Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

Provisioning stopped after CA Rebuild

idata
Employee
‎10-08-2009 07:46 AM
2,162 Views

Good Morning,

I've gotten to provision approximately 200 vPro clients using SCCM SP1. The process was running nice and smoothly for months now. However, do to unforeseen circumstances, our Network group had to rebuild our CA. Supposedly, everything has been restored to the way it once was, however, I am seeing a consistent break in the process.

Going to our OOB MP and looking at the amtproxymgr.log file, I see: "ERROR: ICertRequest2->Submit failed: 0x80070005."

I've seen this error early on when first building out our infrastructure. We have a multi-domain hierarchy and our CA sits in our top level "Domain1.com" and the OOB Management point sits in "Domain2.com". Refering to Microsoft's guidance here http://technet.microsoft.com/en-us/library/cc161803.aspx http://technet.microsoft.com/en-us/library/cc161803.aspx, we needed to add SCCM.Domain2.com to CERTSRV_DOM_ACCESS sitting in Domain1.com.

In the past, this resolved our issue and we were able to begin provisioning. Now, hoever, with the assurances that were given about the environment being restored, we are seeing the same issue where the chain is not being validated due to a block in rights.

My question is this, do we need to remove and then rebuild the OOB Mgmt Role on our Management Point for the provisioning process to be restored? Or could it be that there is still an oversite in that our OOB was not actually added to the correct Security group to manage the provisioning certificate?

Any help would be GREATLY appreciated.

Best Regards,

Johnny Cadavid

0 Kudos

Link Copied

4 Replies
Matthew_R_Intel
Employee
‎10-08-2009 08:02 AM
562 Views

Johnny,

The submit failure usually cased by... Not being able to find the Issuing CA or the SCCM Site Server not having sufficent permission to request the certificate. I would recommend checking the following...

  • Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers has the appropriate permission. SCCM SP1 Help File Article: "[Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management|http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx]"; Section: "Preparing the Web Server Certificates for AMT-Based Computers".
  • Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "[How to Configure AMT Provisioning|http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx]"; Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.

--Matt Royer

0 Kudos
Copy link
idata
Employee
‎10-08-2009 09:53 AM
562 Views
In response to Matthew_R_Intel

Matt,

Like I said, the environment was happily chugging along until the CA was rebuilt. I really don't want to rebuild the OOB Role from scratch if I don't have to because nothing was touched. Is it a matter of a GUID changing or something that would cause this to happen? I'm just trying to get an understanding of why.

In response to Matthew_R_Intel
0 Kudos
Copy link
Matthew_R_Intel
Employee
‎10-08-2009 10:01 AM
562 Views
In response to idata

If they rebuilt the CA infrastructure... i would make sure the CA template that you are explecting to use is still there and you still have the appropriate permissions to that template.

--Matt Royer

In response to idata
0 Kudos
Copy link
idata
Employee
‎10-19-2009 07:18 AM
562 Views
In response to idata

Matt,

Thanks for the pointer. It ended up being that the OOB MP wasn't actually placed in the CERTSRV_DCOM_ACCESS Security Group for the CA in our top domain. After a reboot, the provisioning started working. It's brought up another interesting problem, but I am going to start a new thread for that.

Thanks Matt!

In response to idata
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.