Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Provision Intel vPro with SCCM 2007 SP2 - strange error

idata
Employee

We are trying to provision our Intel vPro clients with SCCM 2007 SP2. We use a test certificate from Verisign with a bit length of 1024 and the Root CA has 2048 bits (there is a 2048-bit limit on vPro clients). The vPro client has the hash of the Root CA entered (as seen in the log below). The local password in MEBx is configured in SCCM to match the local MEBx password. We have unprovisioned the client multiple times.

I'm particularly interested in the error:

Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.

**** Error 0x431b240 returned by ApplyControlToken

I have tried to search for "Error 0x431b240 returned by ApplyControlToken", but without success. Strange!

This is the AMTOPMGR.log on the SCCM Provisioning server:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<
Provision target is indicated with SMS resource id. (MachineId = 52861 lovdotvpro1.orebroll.se) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Found valid basic machine property for machine id = 52861. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
The provision mode for device lovdotvpro1.orebroll.se is 1. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Check target machine (version 5.2.10) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
The IP addresses of the host lovdotvpro1.orebroll.se are 10.20.19.106. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Create provisionHelper with (Hash: 6CC51B70B989FAD4BAB6C83649EE68C4CA6A0999) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Try to use provisioning account to connect target machine lovdotvpro1.orebroll.se... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
AMT Provision Worker: 1 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=VEYRON SITE=CM1 PID=7296 TID=12036 GMTDATE=Fri Jul 16 07:34:26.421 2010 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using provisioning account # 1. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Try to use default factory account to connect target machine lovdotvpro1.orebroll.se... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using default factory account. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Try to use provisioned account (random generated password) to connect target machine lovdotvpro1.orebroll.se... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 52861) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error: Can NOT establish connection with target device. (MachineId = 52861) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Regards
7 Replies
idata
Employee

The error message you are seeing can sometimes be the result of a DNS lookup problem. Are you able to ping the client's FQDN from the SCCM server and have it successfully resolve the proper IP address?

idata
Employee

In addition to Dan's comment, I've also seen this error when option 15 is not set in your DHCP scope. This link has your specific error and possible resolutions.

http://technet.microsoft.com/en-us/library/cc161803.aspx

Chykun

idata
Employee

Hi!

Option 6 and 15 are set in DHCP. The problem is that the article you mention does not have the exact error we got. The error we are looking for is this: "Error 0x431b240 returned by ApplyControlToken"

I think you are referring to the previous error, "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.", which seems to be some kind of generic error (we also saw this error when we first tried to use a certificate with a 4096-bit root CA, but the following error code was different).

We have set up a test environment to test the vPro functionality before we purchase any MEBx pre-trusted certificates. To do this we have acquired a test certificate from VeriSign (1024 bit) and entered the hash of the ROOT CA (2048 bit) in MEBx. We've put in the correct password in SCCM so it matches the one we altered in MEBx. This should work, right? Our SCCM runs in native mode - can this be an issue?

idata
Employee

Additional info:

When we look in the client's MEBx "Provisioning record" we see this:

TLS Provisioning mode: PKI

Secure DNS: NO

Host Initiated: YES

HashData: 0000-0000-0000-0000-0000-0000-0000-0000-0000-0000

Hash Algorithm: MD5

Serial Num: 0000-0000-0000-0000-0000-0000-0000-0000-0000-0000

IsDefault Bit: NO

Time Validity Pass: YES

FQDN: veyron.orebroll.se (The correct SCCM provisioning server)

Provisioning IP: 10.10.10.56 (The correct IP of the SCCM provisioning server)

Date of Provision: 7/18/2010 at 11:06

idata
Employee

Ooops! After a closer look at DHCP option 15 we saw that it was set as ourdomain.se. (notice the ending dot!). We set it to ourdomain.se (without an ending dot) on the IP-scope our clients were on, tried provisioning again and then it worked perfectly.

Thanks for the help! Now we're one step further, great! Another question if I may: does the certificate we issue to MEBx have to be stored and published in Active Directory, and how can you locate this certificate in AD?

idata
Employee
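As an added example (not code from this thread, from Intel, or from Microsoft), the following Python script turns the two things discussed above into checks that can be run offline: it parses the AMTOPMGR.log layout visible in the original post and tallies the "Error <code> returned by <api>" entries, naming 0x80090304 as SEC_E_INTERNAL_ERROR (a documented Windows SSPI status; 0x431b240 is not a documented HRESULT, which is why searching for it finds nothing), and it checks a DHCP option 15 value against the provisioning server's FQDN. The option 15 check models the AMT remote-configuration rule that the domain suffix of the provisioning certificate's CN must match the domain the client receives in DHCP option 15; that it is an exact string comparison, so that a trailing dot fails it, is an assumption consistent with the fix reported in the post above. The log entry regex is inferred from the posted lines, and the sample log is an excerpt of those lines embedded here as constructed input.

```python
"""Triage helpers for SCCM 2007 SP2 AMT provisioning failures.
Added example; not code from the thread, Intel, or Microsoft."""
import re
from collections import Counter

# Entry layout inferred from the AMTOPMGR.log lines posted in this thread:
#   <message> SMS_AMT_OPERATION_MANAGER <yyyy-mm-dd> <hh:mm:ss> <thread> (0x<hex>)
LOG_ENTRY = re.compile(
    r"^(?P<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<thread>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$"
)
ERROR_RE = re.compile(r"Error (0x[0-9A-Fa-f]+) returned by (\w+)")

# Known Windows SSPI/Schannel status codes seen in this log.
# 0x80090304 is SEC_E_INTERNAL_ERROR. 0x431b240 is not a documented HRESULT.
SSPI_STATUS = {0x80090304: "SEC_E_INTERNAL_ERROR"}

# Constructed input: an excerpt of the log from the original post.
SAMPLE_LOG = """
>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<
Provision target is indicated with SMS resource id. (MachineId = 52861 lovdotvpro1.orebroll.se) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error: Can NOT establish connection with target device. (MachineId = 52861) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
"""


def parse_log(text):
    """Return one dict per recognised log entry. The task begin/end marker
    without a component suffix and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_errors(entries):
    """Count (api, status code, status name) triples for every
    'Error <code> returned by <api>' message in the parsed entries."""
    counts = Counter()
    for e in entries:
        m = ERROR_RE.search(e["msg"])
        if m:
            code = int(m.group(1), 16)
            counts[(m.group(2), code, SSPI_STATUS.get(code, "unknown"))] += 1
    return counts


def check_option15(option15, provisioning_fqdn):
    """Model of the AMT remote-configuration rule: the domain suffix of the
    provisioning certificate's CN must equal the DHCP option 15 domain.
    Exact string comparison is an assumption, consistent with the
    trailing-dot failure reported in this thread. Returns (ok, reason)."""
    _host, sep, suffix = provisioning_fqdn.lower().partition(".")
    if not sep:
        return False, f"{provisioning_fqdn!r} has no domain suffix to compare"
    raw = option15.strip()
    if raw.endswith("."):
        return False, (f"DHCP option 15 {raw!r} ends with a dot, so it is not "
                       f"equal to the certificate suffix {suffix!r}")
    if raw.lower() != suffix:
        return False, f"DHCP option 15 {raw!r} != certificate suffix {suffix!r}"
    return True, "ok"


if __name__ == "__main__":
    for (api, code, name), n in summarize_errors(parse_log(SAMPLE_LOG)).items():
        print(f"{api}: 0x{code:08x} ({name}) x{n}")
    # The misconfiguration from the thread, then the corrected value.
    print(check_option15("orebroll.se.", "veyron.orebroll.se"))
    print(check_option15("orebroll.se", "veyron.orebroll.se"))
```

On a real server, feed the contents of AMTOPMGR.log to parse_log and the scope's option 15 value to check_option15; a trailing dot on the option, as in the thread, is reported before any DNS query is made.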

Here is a step-by-step for the needed certificates. This is using an MS enterprise CA:

http://technet.microsoft.com/en-us/library/dd252737.aspx

The short answer is no. Just the server that hosts the OOBM role needs to have permissions to request certificates using the template you create using the step-by-step.

idata
Employee

Yes, we can ping and resolve the FQDN of the client from the SCCM server.
