10 Replies Last post: Oct 20, 2008 11:18 PM by Matt Royer  
Jean McCabe   11 posts since
Aug 11, 2008

Aug 12, 2008 2:01 AM

Second stage provisioning fails because there is a Winhttp proxy

 

Does anyone have any ideas on how to resolve the following issue?

 

 

The status of a client (AMT 3.2.1) system shows provisioned in the SCCM console. I can also open the Out Of Band console by right clicking on the client in the SCCM console (could not do this previously). However connection to the client still fails. I have discovered that the 2nd stage provision on AMT device fails. Please refer to the extract of the amtopmgr.log file.

 

 

The PKI infrastructure is in place (AMT client has certificate and AMT status on client also shows provisioned) and I have created the OU for OOBM in AD and granted the SCCM computer account full control in AD OOBM OU and child objects. In addition the SCCM AMT Operations Manager component logged the following: Provisioning failed because there is a winhttp proxy.

 

 

We are running the SCCM Primary site server on a VM in Hyper-V. I had the Out of Band service point configured on the Primary site server. Thinking that this might be a problem (because of the VM environment), I relocated the Out of Band service point role to another Physical W2K8 host. This system has the Hyper-V role installed which implies that it has a virtual network adapter. The out of band service point is not located in a VM though. I attempted the process again, however same result. Hyper-V creates a separate virtual network... not sure whether this is the problem. Obviously this is a lab/testing environment.

 

 

Any assistance will be appreciated.

 

 

Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Provision target is indicated with SMS resource id. (MachineId = 49 XV.bcxhpw.lcl) SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=HPW-HOST1 SITE=C01 PID=6852 TID=6764 GMTDATE=Mon Aug 11 08:05:44.817 2008 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 6764 (0x1A6C)

Found valid basic machine property for machine id = 49. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

The provision mode for device XV.bcxhpw.lcl is 1. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Create provisionHelper with (Hash: 01E12F9F096DF5995D4DA60EDC2C786DD2458D37) SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

Try to use provisioned account (random generated password) to connect target machine XV.bcxhpw.lcl... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:44 AM 4872 (0x1308)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:45 AM 6764 (0x1A6C)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:45 AM 6764 (0x1A6C)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:45 AM 6764 (0x1A6C)

Succeed to connect target machine XV.bcxhpw.lcl and core version with 3.2.1 using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:48 AM 4872 (0x1308)

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Get device provisioning state is Post Provisioning SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Machine XV.bcxhpw.lcl will be added and published to AD and OU is LDAP://HPW-DC.bcxhpw.lcl/OU=Out of Band Management Controllers,DC=bcxhpw,DC=lcl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Send request to AMT proxy component to add machine XV.bcxhpw.lcl to AD. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Successfully created instruction file for AMT proxy task: C:\SMS\MP\OUTBOXES\amtproxy.box SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Processing provision on AMT device XV.bcxhpw.lcl... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Start 2nd stage provision on AMT device XV.bcxhpw.lcl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

session params : https://XV.bcxhpw.lcl:16993 , 11001 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

Delete existing ACLs... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: Cannot Enumerate User Acl Entries. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: Can not finish WSMAN call with target device. Check if there is a winhttp proxy to block connection. (MachineId = 49) SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

STATMSG: ID=7208 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=HPW-HOST1 SITE=C01 PID=6852 TID=4872 GMTDATE=Mon Aug 11 08:05:53.382 2008 ISTR0="XV.bcxhpw.lcl" ISTR1="XV.bcxhpw.lcl" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Add ACLs.. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: failed to Add User Acl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

Set Ping Response with true... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:53 AM 4872 (0x1308)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: Failed to put changes to AMT_GeneralSettings instance. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetPingResponse SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Set Kerberos options... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: Failed to get AMT_KerberosSettingData instance. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetKerberosOptions SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Set active power schema to 5.. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

ERROR: Invoke(Enumerate) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: Failed to enumerate AMT_SystemPowerScheme instance. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetActivePowerScheme SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Enable WebUI with true.. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: Failed to Invoke AMT_WebUIService::RequestStateChange_INPUT Action. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::EnabledWebUI SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Enable SOL with true and IDER with true.. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: AMT_RedirectionService Invoke RequestStateChange failed: hr = 0x80072f8f SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetEnabledInterfaceSOLIDER. Check and enable IDER/SOL option in ME BIOS settings. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Finished 2nd stage provision on AMT device XV.bcxhpw.lcl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Finished provision on AMT device XV.bcxhpw.lcl with configuration code (0)! SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Link provisioned AMT machine with current profile' SID=2 MUF=0 PCNT=5, P1='24' P2='2008-08-11 08:05:55' P3='1' P4='2' P5='3.2.1' SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

CStateMsgReporter::DeliverMessages - Created state message file: C:\SMS\MP\OUTBOXES\StateMsg.box\2bghyng1.SMX SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:55 AM 4872 (0x1308)

 





Matt Royer   154 posts since
Aug 31, 2007
1. Aug 12, 2008 5:22 PM in response to: Jean McCabe
Re: Second stage provisioning fails because there is a Winhttp proxy

 

I'm assuming your SCCM Server is...

 

 

--Matt Royer

 

 

Matt Royer   154 posts since
Aug 31, 2007
3. Aug 13, 2008 2:28 AM in response to: Jean McCabe
Re: Second stage provisioning fails because there is a Winhttp proxy

You mentioned that AMT Client has a certificate; however, taking a closer look at the log files you posted, I am not seeing any reference to the SCCM creating the AMT Web Certificate on behalf of the AMT client.

 

 

Your log

 

 

Machine XV.bcxhpw.lcl will be added and published to AD and OU is LDAP://HPW-DC.bcxhpw.lcl/OU=Out of Band Management Controllers,DC=bcxhpw,DC=lcl. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)
Send request to AMT proxy component to add machine XV.bcxhpw.lcl to AD. SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)
Successfully created instruction file for AMT proxy task: C:\SMS\MP\OUTBOXES\amtproxy.box SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)
Processing provision on AMT device XV.bcxhpw.lcl... SMS_AMT_OPERATION_MANAGER 2008/08/11 10:05:51 AM 4872 (0x1308)
Start 2nd stage provision on AMT device XV.bcxhpw.lcl.

Successful Provision I have done (snippet)

 

Machine vPro-Client.vprodemo.com will be added and published to AD and OU is LDAP://vprodemodc.vprodemo.com/OU=Out of Band Management Controllers,DC=vprodemo,DC=com. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)
Send request to AMT proxy component to add machine vPro-Client.vprodemo.com to AD. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)
Successfully created instruction file for AMT proxy task: C:\Program Files\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)
Processing provision on AMT device vPro-Client.vprodemo.com... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)
Send request to AMT proxy component to generate client certificate. (MachineId = 3) SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)
Successfully created instruction file for AMT proxy task: C:\Program Files\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)
Wait 20 seconds to find client certificate for AMT device vPro-Client.vprodemo.com being generated again... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:51 AM 1428 (0x0594)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:59 AM 5688 (0x1638)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:29:59 AM 5688 (0x1638)
RETRY(1) - Validate client certificate for AMT device vPro-Client.vprodemo.com being generated. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:11 AM 1428 (0x0594)
Found client certificate already being generated for AMT device vPro-Client.vprodemo.com. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:11 AM 1428 (0x0594)
Start 1st stage provision on AMT device vPro-Client.vprodemo.com. (SOAP) SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:11 AM 1428 (0x0594)
SecurityAdministration.ClearTLSCredentials finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:15 AM 1428 (0x0594)
NetworkTime.GetLowAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:18 AM 1428 (0x0594)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:19 AM 5688 (0x1638)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:19 AM 5688 (0x1638)
NetworkTime.SetHighAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:20 AM 1428 (0x0594)
NetworkAdmin.SetHostName finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:24 AM 1428 (0x0594)
NetworkAdmin.SetDomainName finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:28 AM 1428 (0x0594)
SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:37 AM 1428 (0x0594)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:39 AM 5688 (0x1638)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:39 AM 5688 (0x1638)
SecurityAdministration.SetTlsServerAuthentication finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:40 AM 1428 (0x0594)
SecurityAdministration.GetDigestRealm finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:44 AM 1428 (0x0594)
SecurityAdministration.SetAdminAclEntryEx finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:48 AM 1428 (0x0594)
SecurityAdministration.SetMEBxPassword finished with HResult = 0x0, status = 0x10, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:52 AM 1428 (0x0594)
We can't set MEBx password at this time. Admin may have already changed this. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:52 AM 1428 (0x0594)
SecurityAdministration.CommitChanges finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:56 AM 1428 (0x0594)
Finished 1st stage provision on AMT device vPro-Client.vprodemo.com. Sleep 5 seconds for 2nd stage provision. SMS_AMT_OPERATION_MANAGER 8/10/2008 11:30:56 AM 1428 (0x0594)

Start 2nd stage provision on AMT device XV.bcxhpw.lcl

It looks like in your case, it gets to right before the step of "send request to AMT proxy component to generate client certificate" and jumps to second stage provision.

 

 

I'm assuming you have configured the "Certificate Template" in the SCCM Out of Band Management Properties? If so, was the certificate for the AMT client generated on Certificate Authority? Can you also double check to see if the AMT Object was created in the Out of Band Management Controllers OU. What does the Amtproxymgr.log have to say?

 

 

--Matt Royer

Matt Royer   154 posts since
Aug 31, 2007
5. Aug 13, 2008 1:42 PM in response to: Jean McCabe
Re: Second stage provisioning fails because there is a Winhttp proxy

 

Jean,

 

 

 

 

To confirm... You selected the AMT Web certificate template (that you created on your certificate authority) under "Certificate Template" in the SCCM Out of Band Management Properties and this resolved your issue?

 

 

 

 

--Matt Royer

 

 

Jtech138   2 posts since
Oct 17, 2008
7. Oct 17, 2008 3:37 PM in response to: Matt Royer
Re: Second stage provisioning fails because there is a Winhttp proxy

 

Hi Matt, can you post the log for 2nd stage provisioning? I got all the same log you posted for stage 1 provisioning but am still getting that WINHTTP proxy error.

 

 

Here is my log

 

 

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Provision target is indicated with SMS resource id. (MachineId = 33 CMLAB-NY-PX19.cmlab.com) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Start to send a basic machine property creation request to FDM. (MachineId = 33) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Fill Machine Property' SID=1 MUF=0 PCNT=5, P1='CMLAB-NY-PX19' P2='8913000059B0DD3A8AC4EE5F39479699EFEA23F1438FD88915B21931ABE914224B1DB14F6BB9E7845FC91EFB1400000042000000480000000366000000000000B8217190F8E72BE55816450AD3F561AF898303C775F2A58D6D520BFC5079D7C91629CE8A05CDF70DAEE50FED0CA458EB1420307D8CC72968907DAF4A9EB832C0137BFECD11111C580043' P3='CMLAB-NY-PX19.cmlab.com' P4='admin' P5='D23C3E23DF17A188E1DF45AB328E8DF1C4519523' SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

CStateMsgReporter::DeliverMessages - Created state message file: D:\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\iphmyk1r.SMX SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

The provision mode for device CMLAB-NY-PX19.cmlab.com is 1. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Create provisionHelper with (Hash: 02F11146224794187F0664971630BDB5CCB0A0AC) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Try to use provisioning account to connect target machine CMLAB-NY-PX19.cmlab.com... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:09 PM 5480 (0x1568)

Succeed to connect target machine CMLAB-NY-PX19.cmlab.com and core version with 3.2.1 using provisioning account #0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:13 PM 5480 (0x1568)

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:16 PM 5480 (0x1568)

Get device provisioning state is In Provisioning SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:16 PM 5480 (0x1568)

Passed OTP check on AMT device CMLAB-NY-PX19.cmlab.com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Machine CMLAB-NY-PX19.cmlab.com will be added and published to AD and OU is LDAP://OU=Out of Band Management Controllers,OU=NewYork,OU=Americas,OU=AllOffices,DC=cmlab,DC=com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Send request to AMT proxy component to add machine CMLAB-NY-PX19.cmlab.com to AD. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Successfully created instruction file for AMT proxy task: D:\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Processing provision on AMT device CMLAB-NY-PX19.cmlab.com... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Send request to AMT proxy component to generate client certificate. (MachineId = 33) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Successfully created instruction file for AMT proxy task: D:\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

Wait 20 seconds to find client certificate for AMT device CMLAB-NY-PX19.cmlab.com being generated again... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:20 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:29 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:29 PM 2816 (0x0B00)

RETRY(1) - Validate client certificate for AMT device CMLAB-NY-PX19.cmlab.com being generated. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:40 PM 5480 (0x1568)

Found client certificate already being generated for AMT device CMLAB-NY-PX19.cmlab.com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:40 PM 5480 (0x1568)

Start 1st stage provision on AMT device CMLAB-NY-PX19.cmlab.com. (SOAP) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:40 PM 5480 (0x1568)

SecurityAdministration.ClearTLSCredentials finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:44 PM 5480 (0x1568)

NetworkTime.GetLowAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:47 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:49 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:49 PM 2816 (0x0B00)

NetworkTime.SetHighAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:49 PM 5480 (0x1568)

NetworkAdmin.SetHostName finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:53 PM 5480 (0x1568)

NetworkAdmin.SetDomainName finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:48:56 PM 5480 (0x1568)

SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:05 PM 5480 (0x1568)

SecurityAdministration.SetTlsEnabled finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:09 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:09 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:09 PM 2816 (0x0B00)

SecurityAdministration.GetDigestRealm finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:13 PM 5480 (0x1568)

SecurityAdministration.SetAdminAclEntryEx finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:17 PM 5480 (0x1568)

SecurityAdministration.SetMEBxPassword finished with HResult = 0x0, status = 0x10, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:21 PM 5480 (0x1568)

We can't set MEBx password at this time. Admin may have already changed this. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:21 PM 5480 (0x1568)

SecurityAdministration.CommitChanges finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:25 PM 5480 (0x1568)

Finished 1st stage provision on AMT device CMLAB-NY-PX19.cmlab.com. Sleep 5 seconds for 2nd stage provision. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:25 PM 5480 (0x1568)

AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:29 PM 2816 (0x0B00)

AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:29 PM 2816 (0x0B00)

Start 2nd stage provision on AMT device CMLAB-NY-PX19.cmlab.com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:30 PM 5480 (0x1568)

session params : https://CMLAB-NY-PX19.cmlab.com:16993 , 11001 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:30 PM 5480 (0x1568)

Delete existing ACLs... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:30 PM 5480 (0x1568)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: Cannot Enumerate User Acl Entries. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: Can not finish WSMAN call with target device. Check if there is a winhttp proxy to block connection. (MachineId = 33) SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

STATMSG: ID=7208 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=CMLAB-NY-PRI SITE=NYL PID=2472 TID=5480 GMTDATE=Fri Oct 17 19:49:32.258 2008 ISTR0="CMLAB-NY-PX19.cmlab.com" ISTR1="CMLAB-NY-PX19.cmlab.com" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Add ACLs.. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: failed to Add User Acl. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Set Ping Response with true... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: Failed to put changes to AMT_GeneralSettings instance. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetPingResponse SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Set Kerberos options... SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: Failed to get AMT_KerberosSettingData instance. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetKerberosOptions SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Set active power schema to 5.. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

ERROR: Invoke(Enumerate) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: Failed to enumerate AMT_SystemPowerScheme instance. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetActivePowerScheme SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Enable WebUI with false.. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: Failed to Invoke AMT_WebUIService::RequestStateChange_INPUT Action. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::EnabledWebUI SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Enable SOL with true and IDER with true.. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

ERROR: Invoke(invoke) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: AMT_RedirectionService Invoke RequestStateChange failed: hr = 0x80072f8f SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetEnabledInterfaceSOLIDER. Check and enable IDER/SOL option in ME BIOS settings. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Finished 2nd stage provision on AMT device CMLAB-NY-PX19.cmlab.com. SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

Finished provision on AMT device CMLAB-NY-PX19.cmlab.com with configuration code (254)! SMS_AMT_OPERATION_MANAGER 10/17/2008 3:49:32 PM 5480 (0x1568)

 

 

 

 

Thank you.

 

 

Matt Royer   154 posts since
Aug 31, 2007
8. Oct 20, 2008 9:39 PM in response to: Jtech138
Re: Second stage provisioning fails because there is a Winhttp proxy

 

Jtech,

 

 

I'm assuming that you have installed the following hotfixes?

 

 

 

 

Windows Server 2003 WinRM 1.1:

 

  • Description: Windows Remote Management improves hardware management in a network environment in which various devices run various operating systems. Windows Remote Management uses an interoperable standard protocol to help you monitor and manage computers.

  • URL: http://support.microsoft.com/kb/936059

 

 

 

Windows Server 2003 Hotfix (KB942841):

 

  • Description: A Windows Server 2003-based computer cannot make an SSL connection or a TLS connection to the out-of-band interface on an Intel Active Management Technology (AMT)-enabled computer

  • URL: http://support.microsoft.com/kb/942841

 

Complete list of SCCM OOB related Hotfixes and required software bundles: Required Software Bundles and HotFixes (KB’s) for System Center Configuration Manager SP1

 

 

 

 

--Matt Royer

 

 

Jtech138   2 posts since
Oct 17, 2008
9. Oct 20, 2008 10:18 PM in response to: Matt Royer
Re: Second stage provisioning fails because there is a Winhttp proxy

I am running SCCM R2 on Windows 2008. Is there a different set of hotfixes? Thanks.

Matt Royer   154 posts since
Aug 31, 2007
10. Oct 20, 2008 11:18 PM in response to: Jtech138
Re: Second stage provisioning fails because there is a Winhttp proxy

 

Those hotfixes should already be included within Windows 2008.

 

 

During stage 1 provisioning, SCCM uses a combination of the Remote Configuration certificate (PKI) and the default remote admin password to authenticate with the vPro client. The communication between the SCCM Out Of Band Service Point and the vPro client is secured through SSL with the AMT self-signed certificate on the vPro client. During this process an AD object is created, a TLS certificate for securing future AMT manageability is issued and pushed to the client, the remote admin password is set (which SCCM scrambles), and the changes are committed. At this point, the device is technically "provisioned". From the log this appears to be functioning just fine.

 

 

For second stage provisioning, the SCCM Out Of Band Service Point connects to the AMT client URL (via SSL using the PKI certificate issued during stage 1 provisioning) and authenticates with the remote admin password (which was scrambled and set during stage one provisioning). Once it has properly authenticated, it will set the ACLs, power policy, etc.; typically known as the "profile" configuration. This is the part that is failing for you.

 

 

So with that... If second stage provisioning is failing and you have all the required hotfixes, I would recommend checking the following.

 

  1. Ensure that your TLS certificate that was requested for the vPro client was properly generated.

    1. Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Server has the appropriate permission. SCCM SP1 Help File Article: "Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx); Section: "Preparing the Web Server Certificates for AMT-Based Computers".

    2. Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "How to Configure AMT Provisioning" (http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx); Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.

    3. Open up the certificate on the issuing CA and confirm that it was issued to the FQDN of the vPro Client.

    4. Using a web browser, connect to https://<fqdn_of_vpro_client>:16993/ (i.e. https://cmlab-ny-px19.cmlab.com:16993/) and ensure that you do not get any certificate errors when you connect to the vPro client manageability URL. It should appear as a valid secure website; look at the SSL connection in the web browser (quickest way is to double click on that lock icon in the bottom right hand corner of the web browser window) and ensure the certificate chains back to a root certificate authority in your SCCM trusted root CA store.

  2. The remote admin password may not have been set correctly during the provisioning process.

    1. Try provisioning the vPro client again and see if you get the same error; however, I would ensure your certificate for the vPro client is correct first.

 

On another note, SCCM R2 still requires the SCCM related hotfixes listed on Required Software Bundles and HotFixes (KB’s) for System Center Configuration Manager SP1.

 

 

 

 

 

--Matt Royer
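
An added example, not code from the thread or from SCCM: a Python triage of amtopmgr.log entries that applies the two checks from the replies above (was a client certificate request logged before 2nd stage, and does 2nd stage then fail with security errors), and decodes the logged HRESULT. The sample entries and host names are constructed, and the entry layout is assumed to match the lines pasted in this thread.

```python
import re

# Entry layout as pasted in the thread (assumed stable):
#   <message> SMS_AMT_OPERATION_MANAGER <date> <time> AM|PM <thread> (0x<hex>)
ENTRY = re.compile(r"^(?P<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+\S+\s+\S+\s+[AP]M"
                   r"\s+(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$")
STATE = re.compile(r"Get device provisioning state is (.+)$")
START_2ND = re.compile(r"Start 2nd stage provision on AMT device (\S+?)\.?$")
FAILED_CALL = re.compile(r"Fail to call AMTWSManUtilities::(\w+)")
HRESULT = re.compile(r"hr = (0x[0-9A-Fa-f]{8})")
FINISHED = re.compile(r"Finished provision on AMT device (\S+) with configuration code \((\d+)\)")

# Win32 error codes that can be wrapped in an HRESULT (facility 7).
WIN32_NAMES = {12175: "ERROR_WINHTTP_SECURE_FAILURE"}


def decode_hresult(text):
    """Split an HRESULT string into (facility, code, Win32 name or None)."""
    value = int(text, 16)
    facility, code = (value >> 16) & 0x7FF, value & 0xFFFF
    return facility, code, WIN32_NAMES.get(code) if facility == 7 else None


def hint_for(task):
    """Map the evidence to the checks suggested in the thread (paraphrased)."""
    if not task["security_errors"]:
        return "no 2nd-stage security errors"
    if not task["cert_requested"]:
        return "no client certificate request logged: check the Certificate Template setting"
    return "certificate was requested: check it matches the FQDN and chains to a trusted root"


def triage(log_text):
    """Return one summary dict per finished provisioning task, in log order."""
    tasks, open_tasks = [], {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank line, or a fragment without the component/thread trailer
        msg, tid = m.group("msg"), m.group("tid")
        if msg.startswith("Provision target is indicated"):
            open_tasks[tid] = {"device": None, "state": None, "cert_requested": False,
                               "second_stage": False, "security_errors": 0,
                               "failed_calls": [], "hresults": [], "config_code": None}
            continue
        task = open_tasks.get(tid)
        if task is None:
            continue  # worker-thread chatter outside any provisioning task
        if (s := STATE.search(msg)):
            task["state"] = s.group(1)
        elif "generate client certificate" in msg:
            task["cert_requested"] = True
        elif (s := START_2ND.search(msg)):
            task["device"], task["second_stage"] = s.group(1), True
        elif task["second_stage"] and "A security error occurred" in msg:
            task["security_errors"] += 1
        elif task["second_stage"] and (s := FAILED_CALL.search(msg)):
            task["failed_calls"].append(s.group(1))
        elif (s := HRESULT.search(msg)):
            task["hresults"].append(decode_hresult(s.group(1)))
        elif (s := FINISHED.search(msg)):
            task["config_code"] = int(s.group(2))
            task["hint"] = hint_for(task)
            tasks.append(open_tasks.pop(tid))
    return tasks


def _entry(msg, tid):
    # Builds a constructed log entry in the assumed layout.
    return f"{msg} SMS_AMT_OPERATION_MANAGER 1/1/2009 10:00:00 AM {tid} (0x{tid:04X})"


# Constructed sample: task on thread 4872 skips the certificate request,
# task on thread 5480 requests it; both fail in 2nd stage.
SAMPLE_LOG = "\n".join(_entry(m, t) for m, t in [
    ("Provision target is indicated with SMS resource id. (MachineId = 1 pc-a.example.test)", 4872),
    ("Get device provisioning state is Post Provisioning", 4872),
    ("AMT Provision Worker: Wait 20 seconds...", 6764),
    ("Start 2nd stage provision on AMT device pc-a.example.test.", 4872),
    ("Description: A security error occurred", 4872),
    ("Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs", 4872),
    ("Error: AMT_RedirectionService Invoke RequestStateChange failed: hr = 0x80072f8f", 4872),
    ("Finished provision on AMT device pc-a.example.test with configuration code (0)!", 4872),
    ("Provision target is indicated with SMS resource id. (MachineId = 2 pc-b.example.test)", 5480),
    ("Get device provisioning state is In Provisioning", 5480),
    ("Send request to AMT proxy component to generate client certificate. (MachineId = 2)", 5480),
    ("Finished 1st stage provision on AMT device pc-b.example.test. Sleep 5 seconds for 2nd stage provision.", 5480),
    ("Start 2nd stage provision on AMT device pc-b.example.test.", 5480),
    ("Description: A security error occurred", 5480),
    ("Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs", 5480),
    ("Finished provision on AMT device pc-b.example.test with configuration code (254)!", 5480),
])

if __name__ == "__main__":
    for t in triage(SAMPLE_LOG):
        print(t["device"], t["state"], t["failed_calls"], t["hresults"], "->", t["hint"])
```

To use it on a real log, pass the file's text to `triage()`; entries that lack the trailing component and thread fields are skipped.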
