SCCM SP2 - OOB Management Certificates Problems

2

I have a vPro client computer with AMT 4.0. It was importeed successfully via the Import OOB Computers wizard, and after sending a "Hello- packet" it became provisioned. (The SCCM GUI displays AMT Status: Provisioned). But when I try to perform power operations on this machine, they always fail with the following lines in the log: AMT Operation Worker: Wakes up to process instruction files 7/29/2009 10:59:29 AM 2176 (0x0880) AMT Operation Worker: Wait 20 seconds... 7/29/2009 10:59:29 AM 2176 (0x0880) Auto-worker Thread Pool: Work thread 3884 started 7/29/2009 10:59:29 AM 3884 (0x0F2C) session params : https:/ / amt4.domaindemo.com:16993 , 11001 7/29/2009 10:59:29 AM 3884 (0x0F2C) ERROR: Invoke(invoke) failed: 80020009argNum = 0 7/29/2009 10:59:31 AM 3884 (0x0F2C) Description: A security error occurred 7/29/2009 10:59:31 AM 3884 (0x0F2C) Error: Failed to Invoke CIM_BootConfigSetting::ChangeBootOrder_INPUT action. 7/29/2009 10:59:31 AM 3884 (0x0F2C) AMT Operation Worker: AMT machine amt4.domaindemo.com can't be waken up. Error code: 0x80072F8F 7/29/2009 10:59:31 AM 3884 (0x0F2C) Auto-worker Thread Pool: Warning, Failed to run task this time. Will retry(1) it 7/29/2009 10:59:31 AM 3884 (0x0F2C)

After investigation, I've seen that the problem occurs already on the 2nd stage of the provisioning:

Start 2nd stage provision on AMT device amt4.domaindemo.com. 8/2/2009 4:55:12 PM 2944 (0x0B80) session params : https: / / amt4.domaindemo.com:16993 , 11001 8/2/2009 4:55:12 PM 2944 (0x0B80) Delete existing ACLs... 8/2/2009 4:55:12 PM 2944 (0x0B80) ERROR: Invoke(invoke) failed: 80020009argNum = 0 8/2/2009 4:55:14 PM 2944 (0x0B80) Description: A security error occurred 8/2/2009 4:55:14 PM 2944 (0x0B80) Error: Cannot Enumerate User Acl Entries. 8/2/2009 4:55:14 PM 2944 (0x0B80) Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs 8/2/2009 4:55:14 PM 2944 (0x0B80) Error: Can not finish WSMAN call with target device. 1. Check if there is a winhttp proxy to block connection. 2. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. 3. For greater than 3.x AMT, there is a known issue in AMT firmware that WSMAN will fail with FQDN longer than 44 bytes. (MachineId = 17) 8/2/2009 4:55:14 PM 2944 (0x0B80) STATMSG: ID=7208 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=JE-DEV-MS0 SITE=JR1 PID=1756 TID=2944 GMTDATE=Sun Aug 02 14:55:14.281 2009 ISTR0="amt4.domaindemo.com" ISTR1="amt4.domaindemo.com" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 8/2/2009 4:55:14 PM 2944 (0x0B80) This error is consistent with all the other 2nd stage provisioning tasks. (Add ACLs, Enable Web UI, etc.)

I've opened the certification authority, and I see that the certificates were issued to the SCCM Site server instead of the AMT client!

What could be the reason for this failure? What is the problematic definition for the certificate?

Thank you in advance!!!

windows-server-2003
certificate
sccm
asked on Server Fault Aug 4, 2009 by (unknown user)

2 Answers

1

I faced the same issue, the certificates installed in the AMT Client was actually issued to the SCCM Server.

The error was in the "Subject Name" tab of the "Web Server Certificate Template"; the option "Build from this Active Directory Information" should be checked and "Common Name" should be selected in the drop down for the option "Subject Name format".

If provisioning is successful, accessing the AMT Client using its FQDN from an IE browser should not give any certificate warnings or errors. The login prompt should be shown immediately.

answered on Server Fault Mar 21, 2011 by Abhisek Sanyal
0

In SCCM, AMT certs are issued by the CA to the OOB service point as a proxy, since AMT doesn't have any way to request certificates directly. The fact that you're seeing this is a good sign that your setup is at least partially correct.

By default, AMT is pre-loaded only with the thumprints of commercial Root CAs (e.g. Thawte, Verisign, etc.) If you are using an enterprise CA (which in this case it appears that you are), the certificate thumbprint of the Root CA must be pre-loaded in AMT before provisioning. Otherwise, AMT will reject the certificate that is assigned to it (since it doesn't have trust to root).

Your Root CA can be entered via custom configuration by your computer vendor (preferred) or via the MEBx control (which requires you to touch every machine you deploy). If you use MEBx, the thumbprint is loaded in MEBx at Intel(R) AMT Configuration | Setup and Configuration | TLS PKI | Manage Certificate Hases.

answered on Server Fault Dec 29, 2010 by newmanth

User contributions licensed under CC BY-SA 3.0