I've gotten my vPro systems Provisioned and can connect and restart them in my SCCM OOB mgmt console. I can also open the workstation web pages. I cannot however get the Serial or IDE Redirect to be active. Is there a trick to activating them on the client-side for use with SCCM?
Something to Try...
http://communities.intel.com/docs/DOC-1627
Symptom: Not able to perform an IDER or SOL session on an AMT client from the SCCM Out Of Band Management Console.
Potential Root cause(s):
- The OOBConsole.log states the following error "IMR_SOLOpenTCPSession2 with user = <user> fail with result:0x20, description:Failed to Establish TLS Connection" and your AMT Web Certificates are being issued from a Subordinate Certificate Authority.
- Full certificate chain is not being passed correctly during a SOL/IDER session within SCCM. Place a copy of the Subordinate Certificate Authority certificate in the Local Computer - "Trusted Root Certificate Authorities" of the server or workstation that the Out Of Band Management Console is run from.
--Matt Royer
Thanks for the link. I tried what it suggested and I'm still 'Inactive'. Here's a bit from my OOBConsole.log
[1][1/7/2009 1:13:11 PM] :Launch terminal with "127.0.0.1 49790 -t ansi" fail.
[1][1/7/2009 1:13:11 PM] :System.ComponentModel.Win32Exception\r\nThe system cannot find the file specified\r\n at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start()
at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.SerialConnectionPage.CreateTelnetClient()\r\n
[11][1/7/2009 1:13:11 PM] :System.Net.Sockets.SocketException\r\nA blocking operation was interrupted by a call to WSACancelBlockingCall\r\n at System.Net.Sockets.Socket.Accept()
at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.SolManager.Open()
at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.AmtDevice.RefreshAmtSerialOverLan(Object sender, DoWorkEventArgs e)
at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)\r\n
Sandy,
There are issues with using the OOB management console on Windows Vista. Are you using this platform for the console?
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Sandy,
Can you confirm that you have telnet.exe installed on the OS you are running the OOBC from?
--Matt Royer
You know, it's not installed. Let me add it and see what happens! Thanks!
Installing the telnet client did not resolve my issues. I also just reimaged my laptop last Friday, and tried again, and it still didn't work. I have had a ticket open regarding this issue with Microsoft since November. I haven't had any recent activity on it though.
Additionally, the Intel AMT Commander tool included with the DTK does not work with Serial-over-LAN on Windows Vista.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Trevor,
Installing the Telnet Client got me the beautiful black SOL display, so got a bit further than where I was before. I did a plain Reboot and now I'm stuck at
I imagine I need to go one step further somehow. I saw your post on the Intel AMT Commander as well as the YouTube video which really intrigued me. I'd like to use RD to get this functionality.
Sandy,
Interesting. I'm glad to see you got SoL working in Vista (is it Vista SP1 BTW?). If it's not SP1, that could be the difference between my problem, and your success.
Just FYI, Serial-over-LAN will only give you a text-based GUI, so once your AMT client boots into a graphical environment of any sort, SoL will be bypassed, as you see in your screenshot.
If you would like to get remote desktop working over Serial-over-LAN, you will have to take advantage of the TCP redirection feature. Download the Intel AMT Developer Toolkit to get started. You can get that here: http://www.intel.com/software/amt-dtk/
Enabling Remote Desktop over SoL
AMT System
1. Install the Intel AMT DTK on the AMT client
2. Run the AMT Outpost Control Panel tool
3. Install the Outpost Service
4. Enable serial-over-LAN functionality
Management Workstation
1. Install the Intel AMT DTK
2. Run the Intel AMT Commander tool
3. Connect to the AMT client (use the FQDN of the client, and Domain\User syntax for the userID)
4. Go to the remote control tab, and press "Take Control"
5. In the terminal window that opens, choose TCP Redirection from the menu on the right
6. Add a TCP Redirection rule using a random local port (eg. 65001), and 3389 as the destination port
7. Open the RDP client and connect to localhost:65001
The directions above are not exact, because I am not in front of my work laptop at the moment, but this should give you a good idea of how to get it done. If necessary, I will revise the directions when I'm on my work laptop again. Let me know if you need any more assistance to get this working.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Trevor,
Yes, it looks like I may have gotten lucky with enabling SOL. At least I feel good that it is working and that the screenshot is expected behavior. Yes, I'm on Vista SP1 and I had to add the Telnet Client this afternoon to get it running.
Thanks for the Intel AMT DTK info - I've downloaded it and installed on my Vista Workstation but have not had the chance to dive in. Your instructions will go a long way to help. So, installing the DTK on the AMT client.......do you have this going in production? Is there any noticeable performance hit with it installed? Do you install the entire DTK or is there a basic subset of bits that will enable client functionality?
Sandy,
The Intel AMT DTK is built on Microsoft .NET, and all of the tools are already compiled. The source code is available (as a separate download) too, and very helpful for understanding how the vPro technology is architected. Anyway, you shouldn't have to actually "install" the DTK on all your AMT systems. Simply install it on your own system, and then copy over the necessary tools (and supporting libraries) to the remote machine. They ought to work just fine, and in fact, that is how I'm using a couple tools on a server, in which I did not install the DTK. I just copied the files over, and they work fine.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Trevor,
Thanks, the footprint on an AMT sounds a bit better; I'd really like to consider this as an option for all our 900+ machines. I've loved the idea of an 'iLO-like' interface for our pcs and know that our support staff / Help Desk folks would too. Remote Desktop and SCCM Remote Tools only go so far for us.
With all the focus on getting SOL up, I still haven't solved the riddle of activating IDE-Redirect on my AMT clients. My guess, initially is that if I didn't have a Default *.ISO image configured in the AMT component in SCCM, perhaps IDE-Redirect would not show Activated. However, I plugged one in and it still doesn't show activated. I don't need to use it but it would be nice to have the option. Have you gotten it to work on your end?
Sandy,
I'm not sure where your issue lies. Are you saying that you can't use IDE-Redirect using the Microsoft OOB Management Console from Windows Vista SP1? If that is correct, then please try performing the operation from a Windows XP SP2 or Windows Server 2003.
I have successfully used IDE-R with the Microsoft OOB Management console on Windows XP SP2 and Windows Server 2003. I just gave a demo yesterday, in fact, from a Windows Server 2003 SP2 ConfigMgr site server.
FYI, you do not need to configure a default ISO image in the OOB Management Component Configuration.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Trevor,
Yes, I'm not sure where my issue is either. I'll check an XP workstation and see if that's the issue. My OOB Console window looks like the image.
Here are the messages I'm getting within my OOBconsole.log file in the AdminUiLog folder:
[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:41 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:41 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:42 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:42 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:44 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:44 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:46 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:46 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
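Added example (not part of the thread and not SCCM or Intel code): a small Python triage of OOBConsole.log for the two failure signatures posted above, the terminal launch that fails with "file not found" and the 0x20 "Failed to Establish TLS Connection" result. The log lines are constructed in the format quoted in the thread; the function names and the EXAMPLE\opsuser account are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the OOBConsole.log format quoted in this thread.
SAMPLE_LOG = r'''[1][1/7/2009 1:13:11 PM] :Launch terminal with "127.0.0.1 49790 -t ansi" fail.
[1][1/7/2009 1:13:11 PM] :System.ComponentModel.Win32Exception\r\nThe system cannot find the file specified\r\n at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
 at System.Diagnostics.Process.Start()
[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession2 with user = EXAMPLE\opsuser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:41 PM] :IMR_SOLOpenTCPSession2 with user = EXAMPLE\opsuser fail with result:0x20, description:Failed to Establish TLS Connection
'''

ENTRY = re.compile(r'^\[(\d+)\]\[([^\]]+)\] :(.*)$')
TLS_FAIL = re.compile(
    r'IMR_SOLOpenTCPSession2 with user = (\S+) fail with result:(0x[0-9A-Fa-f]+), description:(.+)')

def parse_entries(text):
    """Split the log into entries; stack-trace continuation lines join the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"thread": int(m.group(1)), "time": m.group(2), "msg": m.group(3)})
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line.strip()
    return entries

def triage(text):
    """Count TLS failures per (user, result code) and flag a missing terminal client."""
    entries = parse_entries(text)
    tls, terminal_missing = Counter(), False
    for i, e in enumerate(entries):
        m = TLS_FAIL.search(e["msg"])
        if m and "Failed to Establish TLS Connection" in m.group(3):
            tls[(m.group(1), m.group(2))] += 1
        # The launch failure is followed by the Win32Exception entry that explains it.
        nxt = entries[i + 1]["msg"] if i + 1 < len(entries) else ""
        if (e["msg"].startswith("Launch terminal with")
                and "cannot find the file specified" in nxt):
            terminal_missing = True
    hints = []
    if terminal_missing:
        hints.append("install the Telnet Client on the console host")
    if tls:
        hints.append("check that the issuing (subordinate) CA certificate is trusted on the console host")
    return {"tls_failures": dict(tls), "terminal_client_missing": terminal_missing, "hints": hints}
```

Calling `triage(SAMPLE_LOG)` returns the per-user failure counts and the two remediation hints that correspond to the fixes suggested in this thread.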
I know this is a dumb question, and I apologize for it, but did you copy the SCCM / AMT server cert to your workstation's local cert store?
Sandy,
I don't fully understand your question. I think what you are asking is: Did I place the public key (and private key?) of my AMT Provisioning Certificate into the computer's Personal certificate store of the Vista system running the OOB console?
If so, that's not a dumb question. I wasn't aware that this needed to be done .... is it documented somewhere, and I just missed it, or what? Due to all the variables though, I'd appreciate a little clarification on exactly what needs to be done ... do I need the public key and the private key, and which certificate store do I put it in? The computer's personal store? The user's personal store?
BTW, just for reference ... and I can double-check if necessary, but ... I am relatively sure that I used the OOB console successfully on a Windows XP client without installing the provisioning certificate on it.
Thanks for your help!
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Trevor,
Look at Matt's answer to my question in this thread, it's the second post in the thread. Here's what he says....
Potential Root cause(s):
- The OOBConsole.log states the following error "IMR_SOLOpenTCPSession2 with user = <user> fail with result:0x20, description:Failed to Establish TLS Connection" and your AMT Web Certificates are being issued from a Subordinate Certificate Authority.
- Full certificate chain is not being passed correctly during a SOL/IDER session within SCCM. Place a copy of the Subordinate Certificate Authority certificate in the Local Computer - "Trusted Root Certificate Authorities" of the server or workstation that the Out Of Band Management Console is run from.
Hope this helps!
The only way I caught mine was to read Matt's post. I don't know about you but this whole AMT cert configuration has been quite a bit to get my head around. I've never been very cert-savvy and this has all been a wake-up call for me to become cert aware. I've been working with vPro now for about a year and a half and still don't seem to have gotten what-needs-to-go-where all down and figured out. I'm learning as I go.
This morning I just found one of my XP admin workstations that couldn't connect to a provisioned vPro system and with Matt's help I realized that the admin workstation did not have our domain root cert on it, in the Trusted Store. I always thought that was automatic in a Win2K domain but it looks like I'm still figuring all this stuff out!