- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
For the better part of 2 years we have been trying to get a production vPro environment working consistently. We finally managed to get a working v6.0 environment up and running with about 200 out of 700 machines provisioned. This was not used as much as we found that due to varying BIOS versions and drivers, configuration was very hit or miss. That being said, it at least did work on 200 or so machines.
When SCS 7.0 was released we decided that since it supports Server 2008 R2 we would move to using that and start over. We renewed our cert and following the installation steps, but ever since then we have been unable to remotely provision any machines. The following is the steps I took that based on our previous working vPro environment and installation doc's should have been enough for it to work. I am hoping that with the assistance of the community, I can figure out where the fault lies and I am happy to contribute back to the community with an in-depth document on the steps necessary for this to work.
Server Installation & Configuration Setup
Windows 2008 Server R2 Datacenter 64-bit (ESX Virtual Machine)
- RCS Service installed as Active Directory user that is used to run the service
- Active Directory User
- Local Administrator on box
- Service set to run as AD User
- Set only to 2 groups (Workstation admin group) - Avoids Kerberos ticket size limits
- Active Directory User
- GoDaddy certificate installed under Certificate store of Active Directory user
- GoDaddy intermediate and root certificates installed and certificate trust appears verified when checking on the cert information
- ProvisionServer.{domain}.{suffix} DNS address secured and pointed to Server
- Server is on Private IP space with no access to internet
- Firewall has WMI-In and Service whitelisted as exceptions (no outgoing traffic is being blocked)
- TCP 16992-16995 and TCP 9971 Open
- DHCP Option 15 is available and correct
- No errors related to the RCS Service in the Event Viewer
- UAC is on but configured to allow services to run without confirmation
Client Setup
Windows XP SP3 32-bit - Dell 960
- Firewall is on and does not block outgoing traffic, the following ports are open
- TCP 16992-16995 and TCP 9971 Open
- HECI driver is installed at latest version available to Dell 960 models, LMS and SOL drivers also installed and at latest version
- BIOS updated to latest available for Dell 960 model
- ACU_Config is run as the same user running the RCS Service
- RCS Service user is also local administrator on the client machine
- Intel Management and Security Status utility shows the system is currently Unconfigured and Awaiting Configuration
- Network Information shows all fields as "Information Unavailable"
- Extended System Details show Intel MEI Driver as enabled
Active Directory Setup
- OU setup underneath our division OU that allows the RCS Server user to create and delete AMT Computer objects
ACU_Config Configuration
The following is the Configuration string used to config the machine:
ACUConfig.exe /verbose ConfigViaRCSOnly provisionserver.{domain}.{suffix} "VPSA Standard Profile" /Abortonfailure
Note: The Domain and Suffix are replaced with the domain information.
ProvisionServer is accessible from the client computer via ping and remote desktop.
Client Log
2011-04-24 22:17:43:545 Thread:1908(INFO) : ACU Configurator , Category: HandleOutPut Source: .\Src\ActivatorUtils.cpp : HandleOutput Line: 216: Starting log 2011-04-24 22:17:432011-04-24 22:17:43:545 Thread:1908(DETAIL) : ACU Configurator, Category: VerifyFileSignature Source: .\Src\ActivatorMain.cpp : wmain Line: 105: Verifying the digital signature of ACU.dll, this operation might take up to 3 minutes...2011-04-24 22:17:53:358 Thread:1908(INFO) : ACU Configurator , Category: VerifyFileSignature Source: .\Src\ActivatorUtils.cpp : VerifyFileSignature Line: 984: The file "ACU.dll" is signed and the signature was verified.2011-04-24 22:17:53:498 Thread:1908(DETAIL) : ACU Configurator , Category: -Start- Source: .\Src\HECIDiscovery.cpp : CheckAMT Line: 115: ***** Start CheckAMT ******2011-04-24 22:17:53:498 Thread:1908(DETAIL) : ACU Configurator , Category: -HECI- Source: .\Src\HECIWin.cpp : HECIWin::Init Line: 188: Connected to the Intel(R) Management Engine Interface driver, version 5.0.1.10552011-04-24 22:17:53:608 Thread:1908(INFO) : ACU Configurator , Category: AMT Mode Source: .\Src\HECIDiscovery.cpp : CheckAMT Line: 321: Intel(R) AMT in PROVISIONING_MODE_ENTERPRISE2011-04-24 22:17:53:717 Thread:1908(DETAIL) : ACU Configurator , Category: -END- Source: .\Src\HECIDiscovery.cpp : CheckAMT Line: 418: ***** END CheckAMT ******2011-04-24 22:17:55:717 Thread:1908(DETAIL) : ACU Configurator , Category: -Start- Source: .\Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1143: ***** Start GetAmtFQDN ******2011-04-24 22:17:55:748 Thread:1908(DETAIL) : ACU Configurator , Category: Status message Source: .\Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1161: Failed to get data from the firmware. (0xc0000022)2011-04-24 22:17:55:748 Thread:1908(DETAIL) : ACU Configurator , Category: -END- Source: .\Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1215: ***** END GetAmtFQDN ******2011-04-24 22:17:56:186 Thread:1908(INFO) : ACU Configurator , Category: Discovery Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 385: Calling function Discovery...2011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator , Category: Local System Account Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 174: Calling function GetLocalSystemAccount over MEI...2011-04-24 22:17:56:248 Thread:1908(DETAIL) : ACU Configurator , Category: -HECI- Source: .\Src\HECIWin.cpp : HECIWin::Init Line: 188: Connected to the Intel(R) Management Engine Interface driver, version 5.0.1.10552011-04-24 22:17:56:248 Thread:1908(ERROR) : ACU Configurator , Category: Local System Account Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 201: Error: failed to retrive Local System Account using MEI; error code - 12011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator , Category: Discovery Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 405: Host Based Setup is not supported2011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator , Category: Discovery Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 407: Function Discovery ended successfully2011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator, Category: -ConfigViaRCSOnly- Source: .\Src\ActivatorMain.cpp : wmain Line: 778: VPSA800597.ad.ilstu.edu:Starting Remote configuration...2011-04-24 22:17:56:248 Thread:1908(DETAIL) : ACU Configurator , Category: -Start- Source: .\Src\ActivatorDll.cpp : RemoteConfiguration Line: 3145: ***** Start RemoteConfiguration ******2011-04-24 22:17:58:639 Thread:1908(DETAIL) : ACU Configurat...Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Adam,
The PKI private key was not installed with provisioning certificate in the new certificate store. You can see this in the log you posted:
" 2011-04-24 22:18:18:733 Thread:1908(DETAIL) : ACU Configurator , Category: WMI_ConfigAMT Source: .\Src\WMIAccess.cpp : WMI_ConfigAMT Line: 1167: Initial connection to the Intel(R) AMT device failed. (0xc00007d2) ((ExecMethod ConfigAMT) Intel(R) AMT Configuration failed. Initial connection to the Intel(R) AMT device failed. Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error -1073737810: Failed to get the certificate private key. , error in discover 0xc0000fae)".
Regards and good luck,
David
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi David,
Thanks for the reply, I was looking at that but for some reason I must have thought that it was for the client side and that there was something wierd on that end.
I was given a CRT file from GoDaddy and installed that into the store. Do I have to go through the procedure to import that into an IIS 7 machine and then export it out as a PFX?
-Adam
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
David,
That led us on the right path. I had just imported the CRT file that we got back from GoDaddy. Since we had switched servers and renewed the certificate without regenerating a CSR, I had not generated the cert with a private key. The fix (for GoDaddy) was to go into the account and choose Re-Key a cert and enter a newly generated CSR from that server. After this was done and I followed the steps in a GoDaddy document it was then able to provision. Thanks for all the help, I will write up this procedure in the next week or so, so others may benefit.
-Adam
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page