
SCCM error when trying to connect to the OOB Console

idata

Can anyone help me?

Bruno_Domignues

Rodrigo,

Based on your screenshot, it looks like the SCCM computer account is unable to create the ME object in the OOB OU. Did you add the SCCM computer account to the OU security descriptor?

A good approach to solving this problem is to use IE to connect using Kerberos (Windows account); just type in your browser:

https://computer_account_name_FQDN:16993

You should create this http://support.microsoft.com/kb/908209 regkey and configure the Intranet zone (the vPro machine should be recognized in this zone) with "Automatic logon with current name and password" as shown.

Best Regards!

--Bruno Domingues

idata

Hello,

Thank you for the reply. But it didn't solve my problem.

I'll further detail what is going on here:

In the amtopmgr.log, everything seems to be fine (log attached).

However, in the amtproxymgr.log I see some errors:

Processing Maintenance Inbox...Done 25/03/2011 10:12:18 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

Found instruction file: C:\Program Files\Microsoft Configuration Manager\inboxes\amtproxymgr.box\{55F25CD5-43FD-4929-950E-38683A3164B1}.apx 25/03/2011 10:12:18 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

Processing Instruction: ADT CREATE;RODRIGO.trt9a.local;OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local;00000000-0000-0000-0000-6CF049FE3365;6.0.30;8913000028E9845A35C6AD463E844CE52EE0F0CA6C039F07D1E651A30168D3D9E638F595F35374B21596DB811400000042000000480000000366000000000000768A12D289594E052E47077BADFF1430EE6EF0BB08A817750B14FC5F13A68B167D7F024D581222FE180359210E3E30770D3FA53251F1A576FE2BA0D73881DDE27C4C3BB762684DF60000 25/03/2011 10:12:18 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

AD Task - DoExecute. 25/03/2011 10:12:18 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

AD Task - Create Action Start. 25/03/2011 10:12:18 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

AD Task - UpdateObject failed. FQDN: RODRIGO.trt9a.local, ADDN: OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local. 25/03/2011 10:12:19 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

STATMSG: ID=7604 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_PROXY_COMPONENT" SYS=BR64 SITE=TRT PID=14232 TID=13796 GMTDATE=Fri Mar 25 13:12:19.273 2011 ISTR0="RODRIGO.trt9a.local" ISTR1="OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 25/03/2011 10:12:19 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

Failed to run instruction: ADT CREATE;RODRIGO.trt9a.local;OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local;00000000-0000-0000-0000-6CF049FE3365;6.0.30;8913000028E9845A35C6AD463E844CE52EE0F0CA6C039F07D1E651A30168D3D9E638F595F35374B21596DB811400000042000000480000000366000000000000768A12D289594E052E47077BADFF1430EE6EF0BB08A817750B14FC5F13A68B167D7F024D581222FE180359210E3E30770D3FA53251F1A576FE2BA0D73881DDE27C4C3BB762684DF60000 25/03/2011 10:12:19 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

Finished Executing Instruction: ADT CREATE;RODRIGO.trt9a.local;OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local;00000000-0000-0000-0000-6CF049FE3365;6.0.30;8913000028E9845A35C6AD463E844CE52EE0F0CA6C039F07D1E651A30168D3D9E638F595F35374B21596DB811400000042000000480000000366000000000000768A12D289594E052E47077BADFF1430EE6EF0BB08A817750B14FC5F13A68B167D7F024D581222FE180359210E3E30770D3FA53251F1A576FE2BA0D73881DDE27C4C3BB762684DF60000 25/03/2011 10:12:19 SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)

When I look at the OU, there is a created and disabled computer object named RODRIGO, with pre-Windows 2000 name: RODRIGO$iME

On the General tab, dns name: CN=RODRIGO,OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local

Now on the SCCM console, when I go and look at the SMS_AMT_PROXY_COMPONENT's log, there is the following error:

Failure: The AMT Proxy Manager failed to update a object in the AD. FQDN: RODRIGO.trt9a.local, ADDN: OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local.

Possible cause: the SMS service account does not have permission to remove the object in the Active Directory, or this object doesn't exist.

I've already checked the permissions, and the SCCM computer's account and the service account user both have FULL control on the OU and on the created object!

There is one more piece of information: when I access https://rodrigo.trt9al.local:16993 it opens up the Intel Active Management Technology page. I can then check the Web Certificate Information and it's valid and OK (I'm using an internal CA for the provisioning certificate as well and I've added the CA root's hash manually on the ME firmware). When I click on the "Log On" button of the web site I get an HTTP 400 Bad Request!

Lastly, in the oobmgmt.log of the client:

New OTP generated 25/03/2011 09:52:21 oobmgmt 168 (0x00A8)

Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = A88E07836B0960BF372DD701F0F4191F01F1B766, RetryCount = 0 25/03/2011 09:52:21 oobmgmt 168 (0x00A8)

Raising event:
[SMS_CodePage(850), SMS_LocaleID(1046)]
instance of SMS_OOBMgmt_StartConfig_Success
{
ClientID = "GUID:83f6cb20-f328-4ee1-aa59-75ee0f4fefcc";
ConfigurationStartTime = "2011-03-25 09:52:21";
DateTime = "20110325125221.814000+000";
MachineName = "RODRIGO";
ProcessID = 2844;
SiteCode = "TRT";
ThreadID = 168;
};
25/03/2011 09:52:21 oobmgmt 168 (0x00A8)

Successfully activated the device. 25/03/2011 09:52:21 oobmgmt 168 (0x00A8)

Upload manufacturing data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, Root Certificate Hash = 47FE70A49E967481AAEB50BACF88961B78BCE7D4, AMT Core Version = 6.0.30 25/03/2011 09:52:21 oobmgmt 168 (0x00A8)

END 25/03/2011 09:52:21 oobmgmt 168 (0x00A8)

Almost forgot to say that I can use power control on the machine without a problem, but when I try to connect to the Out of Band Management Console, it starts on Busy, goes to Connection and then it ends on Disconnected after a few seconds!

Please, could someone give any direction on how to solve it?

Bruno_Domignues

Hi Rodrigo,

You are not having problems with power control because these operations from SCCM use Digest authentication, while the OOB Console uses Kerberos for authentication.

In order for Kerberos authentication to work, SCCM should be able to create a User object in AD to represent the vPro machine, and as far as I can see in your logs, SCCM is failing to update this object:

RODRIGO.trt9a.local;OU=Out of Band Management Controllers,OU=Windows Vista,OU=CAPITAL,OU=COMPUTADORES,OU=TRT9,DC=trt9a,DC=local

Can you confirm that this object is under this OU? Are you using a login account name equal to the machine name (i.e. machine name = Rodrigo and login account = Rodrigo)? If that's the case, you will probably face problems since you can't have the same SPN in AD. For more information, read this KB: http://support.microsoft.com/kb/251359

Best Regards!

--Bruno Domingues

idata

Hello Bruno,

Thanks for the reply.

Answering your questions, my user login account is not RODRIGO.trt9a.local. That's for the computer's account name. So, they are not the same.

And yes, the computer object has been created in the correct OU; however, it's disabled and its pre-Windows name is RODRIGO$iME.

I don't understand how SCCM can create the object in the OU and then can't update it!

Also, on the created object, on the attribute editor, attribute "servicePrincipalName", there are four values:

HTTP/RODRIGO.TRT9A.LOCAL:16992

HTTP/RODRIGO.TRT9A.LOCAL:16993

HTTP/RODRIGO.TRT9A.LOCAL:16994

HTTP/RODRIGO.TRT9A.LOCAL:16995

Now, after doing what you said in your first reply, when I try to access the AMT's web page on https://rodrigo.trt9a.local:16993 and click on Log On... I no longer get the HTTP 400 error. Now it pops up the login/password box, but when I type in my user and password it doesn't log me in... It does not accept my password, probably because of the error when updating the computer's object in that OU.

I have already tried to log in with a user account that belongs only to one group and the user has access configured on the OOB component.

Any ideas?

Best regards,

Rodrigo

Bruno_Domignues

Rodrigo,

There is nothing wrong with the SPNs in the AD object; the problem is that this object is disabled instead of enabled.

Did you try provisioning a different machine to see if this problem happens again? Or unprovisioning and provisioning again to make sure that nothing broke after the initial configuration? I would suggest you focus your attention on why SCCM is getting an error when updating the AD object.

My two cents!

-- Bruno Domingues
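
An added example (not posted by anyone in this thread, and not SCCM's own tooling): it reads amtproxymgr.log lines in the format quoted above and reports which ADT CREATE instructions failed at the UpdateObject step, with the affected FQDN and OU. The sample lines and host names are constructed, and the meaning given to the semicolon-separated ADT CREATE fields (FQDN, OU, AMT version) is an assumption inferred from the log lines in the thread.

```python
import re
from datetime import datetime

# Each line ends with: date, time, component, thread id, hex thread id.
TRAILER = re.compile(
    r"^(?P<msg>.*?)\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<comp>\S+) (?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$")
UPDATE_FAILED = re.compile(
    r"^AD Task - UpdateObject failed\. FQDN: (?P<fqdn>[^,]+), ADDN: (?P<dn>.+)\.$")

# Constructed sample lines (placeholder hosts, OU and payload), not real log data.
_T = " SMS_AMT_PROXY_COMPONENT 13796 (0x35E4)"
_I1 = "ADT CREATE;PC01.example.local;OU=OOB,DC=example,DC=local;UUID-PLACEHOLDER;6.0.30;BLOB"
_I2 = "ADT CREATE;PC02.example.local;OU=OOB,DC=example,DC=local;UUID-PLACEHOLDER;6.0.30;BLOB"
SAMPLE = [
    "Processing Instruction: " + _I1 + " 25/03/2011 10:12:18" + _T,
    "AD Task - UpdateObject failed. FQDN: PC01.example.local, "
    "ADDN: OU=OOB,DC=example,DC=local. 25/03/2011 10:12:19" + _T,
    "Failed to run instruction: " + _I1 + " 25/03/2011 10:12:19" + _T,
    "Finished Executing Instruction: " + _I1 + " 25/03/2011 10:12:19" + _T,
    "Processing Instruction: " + _I2 + " 25/03/2011 10:13:00" + _T,
    "Finished Executing Instruction: " + _I2 + " 25/03/2011 10:13:01" + _T,
]

def triage(lines):
    """Return one record per ADT CREATE instruction, with its outcome."""
    pending, done = {}, []          # pending is keyed by worker thread id
    for line in lines:
        m = TRAILER.match(line.strip())
        if not m:
            continue                # blank spacer or continuation line
        msg, tid = m["msg"], int(m["tid"])
        when = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")
        if msg.startswith("Processing Instruction: ADT CREATE;"):
            f = msg.split(": ", 1)[1].split(";")
            if len(f) >= 5:         # field meanings are inferred (assumption)
                pending[tid] = {"fqdn": f[1], "ou": f[2], "amt_version": f[4],
                                "started": when, "status": "ok", "failed_step": None}
        elif tid in pending:
            cur = pending[tid]
            if UPDATE_FAILED.match(msg):
                cur["failed_step"] = "UpdateObject"
            elif msg.startswith("Failed to run instruction: ADT CREATE;"):
                cur["status"] = "failed"
            elif msg.startswith("Finished Executing Instruction: ADT CREATE;"):
                done.append(pending.pop(tid))
    return done

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec["started"], rec["fqdn"], rec["status"], rec["failed_step"], rec["ou"])
```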
