Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Server unexpectedly disconnected when TLS handshaking.

idata
Employee

Hi

I'm searching for a solution regarding the above error. I already crawled through a lot of threads. We use SCCM to do an in-bound provisioning.

DHCP is set up with options 6 and 15 in place

Provisioning certificate and also the web certificate are prepared

AMT is detected but not provisioned.

PC was unprovisioned multiple times

CMOS reset tested

We use our own certificate root so hash was added.

OOBM server is Windows 2008 R2

Here is the provisioning log. Original domain name is replaced by X.Y.Z. !!!!

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

Provision target is indicated with SMS resource id. (MachineId = 306 PC1167466W7.X.Y.Z) SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Found valid basic machine property for machine id = 306. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

The provision mode for device PC1167466W7.X.Y.Z is 1. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

AMT Provision Worker: 1 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 39124 (0x98D4)

 

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 39124 (0x98D4)

 

Check target machine (version 5.2.10) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

The IP addresses of the host PC1167466W7.X.Y.Z are 140.100.4.20. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Create provisionHelper with (Hash: 966D32ADFEE1F8A52CD0E36D27EDDEEC251BC2DD) SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Try to use provisioning account to connect target machine PC1167466W7.X.Y.Z... SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

**** Error 0x4e5b1f0 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Fail to connect and get core version of machine PC1167466W7.X.Y.Z using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Try to use default factory account to connect target machine PC1167466W7.X.Y.Z... SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

**** Error 0x4e5b1f0 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Fail to connect and get core version of machine PC1167466W7.X.Y.Z using default factory account. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Try to use provisioned account (random generated password) to connect target machine PC1167466W7.X.Y.Z... SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

**** Error 0x4e5b1f0 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Fail to connect and get core version of machine PC1167466W7.X.Y.Z using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 306) SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

Error: Can NOT establish connection with target device. (MachineId = 306) SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:49 63016 (0xF628)

 

>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 17.01.2011 13:30:50 63016 (0xF628)

Any ideas how to solve this issue, or maybe an idea how to further troubleshoot this issue?

Thanks in advance

Joachim
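For triaging a log like the one in this post, an added example (not from the thread and not part of SCCM) that groups SMS_AMT_OPERATION_MANAGER lines by provisioning task and reports whether the certificate hash matched and whether every account attempt stopped at the TLS handshake. The sample lines, host name and thread ids are constructed, and the function names are hypothetical.

```python
import re

# Line layout seen in the post: "<message> SMS_AMT_OPERATION_MANAGER <date> <time> <thread> (0x..)"
LINE = re.compile(r"^(?P<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+"
                  r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\s+(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)")
TRY = re.compile(r"Try to use (?P<acct>.+?) to connect target machine (?P<host>\S+?)\.\.\.")

# Constructed sample in the same layout (host name and thread ids are made up).
SAMPLE = """\
>>>Provision task begin<<< SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:00 100 (0x64)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:00 200 (0xC8)
Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:00 100 (0x64)
Try to use provisioning account to connect target machine PC0001.example.test... SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:00 100 (0x64)
Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:00 100 (0x64)
Try to use default factory account to connect target machine PC0001.example.test... SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:00 100 (0x64)
Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:00 100 (0x64)
>>>Provision task end<<< SMS_AMT_OPERATION_MANAGER 01.01.2011 10:00:01 100 (0x64)
"""

def parse_tasks(text):
    """Group log lines into provisioning tasks, following only the task's own thread."""
    tasks, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a log record
        msg, tid = m["msg"], m["tid"]
        if "Provision task begin" in msg:
            cur = {"tid": tid, "hash_matched": False, "attempts": []}
        elif cur is None or tid != cur["tid"]:
            continue  # interleaved line from another worker thread
        elif "Found matched certificate hash" in msg:
            cur["hash_matched"] = True
        elif (t := TRY.search(msg)):
            cur["attempts"].append({"account": t["acct"], "host": t["host"], "error": None})
        elif "TLS handshaking" in msg and cur["attempts"]:
            cur["attempts"][-1]["error"] = "tls_handshake"
        elif "Provision task end" in msg:
            tasks.append(cur)
            cur = None
    return tasks

def all_accounts_fail_in_handshake(task):
    return bool(task["attempts"]) and all(a["error"] == "tls_handshake" for a in task["attempts"])

if __name__ == "__main__":
    for task in parse_tasks(SAMPLE):
        print(task["hash_matched"], len(task["attempts"]), all_accounts_fail_in_handshake(task))
```
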

KYLE_H_Intel
Employee

In the context that you are seeing it, this error is usually the result of a problem with the provisioning certificate. However, from the log it looks like that part was successful. The failure happened when attempting to connect with provisioning account. When you added the custom certificate hash for your network into MEBX, did you change the password to something that matches the SCCM provisioning account? It looks like there might be a password mismatch.

Does this happen with just this client or does it happen with all clients?

Did you make any changes to SCCM during the successful and unsuccessful provisioning attempts?

idata
Employee

Were you guys able to solve this? I am having the exact same scenario with the exact same issue. Please help.

idata
Employee

Hi

It's solved in our environment, but I can't remember exactly what solved this issue. The whole AMT stuff is, let's say, quite complex. I changed so many settings that in the end I am unable to provide a solution for this dedicated issue.

Because we use SCCM and Intel AMT, it's often a time issue. If the certificates are correct and also the user/password is set up correctly in SCCM, it can take a while, because the client creates a one-time password which is used by SCCM to connect to the machine. The one-time password is created on the client side, has to be updated in the database, and the provisioning process has to be initiated. The process is initiated once a day, as I remember, but you can force it via sendsched and the code {00000000-0000-0000-0000-000000000120}.

My recommendation would be:

1) double check the certificates

2) double check the password entered in SCCM if you use SCCM

3) take a break for at least one day

4) use the sendsched script or exe to initiate the AMT cycle

Regards

Joachim
