Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Valid certificate for PKI configuration not found - Intel SCS 9.1

JSank
Beginner

Hello,

I am using Intel SCS 9.1. Machines are listed in the SCS console but with status "Configuration Failed" and connection status "Not Discovered". I tried manual discovery by selecting the machine and "Discover data", and I get the error below.

Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.

Valid certificate for PKI configuration not found.

What I did so far

1. Certificates were created on the Subordinate CA. I went through the certificate and validated the settings; the verification looks good. I used two documents as a reference to create the certificates.

a) SCCM Guru - https://sccmguru.wordpress.com/2013/12/22/integrating-configuration-manager-2012-r2-with-intel-scs-9-0-part-3-certification-authority/ (Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 3: Certification Authority | SCCM GURU)

b) Intel SCS user guide - Section "9.2.5 Defining Enterprise CA Templates"

2. Did some research on this forum and followed the suggestion of creating a basic low-security profile:

acuconfig.exe /lowsecurity /output console /verbose ConfigureViaRCSOnly <$SCSServerName> /wmiuser domain\AMTAdmin /wmiuserpassword P@ssw0rd

This test failed as well. I get the error below.

Exit with code 75.

Details: Failed to complete remote configuration of this Intel(R) AMT device.

Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.

Valid certificate for PKI configuration not found.

 

My final intention is to get it working from SCCM 2012. Since I am unable to do it from SCCM, I started with the SCS console to get at least a few machines going and then think about getting it to work from SCCM.

Any suggestion in the right direction is appreciated.

Thank you

14 Replies
Bruno_Domignues
Employee

Hi,

What is going on in your case is that these machines are not yet provisioned. The guidelines you mentioned relate to issuing a certificate to *each* vPro machine in order to allow integration with SCCM; however, for provisioning you have two courses of action: use a 3rd-party certificate for provisioning, e.g. GoDaddy (https://support.godaddy.com/help/article/5260/setting-up-a-ssl-for-intel-vpro), which is the reason you are getting this error, *or* adopt Host Based Configuration (/community/itpeernetwork/vproexpert/blog/2011/03/08/lets-step-through-host-based-configuration-and-intel-vpro-technology), which is available since AMT 6.2. In both cases, I would suggest you use the Intel SCS Add-on for System Center Configuration Manager (https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=24585&lang=eng&ProdId=3051); inside this .zip file you will find documentation on how to provision in order to allow integration with SCCM.

Best Regards!

-Bruno Domingues

JSank
Beginner

Thank you. I have already installed the SCS Add-on for SCCM. I am using a domain CA for certificates. I will go through the documentation and update my findings.

JSank
Beginner

Hi Brunodom,

Thanks again for your suggestion. I went through the document that you suggested. It's pretty detailed.

Here is what I did.

1. I have downloaded "intelscs_9.1.2.74" and "IntelSCS_SCCMAddon_2.1.6.3".

2. I have my Microsoft Enterprise CA. Certificates are prepared on the Subordinate CA following the instructions specified in Section 2.0 Prerequisites in "Intel(R)_SCS_Addon_SCCM_2012.pdf". This includes "Disabling OOB Management Controller Provisioning" in all SCCM collections.

3. User groups are prepared as specified in the document, section 2.6.6. In my case the "Kerberos Admin User Group" and "Redirection User Group" have the same user. I created two groups so I can allocate the appropriate permissions when creating the profile - hope this is okay.

4. Our requirement is to use "Remote Configuration" in "Admin Control Mode" with SCS integration.

5. SCS is installed in Database mode.

6. I have created a profile within the SCS console following the instructions in "3.2 Creating a Profile for Remote Configuration".

7. Installed the SCCM Add-on and pointed it to use the profile within SCS.

8. I have enabled "Intel AMT: Discover and Report" and "Intel AMT: Remote Configuration". This populated a few machines and I am targeting only a few test machines now.

9. When "Intel AMT: Remote Configuration" is run, it fails again with the same error given above:

Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.

Valid certificate for PKI configuration not found.

You mentioned the requirement of a 3rd-party cert in a previous post. This is the only thing that I did not do, as the guide "Intel(R)_SCS_Addon_SCCM_2012.pdf" did not specify that. However, a certificate issued by the Microsoft enterprise CA is used in the AMT profile created within the SCS console.

Is a 3rd-party cert required? Is there a doc that I can refer to on the information that I would need to provide to the 3rd party to get a certificate? I guess I can follow the instructions in this link to get the certificate imported.

Thanks for your assistance.

JSank
Beginner

Update:

Found a post that will guide the cert creation process: https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=21742&lang=eng (Intel® Download Center)

But this doc was written in 2012 and might be out of date. A cert request file was created, and when it was uploaded to GoDaddy I got a warning that a cert for an internal domain name will expire in September. My SCCM server that runs SCS is sccm.domain.pri but the external name is domain.com.

Bruno_Domignues
Employee

A 3rd-party certificate is required for Remote Configuration, i.e. to allow Admin Control Mode. In this case, you can follow these instructions (GoDaddy) to issue the certificate: https://support.godaddy.com/help/article/5260/setting-up-a-ssl-for-intel-vpro. You must pay attention that you must generate the certificate request for your Intel SCS using your internal domain. Actually, Certificate Authorities can't issue certificates for private domains; they must be ones that can be publicly verified.

Best Regards!

-Bruno Domingues
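
As an added example (not code from this thread, from Intel SCS or from the Intel AMT SDK), the PowerShell script below checks a candidate provisioning certificate against the documented requirements for Intel AMT remote configuration: a CN or SAN DNS name whose domain suffix matches what DHCP option 15 hands the client, the serverAuth EKU plus either the Intel setup OID 2.16.840.1.113741.1.2.3 or the OU "Intel(R) Client Setup Certificate", and a chain that ends in a root whose hash the ME firmware trusts. The PFX path and password, the suffix domain.pri and the trusted-root thumbprint list are placeholders (assumptions); the real list is whatever MEBx shows in its PKI hash list on your machines.

```powershell
# Added example, not from the thread or from Intel SCS.
# Checks an Intel AMT remote-configuration (provisioning) certificate against the
# rules the ME firmware applies before it trusts an SCS server in Admin Control Mode.
param(
    [string]$PfxPath        = 'C:\certs\scs-provisioning.pfx',  # assumed path
    [string]$PfxPassword    = 'ChangeMe',                        # assumed password
    [string]$Option15Suffix = 'domain.pri',                      # assumed: what DHCP option 15 hands the client
    # SHA-1 thumbprints the ME trusts (read them from MEBx; the value below is a placeholder, not Intel's list)
    [string[]]$TrustedRootThumbprints = @('0000000000000000000000000000000000000000')
)

$IntelSetupOid = '2.16.840.1.113741.1.2.3'   # Intel(R) AMT remote configuration EKU
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'         # id-kp-serverAuth
$IntelSetupOu  = 'Intel(R) Client Setup Certificate'

function Test-AmtProvisioningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Suffix, [string[]]$TrustedRoots)

    # 1. Every DNS name the certificate carries: subject CN plus SAN dNSName entries.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders e.g. "DNS Name=scs.domain.pri, DNS Name=domain.pri"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    # The ME compares the domain suffix: the name must be the suffix itself or end in ".<suffix>".
    $suffixOk = @($names | Where-Object { $_ -ieq $Suffix -or $_ -like "*.$Suffix" }).Count -gt 0

    # 2. Extended key usage: serverAuth is mandatory; the Intel OID or the Intel OU
    #    marks the certificate as a provisioning certificate.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    $hasServerAuth = $ekus -contains $ServerAuthOid
    $hasIntelMark  = ($ekus -contains $IntelSetupOid) -or ($Cert.Subject -like "*OU=$IntelSetupOu*")

    # 3. Build the chain and compare its root with what the ME firmware trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the ME performs no revocation check during setup
    $built = $chain.Build($Cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = $TrustedRoots -contains $root.Thumbprint

    [pscustomobject]@{
        Subject         = $Cert.Subject
        DnsNames        = ($names -join ', ')
        SuffixMatches   = $suffixOk
        HasServerAuth   = $hasServerAuth
        HasIntelMarker  = $hasIntelMark
        HasPrivateKey   = $Cert.HasPrivateKey
        NotExpired      = ($Cert.NotAfter -gt (Get-Date))
        ChainBuilds     = $built
        RootThumbprint  = $root.Thumbprint
        RootTrustedByME = $rootTrusted
        Ready           = $suffixOk -and $hasServerAuth -and $hasIntelMark -and
                          $Cert.HasPrivateKey -and $built -and $rootTrusted
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
Test-AmtProvisioningCert -Cert $cert -Suffix $Option15Suffix -TrustedRoots $TrustedRootThumbprints | Format-List
```

On a stock machine the RootTrustedByME check passes only for the public roots preloaded in the ME, so a certificate from an internal CA fails it until that root's hash is injected, while a public CA will not issue for a suffix like domain.pri at all, so SuffixMatches and RootTrustedByME cannot both be true without touching the machine; that is the corner this thread ends in.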

JSank
Beginner

Thank you! Does this mean we cannot implement the Remote Configuration method, as our internal domain name is different from the one registered publicly? Our DHCP option 15 returns the internal domain name, and public CAs cannot issue certificates for internal domain names. Is there a way around this to implement it? Thank you

Bruno_Domignues
Employee

Yes, if you aren't the public owner of your internal domain, you won't be allowed to issue a certificate for this purpose, unfortunately. However, there are other methods that you can follow, but all of these methods require that you 'touch' your machines. Here are two high-level strategies to overcome this limitation:

1. Inject a PID/PPS pair (aka the PSK method) into each vPro machine (manually or using a USB key);

2. Issue an internal provisioning certificate to Intel SCS and inject the hash of the root CA into each vPro machine (manually or using a USB key).

In addition to these strategies, there are several OEMs that offer a service to customize the BIOS/ME, and they can deliver vPro machines from the factory with PSK or PKI using your internal certificate.

If you believe that these methods are viable and would like further details, let me know.

Best Regards!

-Bruno Domingues

JSank
Beginner

Thanks again. We have yet to decide if we should go with manually touching each machine. I was wondering how other organizations end up doing this. Say a company has 50,000 machines with OOBM and an internal domain name; when their cert expires on 1st Nov 2015, they can no longer manage them unless they touch each machine?

Please share details on implementing this with a USB key; I will go through the doc and a decision will be made today or tomorrow. Thanks again for your assistance.

Regards,

Jegadesh

Bruno_Domignues
Employee

Jagadesh,

Actually, most companies rely on the Host Based Configuration method for their activation, which is much simpler, and I'm also assuming that the majority of companies that activated using PKI (with an internal domain) will shift to HBC. For security reasons, there are several companies that, even when activating using Admin Control Mode, decided to enable User Consent. Even those that require Admin Control Mode using an internal domain are in conversation with OEMs to inject their own root certificate into the ME to keep this capability.

In order to use a USB key, you will need the USBFile.exe utility that can be found in the Intel AMT SDK (https://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk?language=ru). Here is an example of the syntax to create the USB key using the CA root certificate:

USBFile.exe -create setup.bin admin -consume 0 -amt -kvm 1 -oHash 1 -oHash 0 -hash cca-ca.pem CCA-CA -prov 1

The setup.bin file is generated and must be placed on a USB key formatted with FAT16. Basically, with the USB key created, you only need to boot the machine with the USB key connected and you will be asked whether you allow injecting the hash of the root CA into the ME. Some OEMs require you to enable this capability in the BIOS.

Best Regards!

-Bruno Domingues

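
As an added example for the USB-key method in the post above (not the SDK's code; USBFile.exe itself comes from the Intel AMT SDK and is only invoked here), this PowerShell script exports the internal root CA from the local certificate store to PEM, prints its SHA-1 and SHA-256 hashes so you can compare them with what MEBx lists after the key is consumed, and runs USBFile.exe with exactly the flags from the post. The root thumbprint, MEBx password, paths and drive letter are placeholders (assumptions).

```powershell
# Added example, not from the thread or the Intel AMT SDK.
# Exports the internal root CA to PEM, shows the hash the ME will store, and builds setup.bin.
param(
    [string]$RootThumbprint = '0000000000000000000000000000000000000000', # assumed: SHA-1 thumbprint of your root CA
    [string]$MebxPassword   = 'admin',                      # current MEBx password; 'admin' is the factory default used in the post
    [string]$UsbFileExe     = '.\USBFile.exe',              # assumed: path to the SDK tool
    [string]$PemPath        = (Join-Path $PWD 'cca-ca.pem'),
    [string]$FriendlyName   = 'CCA-CA',
    [string]$UsbDrive       = 'E:'                          # assumed: the key, formatted beforehand with "format E: /FS:FAT /Q" (FAT16)
)

# 1. Locate the root CA certificate in the machine's Trusted Root store and insist on a self-signed root:
#    the ME matches the hash of the *root*, not of the issuing (subordinate) CA.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $RootThumbprint }
if (-not $root) { throw "Root CA with thumbprint $RootThumbprint not found in Cert:\LocalMachine\Root" }
if ($root.Subject -ne $root.Issuer) { throw "Certificate is not self-signed; inject the root CA hash, not a subordinate CA" }

# 2. Write the certificate as PEM (Base64 DER with the standard armour) for USBFile.exe -hash.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($root.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----`r`n"
[System.IO.File]::WriteAllText($PemPath, $pem, [System.Text.Encoding]::ASCII)

# 3. Hashes over the DER encoding. Older firmware lists SHA-1, newer firmware SHA-256;
#    whichever MEBx shows under its PKI hash list must equal the value printed here.
$sha1   = $root.Thumbprint   # the Windows thumbprint is SHA-1 over the DER certificate
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($root.RawData) |
           ForEach-Object { $_.ToString('X2') }) -join ''
"Root CA : $($root.Subject)"
"SHA-1   : $sha1"
"SHA-256 : $sha256"

# 4. Build setup.bin with the flags from the post (see the SDK's USBFile documentation for their meaning).
& $UsbFileExe -create setup.bin $MebxPassword -consume 0 -amt -kvm 1 -oHash 1 -oHash 0 -hash $PemPath $FriendlyName -prov 1
if ($LASTEXITCODE -ne 0) { throw "USBFile.exe failed with exit code $LASTEXITCODE" }

# 5. Copy it to the key. setup.bin contains the MEBx password, so treat the key as a credential
#    and wipe it once the machines have been touched.
Copy-Item -Path .\setup.bin -Destination (Join-Path $UsbDrive 'setup.bin')
"setup.bin written to $UsbDrive; boot each vPro machine with the key attached and accept the hash prompt."
```

The self-signed check matters with the two-tier PKI described earlier in the thread: the provisioning certificate is issued by the subordinate CA, but the hash the ME must hold is that of the offline root above it.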
JSank
Beginner

One step closer to a solution. We have decided to go with host based configuration. Profile and plugins are configured for this. Enabled discovery and configuration TS. Configured 2 machines without error using configure.bat. These machines now show up in the "Intel AMT: Configured" collection. Right-clicked on the machine --> Manage Out of Band --> Discover AMT Status; this looks like it runs successfully. On my OOB server, amtopmgr.log looks good (contents below). However, the "AMT Provisioning" column in SCCM is still empty. All Out of Band Management options except "Discover AMT Status" are grayed out. Updated machine policies and hardware inventory on the test machines and still no go. Any idea? Thank you

AMT Discovery Worker: Wakes up to process instruction files  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Wait 3600 seconds...  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Wakes up to process instruction files  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Reading Discovery Instruction C:\SMS\inboxes\amtopmgr.box\disc\{D58DF5A3-A2AC-44BE-85BB-86DB1D167E79}.RDC...  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames NULL, '16777710', 'XYZ'  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromResource - Found machine TestMachine (TestMachine.Domain.local), ID: 16777710 IP: 192.168.1.3 from Resource 16777710.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 16777710  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
Discovery will use ip resolved from netbios:  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
192.168.1.3  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Execute query exec AMT_GetProvAccounts  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Finish reading discovery instruction C:\SMS\inboxes\amtopmgr.box\disc\{D58DF5A3-A2AC-44BE-85BB-86DB1D167E79}.RDC  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Parsed 1 instruction files  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Send task TestMachine.Domain.local to completion port  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
General Worker Thread Pool: Current size of the thread pool is 1  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: 1 task(s) are sent to the task pool successfully.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SCCMOOBM.domain.local SITE=XYZ PID=3364 TID=2388 GMTDATE=Mon Feb 16 20:39:43.465 2015 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
General Worker Thread Pool: Work thread 3092 started  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  3092 (0x0C14)
Discover TestMachine using IP address 192.168.1.3  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  3092 (0x0C14)
DoPingDiscoveryForAMTDevice succeeded.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  3092 (0x0C14)
Flag iWSManFlagSkipRevocationCheck is set.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  3092 (0x0C14)
session params : https://TestMachine.Domain.local:16993 , 2011001  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  3092 (0x0C14)
AMT Discovery Worker: There are 1 tasks in pending list  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Wait 20 seconds...  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Wakes up to process instruction files  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: There are 1 tasks in pending list  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
AMT Discovery Worker: Wait 20 seconds...  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:43 PM  2388 (0x0954)
DoWSManDiscovery succeeded with user name: admin. AMTStatus = 1.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
Start Kerberos Discovery  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
Flag iWSManFlagSkipRevocationCheck is set.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
session params : https://TestMachine.Domain.local:16993 , 2484001  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
DoKerberosWSManDiscovery succeeded. AMTStatus = 4.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
Discovery to IP address 192.168.1.3 succeed. AMT status is 4.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
CSMSAMTDiscoveryTask::Execute, discovery to TestMachine succeed. AMT status is 4.  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
CSMSAMTDiscoveryTask::Execute - DDR written to C:\SMS\MP\OUTBOXES\ddr.box  SMS_AMT_OPERATION_MANAGER  2/16/2015 2:39:44 PM  3092 (0x0C14)
CStateMsgReport...
Bruno_Domignues
Employee

Jagadesh,

Based on the logs that you shared, it looks like SCCM is correctly discovering these machines:

Discovery to IP address 192.168.1.3 succeed. AMT status is 4.

*and*

Discovery to IP address 192.168.2.160 succeed. AMT status is 4

AMT status 4 means that it is Externally Provisioned, i.e. using Intel SCS in your case. What happens is that SCCM takes some time to refresh the status; to speed this process up, you can force an "Update Collection Membership" followed by F5 (refresh).

For this discovery (i.e. the native SCCM one that shows in the column), SCCM doesn't use the agent to update the status; it's done directly from the Out of Band Service Point, connecting remotely to the vPro machine. That is the reason the inventory policy didn't make any change to this status.

Please let me know if it worked.

Best Regards!

-Bruno Domingues

MKies1
Beginner

Hi,

Same problem on my side.

Discovery says succeeded with status 4, but no AMT Status or Version appears in the SCCM console for that device. No possibility to start the Out of Band Management Console (greyed out).

AMT Configuration itself looks correct.

I use:

Intel SCS 10.0.11.35

Intel SCS SCCM Addon 2.1.6.3

AMT Firmware Version (seen through the web interface): 6.2.50 build 1062

SCCM 2012 R2

Any help would be great. Thanks!

MKies1
Beginner

I found the solution to my problem here on TechNet:

https://social.technet.microsoft.com/Forums/en-US/8a99dadc-27c1-4a8f-a386-370a27f4d479/problem-with-out-of-band-discovery-resulting-with-out-of-band-features-not-available-in-sccm-console?forum=configmanagergeneral (Problem with Out of Band Discovery resulting with Out of Band features not available in SCCM console for computers with …)

Add the computer account that has the Out of Band Management role to the local group SMS_SiteSystemToSiteServerConnection_MP_XXX on the SCCM 2012 R2 primary site server and restart SMS_Executive on the Out of Band Management server.

Bruno_Domignues
Employee

Hi,

Usually, this problem happens with Kerberos authentication issues which, unfortunately, doesn't work without proper configuration.

1st. In SCCM you have to make sure that Kerberos is working, so open IE and point it to a provisioned vPro machine using FQDN:16993 (e.g. https://vPromachine.prodemolab.com:16993). At this point you will probably see the Intel ME log-in page. Click on the log-in button and see what happens. If you get in, we have another problem, but from experience you will probably be prompted to fill in your credentials, which means that Kerberos is not working. So, to fix it:

1. Create these two registry keys (http://support.microsoft.com/en-us/kb/908209) on the SCCM server (32-bit and 64-bit). By default, IE doesn't allow sending a Kerberos token over a port other than 80, and we need to send it over 16993;

2. Configure your IE Intranet zone to recognize your local domain, i.e. Internet Options -> Security -> Sites -> Advanced -> put your domain here, e.g. https://*.suffix

3. While in the Intranet zone -> Custom Level... -> User Authentication -> Logon -> select "Automatic Logon with current user name and password"

Test the authentication again using IE; now it should work.

Best Regards!

-Bruno Domingues

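
As an added example (not from the thread), the PowerShell below applies the three IE-side settings from the post above through the registry and then checks the Kerberos side independently of IE. Run it on the machine where the SCCM console is used, as the user who runs that console (the zone settings live in HKCU). The value names are the ones Windows stores for those dialog settings (the KB908209 feature-control key and the Local Intranet zone logon policy 1A00); the DNS suffix, the test FQDN and the port are placeholders (assumptions).

```powershell
# Added example, not from the thread: registry form of the IE fixes plus a Kerberos SPN check.
param(
    [string]$DnsSuffix = 'domain.local',              # assumed: your internal DNS suffix
    [string]$AmtFqdn   = 'TestMachine.Domain.local',  # assumed: a provisioned AMT host
    [int]$AmtTlsPort   = 16993                        # AMT WS-Management over TLS
)

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. KB908209: make IE include the port in the Kerberos SPN (HTTP/fqdn:16993 instead of HTTP/fqdn).
#    Both hives, because the SCCM console is a 32-bit process on a 64-bit server.
$feature = 'Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
Set-RegDword "HKLM:\SOFTWARE\Microsoft\$feature"             'iexplore.exe' 1
Set-RegDword "HKLM:\SOFTWARE\Wow6432Node\Microsoft\$feature" 'iexplore.exe' 1

# 2. Map https://*.<suffix> into the Local Intranet zone (zone 1) for the current user.
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$DnsSuffix"
Set-RegDword $zoneMap 'https' 1

# 3. Local Intranet zone, logon policy 1A00: 0 = "Automatic logon with current user name and password".
Set-RegDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' '1A00' 0

# 4. Kerberos check that does not depend on IE: the port-qualified SPN must exist on the AD object
#    Intel SCS created for the AMT device (profile with Active Directory integration), and the KDC
#    must issue a service ticket for it. If setspn finds nothing, no IE setting will help.
$spn = "HTTP/${AmtFqdn}:$AmtTlsPort"
"Querying AD for $spn"
setspn -Q $spn
"Requesting a service ticket for $spn"
klist get $spn
klist | Select-String -Pattern ([regex]::Escape($spn))

# 5. Reachability of the AMT TLS listener from this host.
Test-NetConnection -ComputerName $AmtFqdn -Port $AmtTlsPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If setspn returns the SPN and klist shows a ticket for it, repeat the IE test from the post; a remaining credential prompt at that point is an IE zone or feature-control problem, not a Kerberos one. Without the KB908209 value IE requests a ticket for HTTP/fqdn, which the device's AD object does not own, so the firmware rejects the token and falls back to prompting.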