Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

SCS 7.0 Remote Configuration Issues

AList1
Novice

Hello,

For the better part of 2 years we have been trying to get a production vPro environment working consistently. We finally managed to get a working v6.0 environment up and running with about 200 out of 700 machines provisioned. This was not used as much as we found that due to varying BIOS versions and drivers, configuration was very hit or miss. That being said, it at least did work on 200 or so machines.

When SCS 7.0 was released we decided that since it supports Server 2008 R2 we would move to using that and start over. We renewed our cert and followed the installation steps, but ever since then we have been unable to remotely provision any machines. The following are the steps I took that, based on our previous working vPro environment and the installation docs, should have been enough for it to work. I am hoping that with the assistance of the community, I can figure out where the fault lies and I am happy to contribute back to the community with an in-depth document on the steps necessary for this to work.

Server Installation & Configuration Setup

Windows 2008 Server R2 Datacenter 64-bit (ESX Virtual Machine)

  • RCS Service installed as Active Directory user that is used to run the service
    • Active Directory User
      • Local Administrator on box
      • Service set to run as AD User
      • Set only to 2 groups (Workstation admin group) - Avoids Kerberos ticket size limits
  • GoDaddy certificate installed under Certificate store of Active Directory user
  • GoDaddy intermediate and root certificates installed and certificate trust appears verified when checking on the cert information
  • ProvisionServer.{domain}.{suffix} DNS address secured and pointed to Server
  • Server is on Private IP space with no access to internet
  • Firewall has WMI-In and Service whitelisted as exceptions (no outgoing traffic is being blocked)
    • TCP 16992-16995 and TCP 9971 Open
  • DHCP Option 15 is available and correct
  • No errors related to the RCS Service in the Event Viewer
  • UAC is on but configured to allow services to run without confirmation

Client Setup

Windows XP SP3 32-bit - Dell 960

  • Firewall is on and does not block outgoing traffic, the following ports are open
    • TCP 16992-16995 and TCP 9971 Open
  • HECI driver is installed at latest version available to Dell 960 models, LMS and SOL drivers also installed and at latest version
  • BIOS updated to latest available for Dell 960 model
  • ACU_Config is run as the same user running the RCS Service
  • RCS Service user is also local administrator on the client machine
  • Intel Management and Security Status utility shows the system is currently Unconfigured and Awaiting Configuration
    • Network Information shows all fields as "Information Unavailable"
    • Extended System Details show Intel MEI Driver as enabled

Active Directory Setup

  • OU setup underneath our division OU that allows the RCS Server user to create and delete AMT Computer objects

ACU_Config Configuration

The following is the Configuration string used to config the machine:

ACUConfig.exe /verbose ConfigViaRCSOnly provisionserver.{domain}.{suffix} "VPSA Standard Profile" /Abortonfailure

Note: The Domain and Suffix are replaced with the domain information.

ProvisionServer is accessible from the client computer via ping and remote desktop.

Client Log

2011-04-24 22:17:43:545 Thread:1908(INFO) : ACU Configurator , Category: HandleOutPut Source: .\Src\ActivatorUtils.cpp : HandleOutput Line: 216: Starting log 2011-04-24 22:17:43
2011-04-24 22:17:43:545 Thread:1908(DETAIL) : ACU Configurator, Category: VerifyFileSignature Source: .\Src\ActivatorMain.cpp : wmain Line: 105: Verifying the digital signature of ACU.dll, this operation might take up to 3 minutes...
2011-04-24 22:17:53:358 Thread:1908(INFO) : ACU Configurator , Category: VerifyFileSignature Source: .\Src\ActivatorUtils.cpp : VerifyFileSignature Line: 984: The file "ACU.dll" is signed and the signature was verified.
2011-04-24 22:17:53:498 Thread:1908(DETAIL) : ACU Configurator , Category: -Start- Source: .\Src\HECIDiscovery.cpp : CheckAMT Line: 115: ***** Start CheckAMT ******
2011-04-24 22:17:53:498 Thread:1908(DETAIL) : ACU Configurator , Category: -HECI- Source: .\Src\HECIWin.cpp : HECIWin::Init Line: 188: Connected to the Intel(R) Management Engine Interface driver, version 5.0.1.1055
2011-04-24 22:17:53:608 Thread:1908(INFO) : ACU Configurator , Category: AMT Mode Source: .\Src\HECIDiscovery.cpp : CheckAMT Line: 321: Intel(R) AMT in PROVISIONING_MODE_ENTERPRISE
2011-04-24 22:17:53:717 Thread:1908(DETAIL) : ACU Configurator , Category: -END- Source: .\Src\HECIDiscovery.cpp : CheckAMT Line: 418: ***** END CheckAMT ******
2011-04-24 22:17:55:717 Thread:1908(DETAIL) : ACU Configurator , Category: -Start- Source: .\Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1143: ***** Start GetAmtFQDN ******
2011-04-24 22:17:55:748 Thread:1908(DETAIL) : ACU Configurator , Category: Status message Source: .\Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1161: Failed to get data from the firmware. (0xc0000022)
2011-04-24 22:17:55:748 Thread:1908(DETAIL) : ACU Configurator , Category: -END- Source: .\Src\HECIDiscovery.cpp : GetAmtFQDN Line: 1215: ***** END GetAmtFQDN ******
2011-04-24 22:17:56:186 Thread:1908(INFO) : ACU Configurator , Category: Discovery Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 385: Calling function Discovery...
2011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator , Category: Local System Account Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 174: Calling function GetLocalSystemAccount over MEI...
2011-04-24 22:17:56:248 Thread:1908(DETAIL) : ACU Configurator , Category: -HECI- Source: .\Src\HECIWin.cpp : HECIWin::Init Line: 188: Connected to the Intel(R) Management Engine Interface driver, version 5.0.1.1055
2011-04-24 22:17:56:248 Thread:1908(ERROR) : ACU Configurator , Category: Local System Account Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::GetLocalSystemAccount Line: 201: Error: failed to retrive Local System Account using MEI; error code - 1
2011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator , Category: Discovery Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 405: Host Based Setup is not supported
2011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator , Category: Discovery Source: .\Src\HostBasedSetup.cpp : HostBasedSetup::Discovery Line: 407: Function Discovery ended successfully
2011-04-24 22:17:56:248 Thread:1908(INFO) : ACU Configurator, Category: -ConfigViaRCSOnly- Source: .\Src\ActivatorMain.cpp : wmain Line: 778: VPSA800597.ad.ilstu.edu:Starting Remote configuration...
2011-04-24 22:17:56:248 Thread:1908(DETAIL) : ACU Configurator , Category: -Start- Source: .\Src\ActivatorDll.cpp : RemoteConfiguration Line: 3145: ***** Start RemoteConfiguration ******
2011-04-24 22:17:58:639 Thread:1908(DETAIL) : ACU Configurat...
3 Replies
idata
Employee

Hi Adam,

The PKI private key was not installed with the provisioning certificate in the new certificate store. You can see this in the log you posted:

" 2011-04-24 22:18:18:733 Thread:1908(DETAIL) : ACU Configurator , Category: WMI_ConfigAMT Source: .\Src\WMIAccess.cpp : WMI_ConfigAMT Line: 1167: Initial connection to the Intel(R) AMT device failed. (0xc00007d2) ((ExecMethod ConfigAMT) Intel(R) AMT Configuration failed. Initial connection to the Intel(R) AMT device failed. Failed while calling Soap call GetCoreVersion. Intel(R) AMT connection error -1073737810: Failed to get the certificate private key. , error in discover 0xc0000fae)".

Regards and good luck,

David

AList1
Novice

Hi David,

Thanks for the reply, I was looking at that but for some reason I must have thought that it was for the client side and that there was something weird on that end.

I was given a CRT file from GoDaddy and installed that into the store. Do I have to go through the procedure to import that into an IIS 7 machine and then export it out as a PFX?

-Adam

AList1
Novice

David,

That led us on the right path. I had just imported the CRT file that we got back from GoDaddy. Since we had switched servers and renewed the certificate without regenerating a CSR, I had not generated the cert with a private key. The fix (for GoDaddy) was to go into the account and choose Re-Key a cert and enter a newly generated CSR from that server. After this was done and I followed the steps in a GoDaddy document it was then able to provision. Thanks for all the help, I will write up this procedure in the next week or so, so others may benefit.

-Adam
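
The condition diagnosed in this thread (a provisioning certificate imported from a .crt file with no matching private key on the server) can be checked directly in the certificate store. The following is an added example, not part of the original posts or of Intel SCS; the function name Test-ProvisioningCertKey is hypothetical, and it assumes the certificate sits in the Personal store of the account that runs the RCS service, as described in the first post.

```powershell
# Added example: run in a session started as the RCS service account,
# because the thread installs the certificate in that user's store.
function Test-ProvisioningCertKey {
    param(
        # Assumption: the certificate is in the user's Personal ("My") store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Build the chain without revocation lookups: the server in the
        # post has no internet access, so online checks would only time out.
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        # New-Object PSObject keeps this usable on the PowerShell 2.0
        # that ships with Server 2008 R2.
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ChainBuilds   = $chainOk
        }
    }
}

$results = @(Test-ProvisioningCertKey)
$results | Format-Table Subject, NotAfter, HasPrivateKey, ChainBuilds -AutoSize

# A certificate can show a fully trusted chain and still be unusable
# for provisioning when the private key was never on this server.
$missing = @($results | Where-Object { -not $_.HasPrivateKey })
if ($missing.Count -gt 0) {
    Write-Warning 'Certificates with no private key in this store:'
    foreach ($m in $missing) {
        Write-Warning ('  ' + $m.Subject + '  ' + $m.Thumbprint)
    }
}
```

A row with ChainBuilds True and HasPrivateKey False matches the situation in the first post, where the trust chain looked verified but provisioning failed.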
