop without user consent only when the vPro client’s OS is booted. When the vPro client is on BIOS menu and no OS is booted, EMA lost connection to vPro client. The CIRA have not connected yet.

0 Kudos
JoseH_Intel
Moderator
18,289 Views

Hello naohiro,


Let me double-check further on this. Will get back to you soon


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
naohiro
Novice
18,271 Views

Hi, Jose

Thank you for your support.

 

Now I understand that CIRA is not mandatory for Intel AMT autosetup, I think I should focus on autosetup first then CIRA. What kind of log file should I check to troubleshoot autosetup issue? The EMALog-ManageabilityServer.txt is showing “Warning:Received stop remote configuration status from: C7EB4A4F, status: INVALID_PT_MODE (3)”, “System.NullReferenceException: オブジェクト参照がオブジェクト インスタンスに設定されていません。 Is there any suggestion from this? Or should I check any other logs?

 

I have changed EMA server language setting and got the following log instead of error message in Japanese.

 

2023-03-22 14:50:40.7389|INFO||6588|53|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Message:Attempting Host Based Admin Setup (EHBP) : (DESKTOP-9PVMM02,C7EB4A4F).
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - System.NullReferenceException: ??????????????? ?????????????????
?? MeshManageabilityServer.CentralManageabilityServer.HostBasedSetup(Int32 slot, String adminuser, String adminpass, X509Certificate2 rootCertificate, String strEndpointString, AmtSetupRecord amtSetupRecord)
?? MeshManageabilityServer.CentralManageabilityServer.RequestHostBasedProvisioningEx(Int32 slot, AmtSetupRecord key, Boolean AutoDoPhase2, X509Certificate2 rootCert, String strEndpointString)
?? MeshManageabilityServer.CentralManageabilityServer.PerformPkiSetup(Int32 slot, AmtSetupRecord key, IPEndPoint helloaddr)
?? MeshManageabilityServer.CentralManageabilityServer.PerformAction()
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: PID = PKIX-XXXX
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: PPS = 0000-0000-0000-0000-0000-0000-0000-0000
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: State = PendingPhase1
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: GenTime = 03/22/2023 04:21:40
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: ChangeTime = 03/22/2023 05:50:29
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: HelloRequests = 0
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: CompletedRequests = 0
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: ConfigurationProfile =
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: NodeId = testxxxxxxx
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: UserId = 00000000-0000-0000-0000-000000000000
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: Username = SYSTEM
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupTLS = TlsNoAuth
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupMesh = True
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupCira = False
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: SetupKVM = False
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: DNSSuffix = xxxxxx1.testxxxxxxx.com
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: ActivationCertThumbprint = testxxxxxxx
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: CreationNodeSerial = 1234567890
2023-03-22 14:50:40.8639|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: AdminModeRequired = False
2023-03-22 14:50:40.8795|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error: IsAdminPasswordRandom = True
2023-03-22 14:50:40.8795|ERROR||6588|53|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.9.1.0, Culture=neutral, PublicKeyToken=0123456789ABCDEF - [1] - Error:

0 Kudos
JoseH_Intel
Moderator
18,241 Views

Hello naohiro,


Can you tell the current environment size? How many systems are you planning to get into your environment?


Please provide the details of the certificate (the SHA level of all the certificates in the certification path provided for GoDaddy, the enhanced key usage in the provision cert). You can share an image of the certificate root from Windows.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
naohiro
Novice
18,234 Views

Hello, Jose-san

Thank you for your reply.

 

This is a PoC environment. I am deploying only one DELL OptiPlex 7000 with vPro Enterprise.

 

Let me attach the screen shot of certificates. If I am missing something, please let me know.

cer5.png

cer4.png

cer3.png

cer2.png

cer1.png

cer6.png

      

0 Kudos
Victor_G_Intel
Employee
18,211 Views

Hello naohiro,


Thank you for your response.


According to the images that you sent the GoDaddy Class 2 Certification Authority certificate is not SHA256; therefore, you will need to contact GoDaddy’s support directly and ask them to help you by providing a SHA256 version of it, once you have it you will need to completely remove the SHA1 version of that certificate from the system and then import the new version making sure that it is imported correctly.


Regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
naohiro
Novice
18,196 Views

Hello Victor

 

Thank you for your support. I am referencing the following documents issued by Intel. https://www.intel.com/content/dam/support/us/en/documents/software/software-applications/how_to_purchase_and_install_godaddy_certificates_for_setup_and_configuration.pdf Do you mean there is a problem on “5.1 Install the Intermediate Certificate” “4. Download the GoDaddy Class 2 Certificate Authority Root Certificate from https://certs.godaddy.com/repository” step? Does the GoDaddy Class2 Certification Authority Root Certificate (gd-class2-root.cer (DER)) on GoDaddy website have issue?

Thank you again for your help.

0 Kudos
naohiro
Novice
18,182 Views

Hello

I have confirmed that when I install my personal certificate or intermediate certificate issued by GoDaddy, the root certificate with SHA1 is installed automatically. I do not have to get the root certificate from https://certs.godaddy.com/repository as described in the manual “How to Purchase and Install GoDaddy Certificates for Intel AMT Remote Setup and Configuration”. It happens automatically.

As for SHA1 issue, the GoDaddy support asks me to install “GoDaddy Certificate Chain – G2 > GoDaddy Class 2 Certification Authority Root Certificate – G2” (SHA256) instead of GoDaddy Certificate Chain > GoDaddy Class 2 Certification Authority Root Certificate” (SHA1). But SHA1 version of root certificate is installed automatically as I mentioned above, so I cannot delete the SHA1 version.

Can anyone tell the document “https://www.intel.com/content/dam/support/us/en/documents/software/software-applications/how_to_purchase_and_install_godaddy_certificates_for_setup_and_configuration.pdf” I am referring is up to date and all correct?

0 Kudos
naohiro
Novice
18,169 Views

Because I could not delete the “Go Daddy Class 2 Certification Authority (SHA1)”, I have disabled the one (screen shot is available). Now I am receiving the different log output. Disabling the certificate is not mentioned in the manual. Is this the necessary procedure?

0 Kudos
JoseH_Intel
Moderator
18,084 Views

Hello naohiro-san,


Thank you for the update. Let me check on this.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
naohiro
Novice
18,053 Views

Hello, Jose-san

I have done several things, now AMT has been provisioned with ACM. The CIRA have not been connected yet. Is that the reason I still cannot connect to vPro client’s BIOS screen via EMA? I believe the last step was needed to provision AMT but it takes time to verify.
#CMOS is cleared with coin battery removable, and initial password is set again for MEBx.
#The client host OS’s IP address is set to DHCP. (Previously static)
#On MEBx “Remote Setup and Configuration > TLS PKI > PKI DNS Suffix” is set. (Previously unset)

If you have any advice for disabling GoDaddy root certificate I mentioned previously, MEBx PKI DNS Suffix setting etc. that would be great.

Thank you for your support.

0 Kudos
JoseH_Intel
Moderator
18,026 Views

Hello Naohiro-san,


Glad to hear that you are getting some progress.

You can try the following:

Make sure you do not have any old GoDaddy provision cert in your local store that is SHA1, in case you do export it and save it, then delete it from the cert management (local machine) then you should install the new cert to make sure that all the certs within the certification path are SHA256, if a SHA1 cert is still coming up this should be evaluated with the vendor


If possible please share AMT version of your target machine


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
naohiro
Novice
18,003 Views

Hello Jose

 

Thank you for your suggestion. I could not delete the GoDaddy cert with SHA1 (It appears automatically when I install my personal cert) last time, so I disabled the one. The cert chain has shrined from 4 to 3 like I posted a screenshot. But it still did not work. Then I set MEBx PKI DNS Suffix then it worked.

 

I reconfigured another environment with not deleting nor disabling GoDaddy cert with SHA1. On client side MEBx PKI DNS Suffix set. Then it worked. So, AMT auto deploy succeeds with both SHA1 on top of the (4 step) chain and with SHA256 on top of the (3 step) chain.

 

As for CIRA I was using DNS server running on EMA server. The clients OS was pointing this DNS manually, but AMT(MEBx) was not. I have added the new zone to another DNS which DHCP server is pointing to. Then it worked. Now CIRA is connected, and I have access to client’s BIOS screen remotely.

 

Intel® EMA Agent: Win64-Service v1.9.0

Intel® ME: v16.1.25.1932  Admin Control Mode 

 

Thank you for your help.

0 Kudos
TomW
Novice
15,279 Views

Just to help anybody else, I had the same issue during provisioning with the Manageability Server log spitting out the error "System.NullReferenceException: Object reference not set to an instance of an object"... which was not very helpful. Thanks to this thread I started to look at the certificate chain and found the root certificate, Comodo's/Sectigo's "AAA Certificate Services" was sha1; all the intermediates with sha256 or sha384. Although this is still in the list of trusted certificates for Intel AMT v16, and listed as sha256 in the Intel AMT bios, it doen't work, which isn't a surprise as Intel AMT v16 doesn't work with sha1 anymore, even pre-loaded sha1 certificates. Unless there's a sha256 version of this CA getting around that has the same fingerprint, but I couldn't find any suggestion that such a certificate existed. 

What I did notice though is as of v15, according to the list of trusted certs in Intel's documentation here, 'USERTrust RSA Certification Authority' (or 'USERTrust RSA CA') was added; link to the cert is that documentation. I recognised this certificate as a subordinate of 'AAA Certificate Services' CA, so I verified that this chained with my Sectigo certificate, which it did, and used that instead which resolved the problem.

Note, even though I was provided a  'USERTrust RSA Certification Authority' intermediate certificate from my certificate supplier, and even though it was sha384, it was different (older) to the  'USERTrust RSA Certification Authority' trusted by Intel AMT. Thankfully they were interchangable.

Here's what my Manageability Server log looked like:

 

2023-08-22 11:14:10.5720|INFO||4040|35|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Attempting host based provisioning : (MSC-iZjrurTekCj,C35D10AF). 
2023-08-22 11:14:10.5720|INFO||4040|35|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Creating DotNetWSManClient object : (MSC-iZjrurTekCj,C35D10AF).
2023-08-22 11:14:11.7439|INFO||4040|35|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (MSC-iZjrurTekCj,C35D10AF).
2023-08-22 11:14:11.7439|INFO||4040|35|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the client control mode is enabled : (MSC-iZjrurTekCj,C35D10AF).
2023-08-22 11:14:11.7439|INFO||4040|35|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Fetching the digest realms : (MSC-iZjrurTekCj,C35D10AF).
2023-08-22 11:14:12.0095|INFO||4040|35|HostBasedSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Check digest realm : (MSC-iZjrurTekCj,C35D10AF).
2023-08-22 11:14:12.0252|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - System.NullReferenceException: Object reference not set to an instance of an object.
at MeshManageabilityServer.CentralManageabilityServer.HostBasedSetup(Int32 slot, String adminuser, String adminpass, X509Certificate2 rootCertificate, String strEndpointString, AmtSetupRecord amtSetupRecord, MiniMeshRouter miniMeshRouter)
at MeshManageabilityServer.CentralManageabilityServer.RequestHostBasedProvisioningEx(Int32 slot, AmtSetupRecord key, X509Certificate2 rootCert, String strEndpointString)
at MeshManageabilityServer.CentralManageabilityServer.PerformPkiSetup(Int32 slot, AmtSetupRecord key, IPEndPoint helloaddr)
at MeshManageabilityServer.CentralManageabilityServer.AttemptPhase1_Pki(AmtSetupRecord key, Int32 slot, IPEndPoint helloAddress, String strEndpointString)
at MeshManageabilityServer.CentralManageabilityServer.AttemptPhase1(AmtSetupRecord key, Int32 slot, IPEndPoint helloAddress, String strEndpointString)
at MeshManageabilityServer.CentralManageabilityServer.PerformAction()
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: PID = PKIX-XXXX
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: PPS = 0000-0000-0000-0000-0000-0000-0000-0000
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: State = PendingPhase1
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: GenTime = 08/22/2023 01:14:04
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: ChangeTime = 08/22/2023 01:14:04
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: HelloRequests = 0
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: CompletedRequests = 0
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: ConfigurationProfile =
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: NodeId = C35D10AFFA0A8D139DC1F717B48AEC9C0861BCA7B69241B93AAEDD9E94959B49
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: UserId = 00000000-0000-0000-0000-000000000000
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: Username = SYSTEM
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: SetupMesh = True
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: SetupCira = False
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: SetupKVM = False
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: DNSSuffix = intelema.xxxxx.xxx
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: ActivationCertThumbprint = 6E8945709226283B24DCD4BC7611FD3D3E717B31
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: CreationNodeSerial = 4294967295
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: AdminModeRequired = False
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error: IsAdminPasswordRandom = False
2023-08-22 11:14:12.0408|ERROR||4040|35|DebugExceptionWithKey - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.11.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error:

 

And here's how my 'Certificate' page in Intel EMA now looks:

TomW_0-1692745217673.png

 

I really wish more helpful logging and error messages were added to Intel EMA. It's really lacking that extra polish and feels very barebones.

0 Kudos
Reply