Hi around,
after a long time of trying and fiddling I got AMT provisioning to run in our environment.
We use Server 2012 R2 with the latest Intel SCS tool and the Intel add-on for SCCM 2012.
I provisioned some clients and it worked well.
Now I tried to fully unconfigure a client due to a password change and reconfigure it using the ACUConfig batch file with the updated password.
The password was also updated in the SCS profile we use to provision.
The unconfigure worked, but when trying to reconfigure I get the following error:
2015-09-23 14:05:54: Thread:6072(ERROR) : ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : wmain Line: 1254: ***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
It looks like a simple AD problem, so I checked the service account we use for provisioning. It actually has full control of the OU and the object, so I can't figure out what could produce the access denied.
I tried to provision a new client and got the same error.
The object is created in the AD OU, but something seems to go wrong afterwards.
I tried to reuse the old password, but it brought no result.
Has anyone had a problem like this and can point me in a helpful direction?
Thanks
Thomas
- Tags:
- Provisioning
Hi Bruno,
thank you for the answer.
The 'Always use the OS Host Name...' option is not checked in the provisioning profile we use.
Do you have another idea for this case?
Thanks
Thomas
I found the cause of the problem while searching through the object attributes.
When creating the AD object it creates a user account and not a machine account, therefore it can't set some of the attributes.
Now I will have to search for why it suddenly creates user accounts instead of machine accounts.
Thanks for your help.
We have been running SCS for quite a while now, but the same issue popped up last week.
The SCS server has full privileges on AMT computer accounts and I can't track any changes that could have caused this. RCS seems to fail to update the AMT computer's password...?
brunodom: we did have this option enabled. Disabling it and retrying the configuration seems to have no effect.
I filtered the domain controller event logs and I can see that the computer account's password is successfully reset. In fact I can see no related failures.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 23.09.2015 16:34:06
Event ID: 4724
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: DOMAINCONTROLLER.internal.domain.com
Description:
An attempt was made to reset an account's password.
Subject:
Security ID: DOMAIN\SCSSERVER$
Account Name: SCSSERVER$
Account Domain: DOMAIN
Logon ID: 0x110D519B
Target Account:
Security ID: DOMAIN\COMPUTER$iME
Account Name: DOMAIN$iME
Account Domain: COMPUTER
Very strange...
From RCSlog.log on SCS server:
2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 411: Step into UpdateADObjectPassword
2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::GetAMTadObject Line: 1508: Step in GetAMTadObject
2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 480: padsUser->SetInfo 0
2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal error Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 494: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 521: Step out UpdateADObjectPassword
2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::CreateADObject Line: 394: Step out CreateADObject
2015-09-24 10:06:41: Thread:16264(ERROR) : COMPUTERNAME.internal.domain.com, Category: Configure Profile Source: ADUtils.cpp : ADUtils::BindCreateADObject Line: 309: AD object creation failed. An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: Operation Error Source: Src\ConfigThread.cpp : ConfigThread::runConfigure Line: 674: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
2015-09-24 10:06:41: Thread:16264(DETAIL) : COMPUTERNAME.internal.domain.com, Category: Delete Key Pairs Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::DeleteKeyPairs Line: 4345:
2015-09-24 10:06:41: Thread:16264(DETAIL) : COMPUTERNAME.internal.domain.com, Category: AMTCommunicator Source: WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::RemoveKeyFromStore Line: 5174: WS-Management call RemoveKeyFromStore (AMT_PublicPrivateKeyPair.Delete) ok
2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: End function: Status Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::SetupConfigureAMT Line: 896: 0xc0003a99
2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ConfigAMT request failed. Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::handleStatusAfterRun Line: 221: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). (0xc0003a99).
2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 260: Begin GetAmtByUuid AMTSystem
2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 236: Begin GetAmtByUuid DBAmt
2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 340: Begin UpdateAmt
2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 345: End UpdateAmt
2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: Src\RCSServer.cpp : CServiceModule::Log Line: 1289: Finish Configuration; (ERROR) AMT details: UUID: 72182101-5389-11CB-B9F9-A772781A1EDB, FQDN: Empty, IP: 10.0.122.45 . Return code: 0xc0003a99 . Details: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
2015-09-24 10:06:41: Thread:16264(ERROR) : WMI Protocol, Category: ConfigAMT Source: C:\TeamCity.BuildAgent\work\ef8d7e613e373c5c\Components\RCSServer\MethodCallData.h : SCS_WMI::WMICallDetails::SendErrorReport Line: 92: Finished operation with Error. (0xc0001c89). An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). (0xc0003a99).
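The RCSlog.log excerpt above repeats the same access-denied text in several records, which hides the one fact that matters for triage: the earliest ERROR record names the step that was refused (UpdateADObjectPassword, line 494, i.e. the attribute write that follows the password reset the domain controller audited as successful). The following script is an added example and not Intel SCS code; it parses records in the format shown in this thread, keeps the ERROR ones, and decodes the signed HRESULT (-2147024891 is 0x80070005, Win32 error 5) and the LDAP SecErr fields. The regex, the function names and the shortened sample lines are my own.

```powershell
# Added example, not Intel SCS code: triage RCSlog.log for Active Directory errors.
# Assumes the record layout seen in this thread; regex and names are my own.

$LogPattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): Thread:(?<thread>\d+)\((?<level>\w+)\) : ' +
              '(?<ctx>[^,]*), Category: (?<cat>.*?)\s*Source: (?<src>\S+) : (?<func>.+?) Line: (?<line>\d+): ?(?<msg>.*)$'

$ErrorPattern = 'failed with error (?<hr>-?\d+) \((?<text>[^:]+):.*?SecErr: (?<dsid>DSID-[0-9A-Fa-f]+), ' +
                'problem (?<problem>\d+) \((?<pname>\w+)\)'

function ConvertFrom-RcsLogLine {
    # One log line -> one record object; lines that do not match the layout are skipped.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $m = [regex]::Match($Line, $LogPattern)
        if (-not $m.Success) { return }
        [pscustomobject]@{
            Time     = $m.Groups['ts'].Value
            Thread   = [int]$m.Groups['thread'].Value
            Level    = $m.Groups['level'].Value
            Context  = $m.Groups['ctx'].Value.Trim()
            Category = $m.Groups['cat'].Value
            Source   = $m.Groups['src'].Value
            Function = $m.Groups['func'].Value
            Line     = [int]$m.Groups['line'].Value
            Message  = $m.Groups['msg'].Value
        }
    }
}

function ConvertFrom-Hresult {
    # SCS prints the HRESULT as a signed 32-bit decimal; reinterpret it as unsigned
    # and split out the facility and the Win32 code (facility 7 = FACILITY_WIN32).
    param([Parameter(Mandatory)][int]$Code)
    $u        = [int64]$Code -band 0xFFFFFFFF
    $facility = ($u -shr 16) -band 0x1FFF
    $win32    = [int]($u -band 0xFFFF)
    $text     = $null
    if ($facility -eq 7) { $text = (New-Object ComponentModel.Win32Exception($win32)).Message }
    [pscustomobject]@{
        Hresult   = '0x{0:X8}' -f $u
        Facility  = $facility
        Win32Code = $win32
        Win32Text = $text
    }
}

function Get-RcsAdError {
    # Pull the AD-specific fields out of an ERROR record's message.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $e = [regex]::Match($Record.Message, $ErrorPattern)
        if (-not $e.Success) { return }
        $hr = ConvertFrom-Hresult ([int]$e.Groups['hr'].Value)
        [pscustomobject]@{
            Time        = $Record.Time
            Context     = $Record.Context
            FailingStep = '{0} (line {1})' -f $Record.Function.Split(':')[-1], $Record.Line
            Hresult     = $hr.Hresult
            Win32       = '{0} ({1})' -f $hr.Win32Code, $hr.Win32Text
            LdapProblem = '{0} ({1})' -f $e.Groups['problem'].Value, $e.Groups['pname'].Value
            Dsid        = $e.Groups['dsid'].Value
        }
    }
}

# Constructed sample: shortened copies of the records quoted in this thread.
$SampleLog = @'
2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 480: padsUser->SetInfo 0
2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal error Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 494: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
2015-09-24 10:06:41: Thread:16264(ERROR) : COMPUTERNAME.internal.domain.com, Category: Configure Profile Source: ADUtils.cpp : ADUtils::BindCreateADObject Line: 309: AD object creation failed. An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
'@

# Usage: replace $SampleLog with Get-Content on your RCSlog.log.
$SampleLog -split "`r?`n" |
    ConvertFrom-RcsLogLine |
    Where-Object Level -eq 'ERROR' |
    Get-RcsAdError |
    Format-List
```

The first object printed for the sample reads FailingStep "UpdateADObjectPassword (line 494)", Hresult 0x80070005, Win32 "5 (Access is denied)" and LdapProblem "4003 (INSUFF_ACCESS_RIGHTS)"; the later records are the same failure propagating up the call chain, so only the earliest one is worth comparing against the domain controller's audit events.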
Don, could you check your AD object?
I discovered that acuconfig.exe creates a computer object (so it seems), but if you look in the Attribute Editor the fields are:
primaryGroupID points to (Group_RID_Users)
and sAMAccountType is set to (Normal_User_Account).
Also userAccountControl is set to 0x220 (Passwd_NotReqd | Normal_Account) instead of 0x11000 (Workstation_Trust_Account...) like all the other clients.
In our case it seems that provisioning is not working with this object type.
Why it creates this kind of broken object type is still in question.
It would be great to know if you have the same changes in the AD Attribute Editor after updating your computer.
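The three attributes named in the post above (primaryGroupID, sAMAccountType, userAccountControl) are enough to tell a properly created machine account from the user-type object the poster found. The script below is an added example, not Intel SCS code: it reads every user-class object under an OU (computer is a subclass of user, so the LDAP filter catches both), decodes the userAccountControl bits, and lists the objects whose attributes do not match a workstation trust account. The OU distinguished name and all function names are assumptions; the numeric values are the documented well-known ones (primaryGroupID 513 = Domain Users, 515 = Domain Computers; sAMAccountType 805306368 = SAM_NORMAL_USER_ACCOUNT, 805306369 = SAM_MACHINE_ACCOUNT).

```powershell
# Added example, not Intel SCS code: find AMT objects that were created as
# user accounts instead of computer accounts. Requires the ActiveDirectory module.
#Requires -Modules ActiveDirectory

$AmtOu = 'OU=AMT,DC=internal,DC=domain,DC=com'   # assumption: the OU your SCS profile targets

# userAccountControl bits relevant to this thread (well-known values)
$UAC = @{
    PASSWD_NOTREQD            = 0x0020
    NORMAL_ACCOUNT            = 0x0200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    DONT_EXPIRE_PASSWORD      = 0x10000
}
$SamType      = @{ 805306368 = 'SAM_NORMAL_USER_ACCOUNT'; 805306369 = 'SAM_MACHINE_ACCOUNT' }
$PrimaryGroup = @{ 513 = 'Domain Users'; 515 = 'Domain Computers' }

function Expand-UacFlags {
    # Numeric userAccountControl -> names of the set bits we care about.
    param([int]$Value)
    $UAC.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Name | Sort-Object
}

function Test-AmtAdObject {
    # Summarise one AD object and flag whether it looks like a real machine account.
    param([Parameter(Mandatory, ValueFromPipeline)]$AdObject)
    process {
        $uac = [int]$AdObject.userAccountControl
        $isMachine = (($uac -band $UAC.WORKSTATION_TRUST_ACCOUNT) -ne 0) -and
                     ([int]$AdObject.sAMAccountType -eq 805306369) -and
                     ([int]$AdObject.primaryGroupID -eq 515)
        [pscustomobject]@{
            Name         = $AdObject.Name
            ObjectClass  = $AdObject.ObjectClass
            PrimaryGroup = $PrimaryGroup[[int]$AdObject.primaryGroupID]
            SamType      = $SamType[[int]$AdObject.sAMAccountType]
            UAC          = '0x{0:X} ({1})' -f $uac, ((Expand-UacFlags $uac) -join ' | ')
            Healthy      = $isMachine
        }
    }
}

# (objectClass=user) matches computer objects too, so a mis-created object is not missed.
Get-ADObject -SearchBase $AmtOu -LDAPFilter '(objectClass=user)' `
    -Properties userAccountControl, sAMAccountType, primaryGroupID |
    Test-AmtAdObject |
    Where-Object { -not $_.Healthy } |
    Format-Table -AutoSize
```

An object created the way the post describes shows up as PrimaryGroup "Domain Users", SamType "SAM_NORMAL_USER_ACCOUNT" and UAC "0x220 (NORMAL_ACCOUNT | PASSWD_NOTREQD)", while a correct one would read "0x11000 (DONT_EXPIRE_PASSWORD | WORKSTATION_TRUST_ACCOUNT)" and be filtered out as healthy. Drop the final Where-Object to see every object with its decoded attributes.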
The attributes are the same for me.
I went over last Patch Tuesday's patch list and this seems suspicious: https://technet.microsoft.com/library/security/ms15-096 Microsoft Security Bulletin MS15-096 - Important
It specifically mentions changes to the behavior when creating (and editing?) computer accounts. There are no details though.
Intel?
Not sure if Intel can answer this.
The problem occurred shortly after the mentioned update was installed on our DCs.
Now we have opened a call with Microsoft to verify the problem.
Hope we get some answers.
That is right. The MS15-096 security bulletin is preventing a computer account from creating/deleting/updating AD objects. There are some workarounds:
1. If you are running ACUConfig.exe in the LocalSystem security context, such as used by the SCCM agent, you have to define a domain user account with permission over the AD OU to create/delete.
2. In case you are using RCS as proxy, you should change NETWORK SERVICE to a domain user account, also with permission over the AD OU, and in case you are using SQL Server you also need to give the db_owner role to this account on the IntelSCS database.
Best Regards!
-Bruno Domingues
Do we need both workarounds?
Because we already run ACUConfig under a custom user account with privileges on the AMT computer account OU.
You only need to follow one. In your case, working with a custom account, you must be sure that the profile is exported with the option "The user running the Configuration":
Hi,
I have been following this thread as we are having the same issue. Does this mean that remote configuration is broken as a whole due to the MS15-096 patch? We are unable to remotely configure a device using our RCS server. I uninstalled RCS and re-installed it as the service account, and we are still getting the AD error. We are using database mode. If I configure it locally with an exported profile it works fine. If I run an un-configure job from the console, it does un-configure the device but fails to remove the AD object from AD. If I un-configure it locally it works and removes the object from AD.
Thanks!
Nick
Hi Bruno,
we have the Intel RCS service running with a service account that has full rights on the AD OU.
The same user is db_owner on the IntelSCS database, and we also use it with ACUConfig.exe to provision the clients.
The problem is still there.
You are right! Doing some tests I discovered that it works if the user is a domain admin, but fails with permissions only on the OU plus permission to join machines to the domain. Working at this moment with Microsoft to discover the best approach. Stay tuned.
Best Regards!
-Bruno Domingues
I have the same issue... awaiting your response from your discussion with Microsoft.
Hi,
we have the same error when trying to provision new devices. We also suspected update MS15-096 because of the text "The security update addresses the vulnerability by correcting how machine accounts are created" in its description. Tests in our lab environment showed that it was the installation of this update on the DCs that caused the issue.
Removing MS15-096 from the RCS server did not solve the problem.
Since we still use RCS version 9.0 we will try updating the server software.
Updating to SCS/RCS 10 will not help. I was on 10 already before the problem started.
Actually, there are three possible workarounds (I know that none is acceptable, technically speaking):
1. Give Domain Admin permission to the service account that is creating the object in AD;
2. Do not install the MS15-096 patch;
3. Remove AD integration from your profile.
The definitive solution should be implemented in SCS 11, which we are expecting to be released soon.
Best Regards!
-Bruno Domingues
I have had the same problem. Just for information, I have uninstalled the discussed patch and everything works as before.
Hello Bruno,
do you have any update? Is there any patch for SCS 10, or is the new SCS 11 available?
Jan