Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

SCCM R3 Out of Band Management Console - Serial Connection Failed

idata
Employee
2,637 Views

Hello everyone,

Really at a dead end and wondering if anyone had any suggestions.

I have SCCM 2007 R3 installed on Server 2008 R2, and have been progressing with the configuration of Out of Band Management. Everything seems to be working correctly with the exception of the Serial Connection in the Out of Band Management Console within the SCCM console.

The CA (also on Server 2008 R2) is issuing the certificates and I can see the SCCM server as the requester.

My test workstation provisions correctly, I'm using a cert from Go Daddy and I'm able to connect with the OOBM console and control power etc. But the Serial Connection fails.

AMTOPMGR.Log shows "Enable SOL with true and IDER with true"

The OOBMConsole.log file shows the familiar errors:

IMR_SOLOpenTCPSession fail with result:0x00000020

I've seen the posts \ messages regarding the incomplete certificate chain but I'm not sure that is the problem.

I've added the certificates in the SCCM server cert store too.

If I run KVMView.exe independently of the SCCM console, but on the same server, I can establish a successful TLS connetion, just not from within the SCCM console itself.

Other features, such as the WebInterface are also working correctly.

Does anyone have any ideas where I'm going wrong, judging by the error in OOBMConsole.log it must be cert related, but I've run out of ideas.

Thanks in advance

0 Kudos
10 Replies
idata
Employee
616 Views

Hi Dave,

I have a link for you to look at if this doesnt help let me know and we will look at it further

/docs/DOC-4153;jsessionid=8AA1B3F40639C481D8B545758B8C0072.node5COMS http://communities.intel.com/docs/DOC-4153;jsessionid=8AA1B3F40639C481D8B545758B8C0072.node5COMS

Look for

Symptom: Not able to perform an IDER or SOL session on and AMT client from the SCCM Out Of Band Management Console.

Greg

0 Kudos
idata
Employee
616 Views

Hi Greg,

Thanks for the response.

Yes, I've seen that link previously and I'm sure I've checked the details.

Telnet is definitely installed on the console machine, and I'm only using a Root CA.

I've added the Root CA certificate into the Trusted Root Certification Authorities store in IE and also in the MMC but still having no luck.

Any other ideas?

Thanks in advance.

0 Kudos
idata
Employee
616 Views

Hi again Greg,

Yes seen that link too.

I've been through the "Issue 2" scenario, since I did have multiple certificates in the root CA.

The problem I have is that KVMView.exe, from the same server as the SCCM console, works correctly using a TLS connection, for both the BIOS connection and the GUI components. Just not with the SOL option from within OOBM from the SCCM console; where I get the Serial Connection failed message.

The OOBCONSOLE.LOG shows the regular "IMR_SOLOpenTCPSession fail with result:0x00000020"

So I'm stuck at what to check next!

Thanks again

0 Kudos
idata
Employee
616 Views

Dave,

SCCM does not support use of subordinate certificate authorities for SOL and IDER features.

Can you view the AMT cert via the AMTwebui and verify that it has been issued by a root CA (single CA in the chain) and not a subordinate CA.

Greg

0 Kudos
idata
Employee
616 Views

Hi Greg,

Yes, I'm only using a root CA, no subordinate CA involved at all.

The AMT WebUI connects successfully and I can see the certificate path details, and all looks correct. Hence why I'm struggling. Everything seems to be OK, but the SOL feature consistently fails with the same TLS error.

I though the previous link might have offered a solution with the multiple entries in the root CA store. But it made no difference, even after i completely re-provisioned the workstations.

The certificate via IE and the WebUI shows that it's been issued by the root CA and issued to the FQDN of the workstation, with valid dates. The key length is 2048 bits, which I believe is OK

The Certification Path shows OK for both the root CA and the target workstation; these two items being the only entry.

The only thing that springs to mind is that the console isn't referencing the FQDN of the workstation, as the certificate is, it just using the hostname.

Could that have an impact?

0 Kudos
idata
Employee
616 Views

I have two questions:

1. When we see issues like this, SOL and IDER typically see the same failures. Please attempt IDER. If IDER passes, the SOL problem is likely an issue with the client and not with configuration.

2. You mentioned access via hostname being a problem. Please attempt to access the AMT webui by hostname only and see what happens. Also, inspect the AMT certificate and see if a client hostname entry appears in the subject alternative name.

0 Kudos
idata
Employee
616 Views

Was this issue resolved?

0 Kudos
idata
Employee
616 Views

Sorry, not been in the office to test, but will have a look today.

Thanks

0 Kudos
idata
Employee
616 Views

Hi again Kyle. Managed to spend a bit of time on the issue again!

Regarding point 1:

IDER also fails and again refers to the OOBConsole.log file. Entries in here again list

IMR_IDEROpenTCPSession2 Failed to Establish TLS Connection.

Point 2:

I can access the Web console via either the FQDN or just the hostname. When logged on the certificate is issued to the FQDN, and in the details section of the certificate I have "CN=" both the FQDN and hostname.

Should there be an additional section for "Subject Alternative name?"

The OOBConsole.log file shows the client is attempting to connect using the FQDN too.

So still stuck I'm afraid.

Thanks Dave

0 Kudos
Reply