More discussions in Intel® vPro™ Expert CenterWhere is this place located?
4 Replies Latest reply: May 12, 2011 8:13 AM by pearsonp RSS

Get "PKI configuration failed" error when provisioning vPro device

Pearson Peng Community Member
Pearson Peng Apr 22, 2011 4:24 AM
Currently Being Moderated

Hi,

 

We have built a testing environment to set up vPro using PKI mode. However, the vPro client is not provisioning properly with the following error messages in SCS console event log:

 

1214,ERROR!,Error Configuring Intel AMT device: Failed to connect to un-configured Intel AMT device at IP 16.178.122.130: Proper certificate that matches the pre loaded certificate was not found in the user certificate store. PKI configuration failed.,4/22/2011 5:27:07 PM,17410FFB-A956-11DC-BBDA-FE9DD0E9000F,2202,DEVHPCAE\Administrator,WPS2008,
1214,ERROR!,Proper certificate that matches the pre loaded certificate was not found in the user certificate store. PKI configuration failed.,4/22/2011 5:27:07 PM,17410FFB-A956-11DC-BBDA-FE9DD0E9000F,1205,,WPS2008,

 

 

  • Our testing  environment:

 

  1. Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated
  2. Client A:  Windows 2003 + vPro 3.2.2 AMT version

 

  • The procedure to install and configure vPro testing environment is described below:

 

  1. We are using PKI mode so we install a Certificate Authority on Server A .
  2. Create a certificate template and issue the client certificate template on Server A
  3. On Server A, request a certificate. In the "Identifying Information For Offline Template, the Name:" field specifiy the fully qualified
    name of the Provisioning Server (Server A).
  4. Install the client certificate on Server A. Export the client certificate.
  5. Open the root certificate. On the Details tab, note down the certificate hash value in the Thumbprint field. Export the root certificate.
  6. On Server A, create new Profile in SCS Console. Enable TLS. Create a digest user and give it PT administration right.
  7. Start Client A, then press Ctrl+P during startup to enter the Intel MEBX. Manually  enter the matching certificate hash value which is obtained from step 5. Input other necessary fields in MEBX.
  8. vPro Client A is provisioning automatically. The target vPro device appear in SCS console but with its provisioning status "Not Configured".
  9. We are starting to get the above "PKI configuration failed" errors now.

 

Please help to check if I am doing anything wrong. Attached the event log file. Thanks!

  • 1. Re: Get "PKI configuration failed" error when provisioning vPro device
    Steve Lewis Community Member
    Steve Lewis Apr 22, 2011 12:25 PM (in response to Pearson Peng)
    Currently Being Moderated

    I don't have an Intel SCS 5.3 user guide, but the 5.2 version did not have a good description of how to add your own PKI certificate.  The Intel SCS 6.0 user guide does seem to provide detailed steps.  Take a look at the steps in the attached doc.  I'll check with the experts here to see if the Intel SCS 6.0 process is the same for Intel SCS 5.3.

  • 2. Re: Get "PKI configuration failed" error when provisioning vPro device
    Bruno Domingues Community Member
    Bruno Domingues Apr 25, 2011 7:49 AM (in response to Pearson Peng)
    Currently Being Moderated

    Peng,

     

         I have few comments and clues about why you are failing to provisioning your vPro machine (comments inline)

     

    • Our testing  environment:

     

    1. Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated

        >> where is your DHCP, for PKI DHCP with option 15 and 81 is a requirement

    1. Client A:  Windows 2003 + vPro 3.2.2 AMT version

         >> why are you using a server OS instead o client (e.g. Win XP, Vista, 7)? do you have the HECI/LMS driver installed?

     

    • The procedure to install and configure vPro testing environment is described below:

     

    1. We are using PKI mode so we install a Certificate Authority on Server A .
    2. Create a certificate template and issue the client certificate template on Server A

        >> Did you follow this procedures to create the template?

    1. On  Server A, request a certificate. In the "Identifying Information For  Offline Template, the Name:" field specifiy the fully qualified
      name of the Provisioning Server (Server A).
    2. Install the client certificate on Server A. Export the client certificate.
    3. Open  the root certificate. On the Details tab, note down the certificate  hash value in the Thumbprint field. Export the root certificate.
    4. On Server A, create new Profile in SCS Console. Enable TLS.

        >> If you would like to use TLS, you must create also a web cliente template

               You must be aware that provisioning using PKI means use of one certificate for provisioning must be issues, but you don't need issue client certificates to establish TLS connection   

    Create a digest user and give it PT administration right.

    1. Start  Client A, then press Ctrl+P during startup to enter the Intel MEBX.  Manually  enter the matching certificate hash value which is obtained  from step 5. Input other necessary fields in MEBX.
    2. vPro  Client A is provisioning automatically. The target vPro device appear in  SCS console but with its provisioning status "Not Configured".
    3. We are starting to get the above "PKI configuration failed" errors now.

         >> DHCP is an important piece here, your client uses suffix DNS presented by DHCP to validate the certificate.

     

    Best Regards!

    -- Bruno Domingues

  • 3. Re: Get "PKI configuration failed" error when provisioning vPro device
    Pearson Peng Community Member
    Pearson Peng Apr 25, 2011 7:48 AM (in response to Steve Lewis)
    Currently Being Moderated

    Hi Steve,

     

    I enabled DHCP on Server A. On the client computer, set to get IP addresss automatically from DHCP server. After that, the client computer is provisioning correctly without any problems. Thanks!

  • 4. Re: Get "PKI configuration failed" error when provisioning vPro device
    pearsonp May 12, 2011 8:13 AM (in response to Bruno Domingues)
    Currently Being Moderated

    Hi Bruno,

     

    Sorry for the delay. We are very busy these days to deal with the issues. Regarding your commments, please see my answers in RED:

    • Our testing  environment:

    1. Server A: Windows 2008 + IIS7.0 + SCS 5.3 + SQL Server 2005 + Domain Controller with DNS Server integrated

        >> where is your DHCP, for PKI DHCP with option 15 and 81 is a requirement

    --We didn't enable DHCP before. Once it is enabled, everything is OK.

    1. Client A:  Windows 2003 + vPro 3.2.2 AMT version

         >> why are you using a server OS instead o client (e.g. Win XP, Vista, 7)? do you have the HECI/LMS driver installed?

    --We built another environment with Windows 7 client. Both Windows 7 and Windows 2003 are provisioned OK. HECI/LMS driver is installed on both client devices

    • The procedure to install and configure vPro testing environment is described below:

    1. We are using PKI mode so we install a Certificate Authority on Server A .
    2. Create a certificate template and issue the client certificate template on Server A

        >> Did you follow this procedures to create the template?

    --I created a client authentication template with "Client Authentication" policy and another policy with Oid 2.16.840.1.113741.1.2.1

     

    1. On  Server A, request a certificate. In the "Identifying Information For  Offline Template, the Name:" field specifiy the fully qualified
      name of the Provisioning Server (Server A).
    2. Install the client certificate on Server A. Export the client certificate.
    3. Open  the root certificate. On the Details tab, note down the certificate  hash value in the Thumbprint field. Export the root certificate.
    4. On Server A, create new Profile in SCS Console. Enable TLS.

        >> If you would like to use TLS, you must create also a web cliente template

               You must be aware that provisioning using PKI means use of one certificate for provisioning must be issues, but you don't need issue client certificates to establish TLS connection  

    --I didn't find any reference about the "web client template" . I just create another template with "Server Authentication" policy and another policy with Oid 2.16.840.1.113741.1.2.3

    --Now we use TLS mutual authentication

     

    Create a digest user and give it PT administration right.

    1. Start  Client A, then press Ctrl+P during startup to enter the Intel MEBX.  Manually  enter the matching certificate hash value which is obtained  from step 5. Input other necessary fields in MEBX.
    2. vPro  Client A is provisioning automatically. The target vPro device appear in  SCS console but with its provisioning status "Not Configured".
    3. We are starting to get the above "PKI configuration failed" errors now.

        >> DHCP is an important piece here, your client uses suffix DNS presented by DHCP to validate the certificate.

    --After DHCP is enabled, everything is fine.

    Best Regards!

    -- Bruno Domingues





Actions

More Like This

  • Retrieving data ...

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points