idata
Community Manager
1,322 Views

Issue with AMT provisioning with internal (subordinate) ca


idata
Community Manager
47 Views

Here is the amtopmgr.log file:

Incoming Connection from 10.0.0.11:49212. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
Incoming data is - Configuration version: PKI Configuration. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
Count : 1 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
UUID : D0859608-B772-DD11-A847-0019992FC5E5 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
Found matched hash from hello message with current provision certificate. (Hash: C4A82DCC1EAC529E254ADEEA4650238E733FBCF5) SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
** Requesting AMT Discovery - Source,Custom,IPV4Address,10.0.0.11,NetBios,vprocl11, ** SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
Successfully created instruction file for AMT Discovery. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
Warning: AMT device D0859608-B772-DD11-A847-0019992FC5E5 has not been discoveried by SMS or previously detected with NOT AMT capable machine. Send discovery instruction file. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
Waiting for incoming hello message from AMT devices... SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Reading Discovery Instruction E:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{1DF73945-7ACA-49C8-B53A-404D79B7F99E}.DSC... SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Execute query exec AMT_GetProvAccounts SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Finish reading discovery instruction E:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{1DF73945-7ACA-49C8-B53A-404D79B7F99E}.DSC SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Parsed 1 instruction files SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Send task to completion port SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
Auto-worker Thread Pool: Current size of the thread pool is 1 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: 1 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SRV01 SITE=V01 PID=3068 TID=2116 GMTDATE=mar nov 03 11:36:04.989 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 2116 (0x0844)
Auto-worker Thread Pool: Work thread 2856 started SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.05 2856 (0x0B28)
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.0.0.11:16992. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.06 2856 (0x0B28)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
**** Error 0x308b280 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
**** Error 0x308b280 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
**** Error 0x308b280 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
session params : https://vprocl11:16993 , 11001 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Description: A certificate is required to complete client authentication SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
session params : https://vprocl11:16993 , 11001 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Description: A certificate is required to complete client authentication SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
session params : https://vprocl11:16993 , 11001 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Description: A certificate is required to complete client authentication SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
CSMSAMTDiscoveryTask::Execute - DDR written to E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Auto-worker Thread Pool: Succeed to run the task . Remove it from task list. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.24 2116 (0x0844)
AMT Discovery Worker: Wait 3600 seconds... SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.24 2116 (0x0844)
Auto-worker Thread Pool: Work thread 2856 has been requested to shut down. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.51 2856 (0x0B28)
Auto-worker Thread Pool: Work thread 2856 exiting. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.51 2856 (0x0B28)
Auto-worker Thread Pool: Current size of the thread pool is 0 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.51 3232 (0x0CA0)
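A triage script for the log above, added as an example here and not part of the original thread. It walks the amtopmgr.log lines of one discovery attempt, pulls out the stage markers the log contains (PKI mode, device UUID, the hello-message hash that SCCM matched against its provisioning certificate, the TCP/TLS/WS-Man failures) and names the two Windows error codes that appear (0x80090304 is SEC_E_INTERNAL_ERROR from Schannel, 0x80020009 is DISP_E_EXCEPTION). The $sample lines are copied from the log posted above; the function name and the stage labels are my own.

```powershell
# Added example, not part of the original thread: triage one AMT discovery
# attempt from amtopmgr.log and report at which stage it stopped.
function Get-AmtDiscoverySummary {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # Windows SDK names for the two codes that appear in the log
    $codeNames = @{ '0x80090304' = 'SEC_E_INTERNAL_ERROR'; '0x80020009' = 'DISP_E_EXCEPTION' }

    $s = [ordered]@{
        ConfigVersion    = $null
        Uuid             = $null
        HelloHashMatched = $null   # SHA-1 root hash the device sent and SCCM matched
        TcpFailures      = @()
        TlsErrors        = @()
        WsManEndpoint    = $null
        WsManErrors      = @()
    }

    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^Incoming data is - Configuration version: (?<v>[^.]+)\.' { $s.ConfigVersion = $Matches.v }
            '^UUID : (?<u>[0-9A-Fa-f-]{36})'                           { $s.Uuid = $Matches.u }
            '\(Hash: (?<h>[0-9A-Fa-f]{40})\)'                          { $s.HelloHashMatched = $Matches.h.ToUpper() }
            'Failed to establish tcp session to (?<ep>[\d.]+:\d+)'      { $s.TcpFailures += $Matches.ep }
            '^Error (?<c>0x[0-9A-Fa-f]{8}) returned by InitializeSecurityContext' {
                $c = $Matches.c.ToLower()
                $name = if ($codeNames.ContainsKey($c)) { $codeNames[$c] } else { 'unknown' }
                $s.TlsErrors += "$c ($name)"
            }
            '^session params : (?<url>https?://\S+)'                   { $s.WsManEndpoint = $Matches.url }
            '^ERROR: Invoke\(get\) failed: (?<c>[0-9A-Fa-f]{8})'        {
                $c = '0x' + $Matches.c.ToLower()
                $name = if ($codeNames.ContainsKey($c)) { $codeNames[$c] } else { 'unknown' }
                $s.WsManErrors += "$c ($name)"
            }
            '^Description: (?<d>.+?) SMS_AMT_OPERATION_MANAGER'         { $s.WsManErrors += $Matches.d }
        }
    }

    # collapse the repeated retries into one entry each
    $s.TlsErrors   = @($s.TlsErrors   | Select-Object -Unique)
    $s.WsManErrors = @($s.WsManErrors | Select-Object -Unique)

    # where did this attempt stop? (labels are mine, derived from the log text)
    $s.FailedStage = if (-not $s.HelloHashMatched) { 'hello message / provisioning-cert hash' }
        elseif (@($s.WsManErrors -match 'certificate is required').Count -gt 0) {
            'TLS session on 16993: the device asked for a client certificate and none was presented' }
        elseif ($s.TlsErrors.Count -gt 0)   { 'TLS handshake' }
        elseif ($s.TcpFailures.Count -gt 0) { 'TCP connect' }
        else { 'none seen' }

    [pscustomobject]$s
}

# Lines copied from the amtopmgr.log excerpt above (sample input for the example)
$sample = @'
Incoming data is - Configuration version: PKI Configuration. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
UUID : D0859608-B772-DD11-A847-0019992FC5E5 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
Found matched hash from hello message with current provision certificate. (Hash: C4A82DCC1EAC529E254ADEEA4650238E733FBCF5) SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.04 3800 (0x0ED8)
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.0.0.11:16992. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.06 2856 (0x0B28)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
session params : https://vprocl11:16993 , 11001 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
Description: A certificate is required to complete client authentication SMS_AMT_OPERATION_MANAGER 03/11/2009 12.36.11 2856 (0x0B28)
'@ -split "`r?`n"

Get-AmtDiscoverySummary -Lines $sample | Format-List
```

Run against a real log with `Get-AmtDiscoverySummary -Lines (Get-Content amtopmgr.log)`. On the excerpt above it reports that the hello/hash stage passed (the device's root hash matched the provisioning certificate) and that the attempt died inside the TLS session to port 16993, where the AMT device requested a client certificate that the site server did not supply; the parser only reports what the log says and does not diagnose why.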
KRISHNA_V_Intel
Employee
47 Views

Did you have a chance to review these TechNet articles? Yes, it is possible to issue a provisioning cert from an internal CA.

Slide 7

• AMT Provisioning Certificate (Used for Provisioning)
• Determine 3rd party or Self Generated
• 3rd Party CA (Verisign, Godaddy, Comodo, Starfield)
  http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx#BKMK_AMTprovisioning1
• Self Generated from Internal PKI infrastructure
  http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx#BKMK_AMTprovisioning2
• Export Cert for SCCM / WS-MAN Translator in later configuration step
  http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx#BKMK_AMTprovisioning3
• Web Server Certificate (AMT TLS Cert)
• Create New Web server Template
• Recommend certificate name: ConfigMgr AMT Web Server Certificate
• Primary site server computer account (SCCM SP1 Server) must have Full Control permissions
  http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx#BKMK_AMTwebserver

idata
Community Manager
47 Views

Hello Mohan,

In the previous lab I set up an internal CA which issued the AMT certificate, and it works.

Note: that CA was also the root CA in that environment.

Now I would like to understand if it is possible and supported to make a lab where there are two CAs:

- the first one is the root CA

- the second one is a subordinate CA, and this CA issues the AMT certs.

Giovanni

KRISHNA_V_Intel
Employee
47 Views

Yes, it is possible and I have done that. You need to install the subCA. I had my CA on the domain controller and my subCA on the SCCM SP1 server, and the corresponding templates created with site server Full Control permission. In the OOB management component you need to point to the CA for the web server template. I have not tried issuing an internal provisioning certificate from the subCA, but I would think that should also work.

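A check for the two-tier case discussed in this thread, added here as an example and not code from the thread, from Intel or from Microsoft. The hello message an AMT device sends carries the SHA-1 hashes of the root certificates it trusts (the log above shows SCCM matching one of them, C4A82DCC1EAC529E254ADEEA4650238E733FBCF5, against its provisioning certificate). When the provisioning certificate comes from a subordinate CA, the hash the device knows is still the root CA's, so the chain must build root -> subCA -> leaf and the site server must be able to send the sub-CA certificate in the TLS handshake. The function below loads an exported provisioning PFX and reports whether the chain builds, whether the root thumbprint is one of the advertised hashes, whether the sub-CA is present in the local Intermediate Certification Authorities store, and whether the leaf carries the markers Intel's remote configuration expects: Server Authentication EKU, either the Intel setup OID 2.16.840.1.113741.1.2.3 or the OU "Intel(R) Client Setup Certificate", and a CN ending in the clients' DNS suffix. $PfxPath, $PfxPassword and the DNS suffix 'lab.example' are assumptions for the example; it needs PowerShell 5.1 on .NET 4.7.2 or later (or PowerShell 7) for EphemeralKeySet.

```powershell
# Added example, not from the thread: validate an AMT provisioning certificate
# issued by a subordinate CA against the root hash the AMT device advertised.
function Test-AmtProvisioningCert {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,       # assumed: exported provisioning cert with private key
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string[]] $HelloHashes = @('C4A82DCC1EAC529E254ADEEA4650238E733FBCF5'),  # hash SCCM matched in the log above
        [string]   $DnsSuffix   = 'lab.example'    # assumed DHCP option 15 suffix of the AMT clients
    )

    # EphemeralKeySet keeps the private key out of the user's key store while we inspect it
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword, $flags)

    # Build the chain from the local machine stores, exactly what Schannel will do on the site server
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # lab; enable for production
    $built    = $chain.Build($cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })   # leaf ... root
    $root     = $elements[-1]

    # Extended Key Usage OIDs on the leaf
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            $ekuOids = @(([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext).EnhancedKeyUsages |
                         ForEach-Object { $_.Value })
        }
    }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # With root -> subCA -> leaf the intermediate must sit in the site server's
    # Intermediate Certification Authorities store, or Schannel cannot send the full chain
    $subCaInStore = $null
    if ($elements.Count -ge 3) {
        $subCa = $elements[1]
        $subCaInStore = [bool](Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $subCa.Thumbprint })
    }

    $r = [ordered]@{
        ChainBuilds        = $built
        ChainDepth         = $elements.Count                  # 3 for root -> subCA -> leaf
        RootThumbprint     = $root.Thumbprint                 # SHA-1 hex, same form as the hello-message hash
        RootHashInHello    = [bool]($HelloHashes -contains $root.Thumbprint)   # -contains is case-insensitive
        HasPrivateKey      = $cert.HasPrivateKey
        ServerAuthEku      = [bool]($ekuOids -contains '1.3.6.1.5.5.7.3.1')
        IntelSetupMarker   = [bool](($ekuOids -contains '2.16.840.1.113741.1.2.3') -or
                                    ($cert.Subject -match 'OU=Intel\(R\) Client Setup Certificate'))
        CnMatchesDnsSuffix = $cn.ToLower().EndsWith($DnsSuffix.ToLower())
        SubCaInLocalStore  = $subCaInStore
    }
    # AllPass ignores SubCaInLocalStore when the chain is only two deep (no sub-CA)
    $r.AllPass = (@($r.Values | Where-Object { $_ -is [bool] }) -notcontains $false)
    [pscustomobject]$r
}

# Example call (paths and suffix are assumptions):
# Test-AmtProvisioningCert -PfxPath 'C:\certs\amt-prov.pfx' `
#     -PfxPassword (Read-Host -AsSecureString 'PFX password') -DnsSuffix 'lab.example' | Format-List
```

If RootHashInHello is false, the hash entered in MEBx (or the pre-loaded OEM hash) belongs to a different root than the one the subCA chains to; re-check which root certificate was hashed rather than which CA signed the leaf. If ChainDepth is 2 or SubCaInLocalStore is false, import the subordinate CA's certificate into the site server's Intermediate Certification Authorities store before retrying provisioning.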