Intel Communities: Message List - Get "PKI configuration failed" error when provisioning vPro device

Re: Get "PKI configuration failed" error when provisioning vPro device

jing_peng@hotmail.com — Thu, 12 May 2011 09:58:49 GMT

Hi Bruno,

Sorry for the delay. We are very busy these days to deal with the issues. Regarding your commments, please see my answers in RED:

Our testing environment:

Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated

>> where is your DHCP, for PKI DHCP with option 15 and 81 is a requirement

--We didn't enable DHCP before. Once it is enabled, everything is OK.

Client A: Windows 2003 + vPro 3.2.2 AMT version

>> why are you using a server OS instead o client (e.g. Win XP, Vista, 7)? do you have the HECI/LMS driver installed?

--We built another environment with Windows 7 client. Both Windows 7 and Windows 2003 are provisioned OK. HECI/LMS driver is installed on both client devices

The procedure to install and configure vPro testing environment is described below:

We are using PKI mode so we install a Certificate Authority on Server A .
Create a certificate template and issue the client certificate template on Server A

>> Did you follow this procedures to create the template?

--I created a client authentication template with "Client Authentication" policy and another policy with Oid 2.16.840.1.113741.1.2.1

On Server A, request a certificate. In the "Identifying Information For Offline Template, the Name:" field specifiy the fully qualified
name of the Provisioning Server (Server A).
Install the client certificate on Server A. Export the client certificate.
Open the root certificate. On the Details tab, note down the certificate hash value in the Thumbprint field. Export the root certificate.
On Server A, create new Profile in SCS Console. Enable TLS.

>> If you would like to use TLS, you must create also a web cliente template

You must be aware that provisioning using PKI means use of one certificate for provisioning must be issues, but you don't need issue client certificates to establish TLS connection

--I didn't find any reference about the "web client template" . I just create another template with "Server Authentication" policy and another policy with Oid 2.16.840.1.113741.1.2.3

--Now we use TLS mutual authentication

Create a digest user and give it PT administration right.

Start Client A, then press Ctrl+P during startup to enter the Intel MEBX. Manually enter the matching certificate hash value which is obtained from step 5. Input other necessary fields in MEBX.
vPro Client A is provisioning automatically. The target vPro device appear in SCS console but with its provisioning status "Not Configured".
We are starting to get the above "PKI configuration failed" errors now.

>> DHCP is an important piece here, your client uses suffix DNS presented by DHCP to validate the certificate.

--After DHCP is enabled, everything is fine.

Best Regards!

-- Bruno Domingues

Re: Get "PKI configuration failed" error when provisioning vPro device

webadmin@intel.com — Sat, 23 Apr 2011 01:17:55 GMT

Peng,

I have few comments and clues about why you are failing to provisioning your vPro machine (comments inline)

Our testing environment:

Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated

>> where is your DHCP, for PKI DHCP with option 15 and 81 is a requirement

Client A: Windows 2003 + vPro 3.2.2 AMT version

>> why are you using a server OS instead o client (e.g. Win XP, Vista, 7)? do you have the HECI/LMS driver installed?

The procedure to install and configure vPro testing environment is described below:

We are using PKI mode so we install a Certificate Authority on Server A .
Create a certificate template and issue the client certificate template on Server A

>> Did you follow this procedures to create the template?

On Server A, request a certificate. In the "Identifying Information For Offline Template, the Name:" field specifiy the fully qualified
name of the Provisioning Server (Server A).
Install the client certificate on Server A. Export the client certificate.
Open the root certificate. On the Details tab, note down the certificate hash value in the Thumbprint field. Export the root certificate.
On Server A, create new Profile in SCS Console. Enable TLS.

>> If you would like to use TLS, you must create also a web cliente template

You must be aware that provisioning using PKI means use of one certificate for provisioning must be issues, but you don't need issue client certificates to establish TLS connection

Create a digest user and give it PT administration right.

Start Client A, then press Ctrl+P during startup to enter the Intel MEBX. Manually enter the matching certificate hash value which is obtained from step 5. Input other necessary fields in MEBX.
vPro Client A is provisioning automatically. The target vPro device appear in SCS console but with its provisioning status "Not Configured".
We are starting to get the above "PKI configuration failed" errors now.

>> DHCP is an important piece here, your client uses suffix DNS presented by DHCP to validate the certificate.

Best Regards!

-- Bruno Domingues

Re: Get "PKI configuration failed" error when provisioning vPro device

webadmin@intel.com — Mon, 25 Apr 2011 05:57:17 GMT

Hi Steve,

I enabled DHCP on Server A. On the client computer, set to get IP addresss automatically from DHCP server. After that, the client computer is provisioning correctly without any problems. Thanks!

Re: Get "PKI configuration failed" error when provisioning vPro device

webadmin@intel.com — Fri, 22 Apr 2011 17:57:20 GMT

I don't have an Intel SCS 5.3 user guide, but the 5.2 version did not have a good description of how to add your own PKI certificate. The Intel SCS 6.0 user guide does seem to provide detailed steps. Take a look at the steps in the attached doc. I'll check with the experts here to see if the Intel SCS 6.0 process is the same for Intel SCS 5.3.

Get "PKI configuration failed" error when provisioning vPro device

webadmin@intel.com — Fri, 22 Apr 2011 10:24:07 GMT

Hi,

We have built a testing environment to set up vPro using PKI mode. However, the vPro client is not provisioning properly with the following error messages in SCS console event log:

1214,ERROR!,Error Configuring Intel AMT device: Failed to connect to un-configured Intel AMT device at IP 16.178.122.130: Proper certificate that matches the pre loaded certificate was not found in the user certificate store. PKI configuration failed.,4/22/2011 5:27:07 PM,17410FFB-A956-11DC-BBDA-FE9DD0E9000F,2202,DEVHPCAE\Administrator,WPS2008,
1214,ERROR!,Proper certificate that matches the pre loaded certificate was not found in the user certificate store. PKI configuration failed.,4/22/2011 5:27:07 PM,17410FFB-A956-11DC-BBDA-FE9DD0E9000F,1205,,WPS2008,

Our testing environment:

Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated
Client A: Windows 2003 + vPro 3.2.2 AMT version

The procedure to install and configure vPro testing environment is described below:

We are using PKI mode so we install a Certificate Authority on Server A .
Create a certificate template and issue the client certificate template on Server A
On Server A, request a certificate. In the "Identifying Information For Offline Template, the Name:" field specifiy the fully qualified
name of the Provisioning Server (Server A).
Install the client certificate on Server A. Export the client certificate.
Open the root certificate. On the Details tab, note down the certificate hash value in the Thumbprint field. Export the root certificate.
On Server A, create new Profile in SCS Console. Enable TLS. Create a digest user and give it PT administration right.
Start Client A, then press Ctrl+P during startup to enter the Intel MEBX. Manually enter the matching certificate hash value which is obtained from step 5. Input other necessary fields in MEBX.
vPro Client A is provisioning automatically. The target vPro device appear in SCS console but with its provisioning status "Not Configured".
We are starting to get the above "PKI configuration failed" errors now.

Please help to check if I am doing anything wrong. Attached the event log file. Thanks!