We're getting an error on our subordinate certificate authority logged very frequently (probably for each provisioning attempt).
The "Windows default" Exit Module "Notify" method returned an error. The requested property value is empty. The returned status code is 0x80094004 (-2146877436). The Certification Authority was unable to send an email notification for EXITEVENT_CERTISSUED to ???.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
I just found a thread over on the Microsoft Technet forums from October 2008 by some guy named Matt Royer.
It sounds like he knows what he's talking about.
Matt, could you possibly expand on what your issue was back then? What exactly did you mean by an "expired CRL"?
The errors that you and I have experienced are slightly different, but it appears that there may be an issue related to our subordinate CA configuration somehow.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
For this issue...
Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary.
... the CRL or Certificate Revocation List was expired on the Subordinate/Issuing CA.
I would take a look at the following TechNet Articles.
--Matt Royer
Matt,
I actually had the server team check this out, and our CRL isn't expired (still not sure what that means).
I opened a ticket with Microsoft earlier today on this issue.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
FYI, this is still an issue. I could use some recommendations ...
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
So, the issue was related to an expired CRL on the subordinate CA. There are two locations on the subordinate CA where the CRL is stored, and one of them was out of date. The CRL is stored in c:\inetpub\wwwroot\certsrv (I think), and also c:\windows\system32\certsrv\certenroll. The copy of the CRL in the former location was correct, but for some reason, the CRL was being pulled from the System32 location. This was validated by using the command: certutil -urlfetch -verify vProClientCert.cer.
I've attached two log files with the output from the certutil command, before and after fixing the problem. In the badlog.txt file, you'll see a lot more errors about failing the revocation check than in the goodlog.txt.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Hey guys,
I have a brand new Dell Optiplex 755 running BIOS A11 and AMT Firmware 3.2.1. I'm having trouble provisioning it. Everything works up until the certificate request is made from our certificate server, however. I'm getting the below messages in the amtproxymgr.log (not amtopmgr.log) on the ConfigMgr site server.
I had one of the guys on our server team check out the certificate server, and it is creating multiple certificates for the same client, and automatically approving them (as is proper), but for some reason, the site server is rejecting the certificate during the verification of the certificate chain. Our internal root CA certificate is in the Trusted Root CA store on the site server, and I have successfully provisioned other clients before.
I have also verified that this is not the self-signed certificate issue, because I have manually unprovisioned the device in SMB mode, and also pulled the CMOS battery to reset back to factory defaults. The same behavior is persisting.
DNS also is not a problem, as I have verified the forward and reverse records for the client from the site server. DHCP option 15 is also set properly. If either of these were the issue, we wouldn't be getting as far as we are in the provisioning process.
Found instruction file: D:\SMS\inboxes\amtproxymgr.box\{50830F19-8E2D-410A-A75B-EC5F0A32F96E}.apx
Processing Instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;
Request certificate task begin to read Site Control File.
Changes to the site control file settings detected.
Request certificate task success to read parameters from Site Control File.
Request certificate task success to connect to the SQL database.
ERROR: CertCreateCertificateContext failed: 0x80093102, msg=ASN1 unexpected end of data.~
Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary.
Request certificate task disConnected to the SQL database.
INFO: Enter process request 1
INFO: Save Request
INFO: Add new request
Certificate for vproclient.vprodemo.com has been retrieved.
ERROR: CertGetCertificateChain(...) failed: 0x1000040
ERROR: HandleDisposition failed: the root certificate of the CA is not at the Trust List!
INFO: Enter process request 3
INFO: Delete Request
INFO: Request to delete found
STATMSG: ID=7601 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_PROXY_COMPONENT" SYS=PROVSERVER SITE=123 PID=8536 TID=2220 GMTDATE=Thu Jan 08 21:28:22.411 2009 ISTR0="vproclient.vprodemo.com" ISTR1="certserver.vprodemo.com" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
Failed to run instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;
Finished Executing Instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;
Thanks,
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
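Added example, not part of the original thread: a small triage script for the "CertGetCertificateChain(...) failed" lines in the log above. It assumes the logged value is the chain's CERT_TRUST_STATUS error bitmask (the page does not say so) and decodes it with the flag values from wincrypt.h; the function names and the third sample line are constructed for illustration.

```python
import re

# CERT_TRUST_STATUS.dwErrorStatus bits from wincrypt.h (subset used in chain building).
CERT_TRUST_ERRORS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
# Bits that mean "revocation could not be checked" rather than "chain is untrusted".
REVOCATION_BITS = 0x00000040 | 0x01000000
CHAIN_FAIL = re.compile(r"CertGetCertificateChain\(\.\.\.\) failed: (0x[0-9A-Fa-f]+)")

# First two lines are copied from the log on this page; the third is constructed for contrast.
SAMPLE_LOG = """\
Certificate for vproclient.vprodemo.com has been retrieved.
ERROR: CertGetCertificateChain(...) failed: 0x1000040
ERROR: CertGetCertificateChain(...) failed: 0x20
"""

def decode_trust_status(value):
    """Return the names of the flags set in value, lowest bit first; unknown bits as hex."""
    names = [name for bit, name in sorted(CERT_TRUST_ERRORS.items()) if value & bit]
    unknown = value & ~sum(CERT_TRUST_ERRORS)
    if unknown:
        names.append(hex(unknown))
    return names

def classify(value):
    """Map a trust-status bitmask to the first thing an operator should check."""
    if value & 0x20:
        return "untrusted-root"
    if value & 0x04:
        return "revoked"
    if value and not value & ~REVOCATION_BITS:
        return "revocation-check-unavailable"  # look at the CRL/CDP, not the root store
    return "other"

def triage(log_text):
    """Return (raw value, flag names, cause) for every chain-building failure in the log."""
    hits = (CHAIN_FAIL.search(line) for line in log_text.splitlines())
    return [(m.group(1), decode_trust_status(int(m.group(1), 16)),
             classify(int(m.group(1), 16))) for m in hits if m]

if __name__ == "__main__":
    for raw, flags, cause in triage(SAMPLE_LOG):
        print(raw, cause, ", ".join(flags))
```

Under that assumption, 0x1000040 carries only the two revocation flags and not the untrusted-root bit, which is consistent with the expired-CRL resolution reported in this thread.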

