Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Second stage provisioning fails because there is a Winhttp proxy

idata
Employee
2,577 Views

Does anyone have any ideas on how to resolve the following issue?

The status of a client (AMT 3.2.1) system shows provisioned in the SCCM console. I can also open the Out Of Band console by right clicking on the client in the SCCM console (could not do this previously). However connection to the client still fails. I have discovered that the 2nd stage provision on AMT device fails. Please refer to the extract of the amtopmgr.log file.

The PKI infrastructure is in place (AMT client has certificate and AMT status on client also shows provisioned) and I have created the OU for OOBM in AD and granted the SCCM computer account full control in AD OOBM OU and child objects. In addition, the SCCM AMT Operations Manager component logged the following: Provisioning failed because there is a winhttp proxy.

We are running the SCCM Primary site server on a VM in Hyper-V. I had the Out of Band service point configured on the Primary site server. Thinking that this might be a problem (because of the VM environment), I relocated the Out of Band service point role to another Physical W2K8 host. This system has the Hyper-V role installed which implies that it has a virtual network adapter. The out of band service point is not located in a VM though. I attempted the process again, however same result. Hyper-V creates a separate virtual network... not sure whether this is the problem. Obviously this is a lab/testing environment.

Any assistance will be appreciated.

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Provision target is indicated with SMS resource id. (MachineId = 49 XV.bcxhpw.lcl) SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=HPW-HOST1 SITE=C01 PID=6852 TID=6764 GMTDATE=Mon Aug 11 08:05:44.817 2008 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 6764 (0x1A6C)

Found valid basic machine property for machine id = 49. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

The provision mode for device XV.bcxhpw.lcl is 1. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Create provisionHelper with (Hash: 01E12F9F096DF5995D4DA60EDC2C786DD2458D37) SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Try to use provisioned account (random generated password) to connect target machine XV.bcxhpw.lcl... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:45 AM 6764 (0x1A6C)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:45 AM 6764 (0x1A6C)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:45 AM 6764 (0x1A6C)

Succeed to connect target machine XV.bcxhpw.lcl and core version with 3.2.1 using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:48 AM 4872 (0x1308)

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Get device provisioning state is Post Provisioning SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Machine XV.bcxhpw.lcl will be added and published to AD and OU is LDAP://HPW-DC.bcxhpw.lcl/OU=Out of Band Management Controllers,DC=bcxhpw,DC=lcl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Send request to AMT proxy component to add machine XV.bcxhpw.lcl to AD. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Successfully created instruction file for AMT proxy task: C:\SMS\MP\OUTBOXES\amtproxy.box SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Processing provision on AMT device XV.bcxhpw.lcl... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Start 2nd stage provision on AMT device XV.bcxhpw.lcl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

session params : https://XV.bcxhpw.lcl:16993 , 11001 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Delete existing ACLs... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: Cannot Enumerate User Acl Entries. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: Can not finish WSMAN call with target device. Check if there is a winhttp proxy to block connection. (MachineId = 49) SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

STATMSG: ID=7208 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=HPW-HOST1 SITE=C01 PID=6852 TID=4872 GMTDATE=Mon Aug 11 08:05:53.382 2008 ISTR0="XV.bcxhpw.lcl" ISTR1="XV.bcxhpw.lcl" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Add ACLs.. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: failed to Add User Acl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Set Ping Response with true... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: Failed to put changes to AMT_GeneralSettings instance. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetPingResponse SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Set Kerberos options... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: Failed to get AMT_KerberosSettingData instance. SMS_AMT_OPERATION_MANAGER 2008/08/1...

0 Kudos
11 Replies
Matthew_R_Intel
Employee
821 Views

I'm assuming your SCCM Server is...

--Matt Royer

0 Kudos
idata
Employee
821 Views

Yes that is correct.

OS = Windows 2003 Server R2 Standard with Service Pack 2

WinRM - KB936059 installed

Hotfix KB 942841 installed

The DC with Ent Root CA is installed on a separate VM running W2K8 Ent with SP1

Thanx

Jean

0 Kudos
Matthew_R_Intel
Employee
821 Views

You mentioned that AMT Client has a certificate; however, taking a closer look at the log files you posted, I am not seeing any reference to the SCCM creating the AMT Web Certificate on behalf of the AMT client.

Your log

Machine XV.bcxhpw.lcl will be added and published to AD and OU is LDAP://HPW-DC.bcxhpw.lcl/OU=Out of Band Management Controllers,DC=bcxhpw,DC=lcl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Send request to AMT proxy component to add machine XV.bcxhpw.lcl to AD. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Successfully created instruction file for AMT proxy task: C:\SMS\MP\OUTBOXES\amtproxy.box SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Processing provision on AMT device XV.bcxhpw.lcl... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Start 2nd stage provision on AMT device XV.bcxhpw.lcl.

Successful Provision I have done (snippet)

Machine vPro-Client.vprodemo.com will be added and published to AD and OU is LDAP://vprodemodc.vprodemo.com/OU=Out of Band Management Controllers,DC=vprodemo,DC=com. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)

Send request to AMT proxy component to add machine vPro-Client.vprodemo.com to AD. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)

Successfully created instruction file for AMT proxy task: C:\Program Files\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)

Processing provision on AMT device vPro-Client.vprodemo.com... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)

Send request to AMT proxy component to generate client certificate. (MachineId = 3) SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)

Successfully created instruction file for AMT proxy task: C:\Program Files\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)

Wait 20 seconds to find client certificate for AMT device vPro-Client.vprodemo.com being generated again... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:59 AM 5688 (0x1638)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:59 AM 5688 (0x1638)

RETRY(1) - Validate client certificate for AMT device vPro-Client.vprodemo.com being generated. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:11 AM 1428 (0x0594)

Found client certificate already being generated for AMT device vPro-Client.vprodemo.com. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:11 AM 1428 (0x0594)

Start 1st stage provision on AMT device vPro-Client.vprodemo.com. (SOAP) SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:11 AM 1428 (0x0594)

SecurityAdministration.ClearTLSCredentials finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:15 AM 1428 (0x0594)

NetworkTime.GetLowAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:18 AM 1428 (0x0594)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:19 AM 5688 (0x1638)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:19 AM 5688 (0x1638)

NetworkTime.SetHighAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:20 AM 1428 (0x0594)

NetworkAdmin.SetHostName finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:24 AM 1428 (0x0594)

NetworkAdmin.SetDomainName finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:28 AM 1428 (0x0594)

SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:37 AM 1428 (0x0594)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:39 AM 5688 (0x1638)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:39 AM 5688 (0x1638)

SecurityAdministration.SetTlsServerAuthentication finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:40 AM 1428 (0x0594)

SecurityAdministration.GetDigestRealm finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:44 AM 1428 (0x0594)

SecurityAdministration.SetAdminAclEntryEx finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:48 AM 1428 (0x0594)

SecurityAdministration.SetMEBxPassword finished with HResult = 0x0, status = 0x10, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:52 AM 1428 (0x0594)

We can't set MEBx password at this time. Admin may have already changed this. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:52 AM 1428 (0x0594)

SecurityAdministration.CommitChanges finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:56 AM 1428 (0x0594)

Finished 1st stage provision on AMT device vPro-Client.vprodemo.com. Sleep 5 seconds for 2nd stage provision. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:56 AM 1428 (0x0594)

Start 2nd stage provision on AMT device XV.bcxhpw.lcl

It looks like in your case, it gets to right before the step of "send request to AMT proxy component to generate client certificate" and jumps to second stage provision.

I'm assuming you have configured the "Certificate Template" in the SCCM Out of Band Management Properties? If so, was the certificate for the AMT client generated on Certificate Authority? Can you also double check to see if the AMT Object was created in the Out of Band Management Controllers OU. What does the Amtproxymgr.log have to say?

--Matt Royer

0 Kudos
idata
Employee
821 Views

Hi Matt,

I did configure/import the AMT provisioning cert pfx file in the OOBM component in SCCM. However I also selected the AMT provisioning template instead of the Web cert template. I corrected this and it works 100% now.

Many thanx

Jean

0 Kudos
Matthew_R_Intel
Employee
821 Views

Jean,

To confirm... You selected the AMT Web certificate template (that you created on your certificate authority) under "Certificate Template" in the SCCM Out of Band Management Properties and this resolved your issue?

--Matt Royer

0 Kudos
idata
Employee
821 Views
0 Kudos
idata
Employee
821 Views

Hi Matt, can you post the log for 2nd stage provisioning? I got all the same log you posted for stage 1 provisioning but am still getting that WINHTTP proxy error.

Here is my log

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Provision target is indicated with SMS resource id. (MachineId = 33 CMLAB-NY-PX19.cmlab.com) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Start to send a basic machine property creation request to FDM. (MachineId = 33) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Fill Machine Property' SID=1 MUF=0 PCNT=5, P1='CMLAB-NY-PX19' P2='8913000059B0DD3A8AC4EE5F39479699EFEA23F1438FD88915B21931ABE914224B1DB14F6BB9E7845FC91EFB1400000042000000480000000366000000000000B8217190F8E72BE55816450AD3F561AF898303C775F2A58D6D520BFC5079D7C91629CE8A05CDF70DAEE50FED0CA458EB1420307D8CC72968907DAF4A9EB832C0137BFECD11111C580043' P3='CMLAB-NY-PX19.cmlab.com' P4='admin' P5='D23C3E23DF17A188E1DF45AB328E8DF1C4519523' SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

CStateMsgReporter::DeliverMessages - Created state message file: D:\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\iphmyk1r.SMX SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

The provision mode for device CMLAB-NY-PX19.cmlab.com is 1. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Create provisionHelper with (Hash: 02F11146224794187F0664971630BDB5CCB0A0AC) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Try to use provisioning account to connect target machine CMLAB-NY-PX19.cmlab.com... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Succeed to connect target machine CMLAB-NY-PX19.cmlab.com and core version with 3.2.1 using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:13 PM 5480 (0x1568)

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:16 PM 5480 (0x1568)

Get device provisioning state is In Provisioning SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:16 PM 5480 (0x1568)

Passed OTP check on AMT device CMLAB-NY-PX19.cmlab.com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Machine CMLAB-NY-PX19.cmlab.com will be added and published to AD and OU is LDAP://OU=Out of Band Management Controllers,OU=NewYork,OU=Americas,OU=AllOffices,DC=cmlab,DC=com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Send request to AMT proxy component to add machine CMLAB-NY-PX19.cmlab.com to AD. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Successfully created instruction file for AMT proxy task: D:\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Processing provision on AMT device CMLAB-NY-PX19.cmlab.com... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Send request to AMT proxy component to generate client certificate. (MachineId = 33) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Successfully created instruction file for AMT proxy task: D:\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Wait 20 seconds to find client certificate for AMT device CMLAB-NY-PX19.cmlab.com being generated again... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:29 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:29 PM 2816 (0x0B00)

RETRY(1) - Validate client certificate for AMT device CMLAB-NY-PX19.cmlab.com being generated. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:40 PM 5480 (0x1568)

Found client certificate already being generated for AMT device CMLAB-NY-PX19.cmlab.com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:40 PM 5480 (0x1568)

Start 1st stage provision on AMT device CMLAB-NY-PX19.cmlab.com. (SOAP) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:40 PM 5480 (0x1568)

SecurityAdministration.ClearTLSCredentials finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:44 PM 5480 (0x1568)

NetworkTime.GetLowAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:47 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:49 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:49 PM 2816 (0x0B00)

NetworkTime.SetHighAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:49 PM 5480 (0x1568)

NetworkAdmin.SetHostName finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:53 PM 5480 (0x1568)

NetworkAdmin.SetDomainName finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:56 PM 5480 (0x1568)

SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:05 PM 5480 (0x1568)

SecurityAdministration.SetTlsEnabled finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:09 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:09 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:09 PM 2816 (0x0B00)

SecurityAdministration.GetDigestRealm finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:13 PM 5480 (0x1568)

SecurityAdministration.SetAdminAclEntryEx finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:17 PM 5480 (0x1568)

SecurityAdministration.SetMEBxPassword finished with HResult = 0x0, status = 0x10, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:21 PM 5480 (0x1568)

We can't set MEBx password at this time. Admin may have already changed this. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:21 PM 5480 (0x1568)

SecurityAdministration.CommitChanges finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:25 PM 5480 (0x1568)

Finished 1st stage provision on AMT device CMLAB-NY-PX19.cmlab.com. Sleep 5 seconds for 2nd stage provision. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:25 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:29 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:29 PM 2816 (0x0B00)

Start 2nd stage provision on AMT device CMLAB-NY-PX19.cmlab.com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:30 PM 5480 (0x1568)

session params : https://CMLAB-NY-PX19.cmlab.com:16993 , 11001 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:30 PM 5480 (0x1568)

Delete existing ACLs... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:30 PM 5480 (0x1568)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: Cannot Enumerate User Acl Entries. SMS...

0 Kudos
Matthew_R_Intel
Employee
821 Views

Jtech,

I'm assuming that you have installed the following hotfixes?

Windows Server 2003 WinRM 1.1:

  • Description: Windows Remote Management improves hardware management in a network environment in which various devices run various operating systems. Windows Remote Management uses an interoperable standard protocol to help you monitor and manage computers.

  • URL: http://support.microsoft.com/kb/936059

Windows Server 2003 Hotfix (KB942841):

  • Description: A Windows Server 2003-based computer cannot make an SSL connection or a TLS connection to the out-of-band interface on an Intel Active Management Technology (AMT)-enabled computer

  • URL: http://support.microsoft.com/kb/942841

Complete list of SCCM OOB related hotfixes and required software bundles: http://communities.intel.com/docs/DOC-1897

--Matt Royer

0 Kudos
idata
Employee
821 Views

I am running SCCM R2 on Windows 2008. Is there a different set of hotfixes? Thanks.

0 Kudos
Matthew_R_Intel
Employee
821 Views

Those hotfixes should already be included within Windows 2008.

During stage 1 provisioning, SCCM uses a combination of the Remote Configuration certificate (PKI) and the default remote admin password to authenticate with the vPro client. The communication between the SCCM Out Of Band Service Point and the vPro client is secured through SSL with the AMT self-signed certificate on the vPro client. During this process an AD object is created, a TLS certificate for securing future AMT manageability is issued and pushed to the client, the remote admin password is set (which SCCM scrambles), and then the changes are committed. At this point, the device is technically "provisioned". From the log this appears to be functioning just fine.

For second stage provisioning, the SCCM Out Of Band Service Point connects to the AMT client URL (via SSL using the PKI certificate issued during stage 1 provisioning) and authenticates with the remote admin password (which was scrambled and set during stage 1 provisioning). Once it has properly authenticated, it will set the ACLs, power policy, etc.; this is typically known as the "profile" configuration. This is the part that is failing for you.

So with that... If second stage provisioning is failing and you have all the required hotfixes, I would recommend checking the following.

  1. Ensure that your TLS certificate that was requested for the vPro client was properly generated.

  2. Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Server has the appropriate permission. SCCM SP1 Help File Article: "Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx); Section: "Preparing the Web Server Certificates for AMT-Based Computers".

  3. Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "How to Configure AMT Provisioning" (http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx); Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.

  4. Open up the certificate on the issuing CA and confirm that it was issued to the FQDN of the vPro Client.

  5. Using a web browser, connect to https://<fqdn_of_vpro_client>:16993/ (i.e. https://cmlab-ny-px19.cmlab.com:16993/ ) and ensure that you do not get any certificate errors when you connect to the vPro client manageability URL. It should appear as a valid secure website; look at the SSL connection in the web browser (the quickest way is to double-click on the lock icon in the bottom right-hand corner of the web browser window) and ensure the certificate chains back to a root certificate authority in your SCCM trusted root CA store.

The remote admin password may not have been set correctly during the provisioning process.

  1. Try provisioning the vPro client again and see if you get the same error; however, I would ensure your certificate for the vPro client is correct first.

On another note, SCCM R2 still requires the SCCM related hotfixes listed on http://communities.intel.com/docs/DOC-1897

--Matt Royer

0 Kudos
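The log markers used in the replies above (the missing "generate client certificate" request in the first log, and the stage 1 / stage 2 split described in this reply) can be checked mechanically. The script below is an added example, not part of any post or of SCCM; the sample excerpts are constructed from log lines quoted in this thread with the component and timestamp columns trimmed, and the function name and verdict labels are hypothetical.

```python
import re

# Marker strings copied from the amtopmgr.log lines quoted in this thread.
MARKERS = {
    "cert_requested": "Send request to AMT proxy component to generate client certificate",
    "stage1_finished": "Finished 1st stage provision",
    "stage2_started": "Start 2nd stage provision",
    "security_error": "Description: A security error occurred",
    "proxy_hint": "Check if there is a winhttp proxy",
}
FAILED_CALL = re.compile(r"Fail to call AMTWSManUtilities::(\w+)")

# Hypothetical verdict labels, each mapped to the check suggested in the thread.
ADVICE = {
    "stage2-not-reached": "No 2nd stage marker in this excerpt.",
    "stage2-clean": "2nd stage started and logged no security error.",
    "cert-request-skipped": "No client certificate request before stage 2: check the "
                            "Certificate Template in Out of Band Management Properties.",
    "stage1-incomplete": "Certificate requested, but stage 1 did not log completion.",
    "cert-issued-but-tls-rejected": "Stage 1 finished, stage 2 TLS/WS-Man calls failed: "
                                    "inspect the issued certificate (FQDN, chain) on port 16993.",
}

def triage(log_text):
    """Classify the first provisioning attempt found in an amtopmgr.log excerpt."""
    seen, before_stage2, failed_calls = set(), None, []
    for line in log_text.splitlines():
        for key, marker in MARKERS.items():
            if marker in line:
                if key == "stage2_started" and before_stage2 is None:
                    before_stage2 = set(seen)  # what stage 1 had logged so far
                seen.add(key)
        match = FAILED_CALL.search(line)
        if match:
            failed_calls.append(match.group(1))
    if before_stage2 is None:
        verdict = "stage2-not-reached"
    elif "security_error" not in seen and not failed_calls:
        verdict = "stage2-clean"
    elif "cert_requested" not in before_stage2:
        verdict = "cert-request-skipped"
    elif "stage1_finished" not in before_stage2:
        verdict = "stage1-incomplete"
    else:
        verdict = "cert-issued-but-tls-rejected"
    return {"verdict": verdict, "advice": ADVICE[verdict],
            "failed_calls": failed_calls, "proxy_hint": "proxy_hint" in seen}

# Constructed excerpt: shape of the first log in the thread (no certificate request).
SKIPPED_CERT_LOG = """\
Send request to AMT proxy component to add machine XV.bcxhpw.lcl to AD.
Processing provision on AMT device XV.bcxhpw.lcl...
Start 2nd stage provision on AMT device XV.bcxhpw.lcl.
Delete existing ACLs...
ERROR: Invoke(invoke) failed: 80020009argNum = 0
Description: A security error occurred
Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs
Error: Can not finish WSMAN call with target device. Check if there is a winhttp proxy to block connection. (MachineId = 49)
"""

# Constructed excerpt: shape of the second log (certificate requested, stage 1 done).
CERT_ISSUED_LOG = """\
Send request to AMT proxy component to generate client certificate. (MachineId = 33)
Start 1st stage provision on AMT device CMLAB-NY-PX19.cmlab.com. (SOAP)
SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0.
Finished 1st stage provision on AMT device CMLAB-NY-PX19.cmlab.com. Sleep 5 seconds for 2nd stage provision.
Start 2nd stage provision on AMT device CMLAB-NY-PX19.cmlab.com.
Delete existing ACLs...
ERROR: Invoke(invoke) failed: 80020009argNum = 0
Description: A security error occurred
"""

if __name__ == "__main__":
    for name, text in (("first log", SKIPPED_CERT_LOG), ("second log", CERT_ISSUED_LOG)):
        result = triage(text)
        print(name, "->", result["verdict"], "|", result["advice"])
```

Because the markers are matched as substrings, the same function works on full log lines that still carry the SMS_AMT_OPERATION_MANAGER and timestamp columns.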
idata
Employee
821 Views

I had a similar issue when I was helping with a customer SCCM installation.

 

Environment: SCCM SP2, Windows 2008 R2 64 bit.

Issue: Provisioning Stage 1 was successful. Provisioning stage 2 failed.

Observation: Certificates were not issued to client FQDN in Certification Authority.

Root Cause: Certificate Template. We followed the Microsoft documentation to create Certificate Template, but that didn't solve our problem. In house CA Provisioning certificate was fine since I found that hash matched in AMTOpmgr.log.

Solution:

Certificate Template created with the following procedure.

1. run mmc

2. Click on File, Add/Remove Snap-in

3. Select Certificate Templates on left and add, select ok.

4. In Console, click on certificate templates on left, and select webserver template on right, right click and select duplicate template.

5. In General tab, give a name like Config Mgr Web Server template. Click on Publish certificate in Active Directory.

In Request handling tab, select purpose as signature and encryption

In Subject name tab, select subject in the request

In Extensions tab(Important), Select Application Polices, click Edit

Make sure you have all these 4 policies

1. Server Authentication

2. Client Authentication

3. Server OID

4. Client OID

For example, to add Client OID: in the Edit Application Policies Extension dialog, click Add and select New. In New Application Policy, add Name: AMT Client OID and Object Identifier as: 2.16.840.1.113741.1.2.1

Similarly, add Server OID. Name: Server OID, Object Identifier: 2.16.840.1.1.113741.1.2.2

Server Authentication and Client Authentication are already populated in the Add Application Policy Window. So just select them.

The OIDs are Server Authentication: 1.3.6.1.5.5.7.3.1 and Client Authentication: 1.3.6.1.5.5.7.3.2 . Just check.

6. In the Security tab, I have given Read, Enroll, Autoenroll permissions to SCCM server, Enterprise Admins, Domain Admins and Administrator.

That's all. Open Certification Authority now, select Certificate Templates, right-click, New, Certificate Template to Issue, and select the above-created template.

Now configure your SCCM -> Component Configuration -> Out of Band Management properties with the new certificate template we created.

Do a full unprovision in client MEBx and restart the client. This time both provisioning stage 1 and stage 2 should be successful. As a cross-check, you can look at issued certificates in the CA: the issued certificate's template should be the new template we created, and Issued To should have client FQDN with UUID.

Good luck.

Venugopal

Intel

0 Kudos
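The cross-check described in the last post (certificate issued to the client FQDN and carrying the four application policies) can be scripted against an exported certificate. This is an added example, not code from any poster or from SCCM; it assumes the third-party Python `cryptography` package, uses a constructed self-signed certificate and a placeholder host name in place of a real export, and takes the policy OIDs exactly as they are written in the post.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Application policies from the post above, values copied as written there.
# The "Server OID" value has one more arc than the client OID; compare both
# with what your own template shows before relying on this list.
REQUIRED_POLICIES = {
    "Server Authentication": "1.3.6.1.5.5.7.3.1",
    "Client Authentication": "1.3.6.1.5.5.7.3.2",
    "AMT Client OID": "2.16.840.1.113741.1.2.1",
    "Server OID": "2.16.840.1.1.113741.1.2.2",
}

def check_amt_web_cert(cert, fqdn, required=REQUIRED_POLICIES):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # Names the certificate was issued to: subject CN plus any DNS SAN entries.
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names += san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    if fqdn.lower() not in [str(n).lower() for n in names]:
        problems.append(f"not issued to {fqdn} (found: {names})")
    # Application policies appear in the certificate as Extended Key Usage OIDs.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        present = {oid.dotted_string for oid in eku}
    except x509.ExtensionNotFound:
        present = set()
    for label, oid in required.items():
        if oid not in present:
            problems.append(f"missing application policy {label} ({oid})")
    return problems

def make_sample_cert(common_name, eku_oids):
    """Constructed self-signed certificate standing in for one exported from the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.ExtendedKeyUsage([x509.ObjectIdentifier(o) for o in eku_oids]),
            critical=False,
        )
    )
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    # Placeholder FQDN; for a real check, load the exported certificate with
    # x509.load_pem_x509_certificate(open(path, "rb").read()) instead.
    fqdn = "amt-client.example.test"
    good = make_sample_cert(fqdn, list(REQUIRED_POLICIES.values()))
    bad = make_sample_cert("other-host.example.test", ["1.3.6.1.5.5.7.3.1"])
    print("good:", check_amt_web_cert(good, fqdn))
    print("bad: ", check_amt_web_cert(bad, fqdn))
```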