21 Replies. Latest reply: Oct 3, 2008 2:54 PM by mamason

    OOB Management Console Connects to AMT-Based Computers but Does Not Display Information

    billc

       

      I used SCCMSP1 (build 4.00.6181.1000) to provision AMT 3.2.1 successfully and can remotely power the AMT machine on/off. However, when the out of band management console connects to the selected AMT-based computer, the console does not display any information. I checked <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log. It indicates the reason below: "GetAMTPowerState fail with result:0x80070035." This could be a configuration issue in the AMT-based computer's BIOS extensions for serial over LAN and IDE redirection. But I double-checked the setting and made sure "user name and password" is enabled for serial over LAN and IDE redirection. Is anything wrong with the setting?

       

       

       

       

       

       

       

      Thanks!

       

       

       

      Bill

       

       

        • 1. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
          miroyer

           

          Here are some things to double check.

           

          • Within "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management", ensure that the Kerberos user you are trying to connect with has been granted appropriate rights.

          • On your Certificate Authority that issues AMT certs for provisioning, make sure a cert was issued to your AMT clients.  If it was not, ensure that the "Out of Band Management" component configuration is set to use that CA and template, along with having the appropriate permission to request the cert.

          • Ensure the client object was created in the AD OU you specified in the "Out of Band Management" component configuration.  If it is not there, you need to adjust your permissions on the OU so that the SCCM computer object (what sms exec runs under) has access to add items to that OU.

           

          Any one of these can give you that symptom.  Double check for me and let me know what you find.

           

           

          Matt Royer

           

           

          • 2. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
            billc

             

            Hi Matt:

             

             

            Thanks for your help. Would you clarify where to add the Kerberos user in SCCM? Originally, I only added the "domain/administrator" user in "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "AMT settings" -> "AMT user accounts". Do I need to add the "Domain/admin" user to the list? Originally, I added administrator and admin into "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning settings" -> "AMT provisioning and Discovery Accounts". Would you clarify where to add AMT users?

             

             

            Second, I checked the AMT machine and found that provisioning was successful, and SCCM indicated it's provisioned. I can see the remote menu in SCCM. When I use IE to connect to the AMT machine with https://<IP address>:16993, the AMT machine responds with the logon homepage. When I log on with the admin user, it always asks me for the "<IP address>/admin" password. Does it mean that the Certificate Authority that issues AMT certs for provisioning did not issue a cert to my AMT clients? How do I check whether the CA issued the certificate to the AMT client?

             

             

            The last question is about Kerberos clock tolerance (minutes). I saw the "Kerberos clock tolerance (minutes)" item at the bottom of "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "AMT settings". Its default value is 5. What does it mean?

             

             

             

             

             

            Thanks!

             

             

            Bill

             

             

            • 3. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
              miroyer

               

              For the TLS connection to work correctly, you should be connecting through the web browser with the FQDN and not the IP address of the vPro client (https://client.domain.com:16993).  Although it should not matter, try adding a digest account via "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning Settings".  Once you do that, right click on the vPro client and select "Out of Band Management" -> "Update Provisioning Data in Management Controller Memory".  After you update the management controller, try running the OOB Console again.

              To give us a little more error reporting, change the error level of the Out of Band Console to "Verbose".  This can be done by changing "Error" to "Verbose" in the following file: c:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config

               

               

               

               

               

              Matt Royer

               

               

              • 4. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                liuxpa

                 

                I met the same issue. Here is the log info. Please tell me the reason why the OOB console cannot connect to AMT. Thanks.

                 

                 

                [2008-5-21 16:37:16] :OOBConsole: Trace started

                [2008-5-21 16:37:16] :Create AmtClientManager.

                [2008-5-21 16:37:18] :Executing WQL: 'SELECT * FROM SMS_Site WHERE ReportingSiteCode = '''

                [2008-5-21 16:37:18] :ResultObject: 'a21e57d8-5ec2-4275-bf3c-3eb069eae8b9'

                [2008-5-21 16:37:18] :Executing static method SMS_Identification.GetProviderVersion()

                [2008-5-21 16:37:18] :No method parameters specified

                [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.GetSessionHandle()

                [2008-5-21 16:37:18] :No method parameters specified

                [2008-5-21 16:37:18] :SCF session handle {6c809fc9-f9bd-425f-912c-4f1b884ff689} successfully aquired

                [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.RefreshScf()

                [2008-5-21 16:37:18] :Refresh of SCF successful

                [2008-5-21 16:37:18] :Initializer '{3F32691E-24B1-4b1e-9915-37B633F39392}', will no be run, unsupported application type

                [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.RefreshScf()

                [2008-5-21 16:37:18] :Refresh of SCF successful

                [2008-5-21 16:37:18] :Found Site code 'XYZ' for RefreshScf

                [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.RefreshScf()

                [2008-5-21 16:37:18] :Refresh of SCF successful

                [2008-5-21 16:37:18] :Adding key 'Default Floppy Path'

                [2008-5-21 16:37:18] :Adding key 'Default CD Path'

                [2008-5-21 16:37:18] :Adding key 'Enable WebUI'

                [2008-5-21 16:37:18] :Adding key 'Enable SOL'

                [2008-5-21 16:37:18] :Adding key 'Enable IDER'

                [2008-5-21 16:37:18] :Adding key 'Admin User Name'

                [2008-5-21 16:37:18] :Adding key 'Use Random Password'

                [2008-5-21 16:37:18] :Adding key 'VLan Mode'

                [2008-5-21 16:37:18] :Adding key 'Kerberos Max Clock Tolerance'

                [2008-5-21 16:37:18] :Adding key 'VLan Tag'

                [2008-5-21 16:37:18] :Adding key 'Enable Ping'

                [2008-5-21 16:37:18] :Adding key 'Max Partner Storage Size'

                [2008-5-21 16:37:18] :Adding key 'Max Non Partner Storage Size'

                [2008-5-21 16:37:18] :Adding key 'Bios10 Password'

                [2008-5-21 16:37:18] :Adding key 'Tls Encryption'

                [2008-5-21 16:37:18] :Adding key 'Nac Enabled'

                [2008-5-21 16:37:18] :Adding key 'Nac Cert'

                [2008-5-21 16:37:18] :Adding key 'New MEBx Password'

                [2008-5-21 16:37:18] :Adding key 'Enable Kerberos'

                [2008-5-21 16:37:18] :Adding key 'Provisioning Account'

                [2008-5-21 16:37:18] :Adding key 'Provisioning Account PWD'

                [2008-5-21 16:37:18] :Adding key 'TCP Provisioning Port'

                [2008-5-21 16:37:18] :Adding key 'Enable Hello Listener'

                [2008-5-21 16:37:18] :Adding key 'CA FQDN'

                [2008-5-21 16:37:18] :Adding key 'CS Name'

                [2008-5-21 16:37:18] :Adding key 'CS Type'

                [2008-5-21 16:37:18] :Adding key 'Cert Template'

                [2008-5-21 16:37:18] :Adding key 'Console Cert Template'

                [2008-5-21 16:37:18] :Adding key 'Bypass BIOS Password'

                [2008-5-21 16:37:18] :Adding key 'Register Provisioning Server'

                [2008-5-21 16:37:18] :Adding key 'Active Directory Container'

                [2008-5-21 16:37:18] :Adding key 'Translators'

                [2008-5-21 16:37:18] :Adding key 'Maintenance Schedule'

                [2008-5-21 16:37:18] :Adding key 'Enable CRL Checking'

                [2008-5-21 16:37:18] :Adding key 'Use Proxy'

                [2008-5-21 16:37:18] :Adding key 'Proxy Server Address'

                [2008-5-21 16:37:18] :Adding key 'Proxy Port'

                [2008-5-21 16:37:18] :Adding key 'Default Floppy Path'

                [2008-5-21 16:37:18] :Adding key 'Default CD Path'

                [2008-5-21 16:37:18] :Adding key 'Enable WebUI'

                [2008-5-21 16:37:18] :Adding key 'Enable SOL'

                [2008-5-21 16:37:18] :Adding key 'Enable IDER'

                [2008-5-21 16:37:18] :Adding key 'Admin User Name'

                [2008-5-21 16:37:18] :Adding key 'Use Random Password'

                [2008-5-21 16:37:18] :Adding key 'VLan Mode'

                [2008-5-21 16:37:18] :Adding key 'Kerberos Max Clock Tolerance'

                [2008-5-21 16:37:18] :Adding key 'VLan Tag'

                [2008-5-21 16:37:18] :Adding key 'Enable Ping'

                [2008-5-21 16:37:18] :Adding key 'Max Partner Storage Size'

                [2008-5-21 16:37:18] :Adding key 'Max Non Partner Storage Size'

                [2008-5-21 16:37:18] :Adding key 'Bios10 Password'

                [2008-5-21 16:37:18] :Adding key 'Tls Encryption'

                [2008-5-21 16:37:18] :Adding key 'Nac Enabled'

                [2008-5-21 16:37:18] :Adding key 'Nac Cert'

                [2008-5-21 16:37:18] :Adding key 'New MEBx Password'

                [2008-5-21 16:37:18] :Adding key 'Enable Kerberos'

                [2008-5-21 16:37:18] :Adding key 'Provisioning Account'

                [2008-5-21 16:37:18] :Adding key 'Provisioning Account PWD'

                [2008-5-21 16:37:18] :Adding key 'TCP Provisioning Port'

                [2008-5-21 16:37:18] :Adding key 'Enable Hello Listener'

                [2008-5-21 16:37:18] :Adding key 'CA FQDN'

                [2008-5-21 16:37:18] :Adding key 'CS Name'

                [2008-5-21 16:37:18] :Adding key 'CS Type'

                [2008-5-21 16:37:18] :Adding key 'Cert Template'

                [2008-5-21 16:37:18] :Adding key 'Console Cert Template'

                [2008-5-21 16:37:18] :Adding key 'Bypass BIOS Password'

                [2008-5-21 16:37:18] :Adding key 'Register Provisioning Server'

                [2008-5-21 16:37:18] :Adding key 'Active Directory Container'

                [2008-5-21 16:37:18] :Adding key 'Translators'

                [2008-5-21 16:37:18] :Adding key 'Maintenance Schedule'

                [2008-5-21 16:37:18] :Adding key 'Enable CRL Checking'

                [2008-5-21 16:37:18] :Adding key 'Use Proxy'

                [2008-5-21 16:37:18] :Adding key 'Proxy Server Address'

                [2008-5-21 16:37:18] :Adding key 'Proxy Port'

                [2008-5-21 16:37:18] :Executing static method SMS_SecuredObject.GetCollectionsWithResourcePermissions()

                [2008-5-21 16:37:18] :Executing WQL: 'SELECT SMS_R_System.NetbiosName, SMS_R_System.AMTFullVersion, SMS_R_System.ResourceNames from SMS_R_System where SMS_R_System.AMTStatus=3 and SMS_R_System.ResourceId=87'

                [2008-5-21 16:37:18] :ResultObject: '894f21a2-cb1c-47b9-b49c-0ff3ddf17f34'

                [2008-5-21 16:37:18] :status message Type:Audit, ID:0x000000004000765C, User:AMTDEMO\administrator, Machine:SCCM2007, Target:m57p100.amtdemo.com add to queue, waiting for report.

                [2008-5-21 16:37:18] :Resouceid(87).get AMT machine: name:m57p100;ip:m57p100.amtdemo.com;user:AMTDEMO\administrator

                [2008-5-21 16:37:18] :IMR_Init with C:\Program Files\Microsoft Configuration Manager\AdminUI\bin\imrsdk.ini success with Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.IMRVersion.

                [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.ReleaseSessionHandle()

                [2008-5-21 16:37:18] :SCF session handle {6c809fc9-f9bd-425f-912c-4f1b884ff689} has successfully released

                [2008-5-21 16:37:18] :IMR_AddClient with ip=m57p100.amtdemo.com and useTLS = True success with 0.

                [2008-5-21 16:37:18] :status message Type:Audit, ID:0x0000000040007665, User:AMTDEMO\administrator, Machine:SCCM2007, Target:m57p100.amtdemo.com add to queue, waiting for report.

                [2008-5-21 16:37:22] :GetAMTPowerState fail with result:0x80070005

                [2008-5-21 16:37:35] :GetAMTPowerState fail with result:0x80070005

                [2008-5-21 16:37:49] :GetAMTPowerState fail with result:0x80070005
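
Added example (not part of any post in this thread): a small Python parser that pulls the "fail with result:" lines out of an Oobconsole.log excerpt and decodes each HRESULT. The first four sample lines are copied from the log above; the last line is constructed, with an assumed timestamp, from the result code quoted in the opening post. Function names are hypothetical.

```python
import re

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code

# Win32 error codes seen in this thread (names and texts from winerror.h).
WIN32_ERRORS = {
    5: ("ERROR_ACCESS_DENIED", "Access is denied."),
    53: ("ERROR_BAD_NETPATH", "The network path was not found."),
}

# Matches e.g. "[2008-5-21 16:37:22] :GetAMTPowerState fail with result:0x80070005"
FAIL_RE = re.compile(
    r"^\s*\[(?P<ts>[^\]]+)\]\s*:(?P<op>\w+) fail with result:\s*"
    r"(?P<hr>0x[0-9A-Fa-f]{1,8})"
)

# First four lines: from the log posted in the thread. Last line: constructed
# (assumed timestamp) from the result code quoted in the opening post.
SAMPLE_LOG = """\
[2008-5-21 16:37:18] :IMR_AddClient with ip=m57p100.amtdemo.com and useTLS = True success with 0.
[2008-5-21 16:37:22] :GetAMTPowerState fail with result:0x80070005
[2008-5-21 16:37:35] :GetAMTPowerState fail with result:0x80070005
[2008-5-21 16:37:49] :GetAMTPowerState fail with result:0x80070005
[2008-5-21 16:38:02] :GetAMTPowerState fail with result:0x80070035
"""


def decode_hresult(hr):
    """Split a 32-bit HRESULT into severity, facility and code."""
    facility = (hr >> 16) & 0x1FFF  # same mask as the HRESULT_FACILITY macro
    code = hr & 0xFFFF
    name, text = None, None
    if facility == FACILITY_WIN32:
        name, text = WIN32_ERRORS.get(code, ("WIN32_ERROR_%d" % code, ""))
    return {
        "failed": bool(hr & 0x80000000),
        "facility": facility,
        "code": code,
        "win32_name": name,
        "win32_text": text,
    }


def summarize_failures(log_text):
    """Group '<operation> fail with result:<hresult>' lines by (operation, hresult)."""
    groups = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # success and trace lines are ignored
        hr = int(m.group("hr"), 16)
        key = (m.group("op"), hr)
        if key not in groups:
            groups[key] = dict(
                decode_hresult(hr),
                operation=m.group("op"),
                hresult="0x%08X" % hr,
                count=0,
                first=m.group("ts"),
            )
        groups[key]["count"] += 1
        groups[key]["last"] = m.group("ts")
    return list(groups.values())


if __name__ == "__main__":
    for f in summarize_failures(SAMPLE_LOG):
        print("%(operation)s %(hresult)s x%(count)d (%(first)s .. %(last)s): "
              "%(win32_name)s - %(win32_text)s" % f)
```

The two codes decode differently: 0x80070005 is an access-denied result, while 0x80070035 is a network-path result, so the two posters' logs are not reporting the same Win32 error.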

                 

                 

                • 5. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                  miroyer

                   

                  liuxpa, can you try the following...

                   

                   

                  Add a separate provisioning account by going to "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning Settings" tab; just create an account, something like "testaccount", with a password.  Once you do that, right click on the vPro client and select "Out of Band Management" -> "Update Provisioning Data in Management Controller Memory".  After waiting about a minute, try running the OOB Console again.

                  Like I mentioned above, this should not be necessary; however, I would like to see if this makes any difference for you.

                   

                   

                  Matt Royer

                   

                   

                  • 6. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                    billc

                     

                    Hi Matt:

                     

                     

                    I followed your guide and double-checked "Site Database" -> "Site Manager" -> "Site Server Name" -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning settings", added the admin, administrator and AMTtest users to the accounts, and ran "Update the Provisioning Data in Management Controller Memory", but I still can't see any AMT information in the OOB console. I can remotely power on/off/restart the machine, but I can't see the AMT data in the console. Is it a Kerberos user issue?

                    On the other hand, I used IE to connect to the AMT machine with the FQDN <https://amt-01.vprodemo.com;16993>. I can see the logon homepage, but it always asks me to log on with a user and password. I am sure I typed in the user correctly (I tried admin, AMTtest), but it still does not work. The situation is the same with <https://192.168.0.100;16993>. I think the issue is the same as the console problem above. Do you have any suggestions for the settings? What can I check in the setup?

                     

                     

                     

                     

                     

                     

                     

                     

                    Thanks!

                     

                     

                    Bill

                     

                     

                    • 7. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                      miroyer

                       

                      Bill,

                       

                       

                      There are 2 additional things I would recommend double checking.

                       

                       

                      The first is that a certificate for the vPro client (in your case amt-01.vprodemo.com) was issued by the Certification Authority defined within "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" and is not expired.  If you are able to connect to https://amt-01.vprodemo.com:16993 (or the FQDN of the client having the issues) without being issued a warning by Internet Explorer that the certificate is invalid, the certificate should be fine; however, I would double check on your CA that the certificate was actually issued for the FQDN of your vPro client (make sure you view the certificate detail and confirm).  If it wasn't, you need to ensure that your Enterprise CA is configured within the Out of Band Management Component Configuration and that the computer account (the computer name object) that the Site Server is running under has Read, Enroll, and Auto Enroll for the Certificate Template that is used to issue the cert.  Note that I have seen issues where a cert was generated but was given the FQDN of the SCCM site server if the permissions were not set correctly, and this cert is then pushed to the vPro client with the wrong FQDN in the certificate.

                      The second thing is to validate that the vPro objects (computer objects) are being created in the OU that you configured in "Site Database" -> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" during the provisioning process.  You should be able to see that the object was created by using "Active Directory Users and Computers" and browsing to the OU and then the object; you should be able to see that the vPro client object is in a healthy (no red X) state.  If the vPro object is not being created in the OU, I would double check the permissions.  This can be done by opening "Active Directory Users and Computers" for your domain, right clicking on the OU you are using to store the vPro client object, and selecting Properties (make sure "Advanced Features" under View is checked prior to selecting Properties).  Click on the Security tab and click Add; when the window appears, search for the SCCM site server computer object and select it.  Give the computer object of the SCCM Site Server full control.  Depending on your domain configuration, you may also need to click on the Advanced button for the SCCM site server computer object and ensure that "Apply onto" is set to "this object and all child objects".

                       

                       

                      Let me know if that helps.

                       

                       

                      Matt Royer

                       

                       

                       

                      • 8. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                        billc

                         

                        Hi Matt:

                         

                         

                        It seems it's a security permissions issue. I followed your guide and checked again. Actually, I can't see the computers in the OU (Out of Band Management Controllers); the computers were located in the Computers container. Even after I moved the computers into the OU, the phenomenon is the same. I configured the permissions as below. Would you help me check which one is wrong?

                         

                         

                         

                         

                         

                        OU: Out of Band Management Controllers:
                        SCCMSP1$(VPRODEMO\SCCMSP1$): Full Control, add "This object and child objects" into "Apply onto" list

                        CA Templates

                        ConfigMgr AMT Provisioning:
                        ConfigMgr Out of Band Service Points: Read, Enroll, Autoenroll

                        ConfigMgr AMT Web Service Certificate
                        ConfigMgr Primary Site Servers: Read, Enroll, Autoenroll

                         

                         

                         

                         

                         

                        Thanks!

                         

                         

                        Bill

                         

                         

                        • 9. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                          billc

                           

                          Hi Matt:

                           

                           

                          Thanks for your support. I upgraded to the new 6222 build version, changed the Web Server permission to Read and Enroll for Authenticated Users (the default is Read only), and added the Primary site server into the OU. Then it works now.

                           

                           

                           

                           

                           

                          Thanks!

                           

                           

                          Bill

                           

                           

                          • 10. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                            miroyer

                            Glad to hear it, Bill.  Thanks for working through it.

                             

                             

                             

                             

                             

                            Matt Royer

                            • 11. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                              XtrMnIO

                               

                              Hi vPro experts!! I have a similar problem with a Dell Optiplex 755 client. I checked all the requisites and they are OK (permissions, CA, OU...), but nothing happens: the client is provisioned, but I can't turn on/off/restart the client and I can't open the OOB Management Console.

                               

                               

                              What were the steps that you followed to solve this thread, please?

                               

                               

                              Thanks in advance!!

                               

                               

                               

                               

                               

                               

                               

                               

                              • 12. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                                MaraS

                                I have the same problem!

                                I have a vPro lab with SCCM SP1 and a Dell Optiplex 755 client with MEBx version 3.2.1. The client is provisioned without the SCCM agent, but when I try to power on, power off or restart, nothing happens!

                                The OOB console tries to connect but appears as disconnected.

                                 

                                 

                                Were you able to resolve it?

                                 

                                Help me, please?

                                 

                                 

                                Tks.

                                • 13. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                                  miroyer

                                   

                                  Maras,

                                   

                                   

                                  Can you provide the error messages you are seeing in <ConfigMgrInstallationPath>\Logs\amtopmgr.log and <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log?

                                  If you are not able to perform collection-based power control or connect via the Out of Band Console, there is a high potential that your certificate was not created properly. On your issuing CA, make sure you see a certificate for the vPro client and that the FQDN that the certificate was issued to is the FQDN of the vPro client.

                                   

                                   

                                   

                                   

                                   

                                  http://communities.intel.com/openport/docs/DOC-1627

                                   

                                   

                                  Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)

                                   

                                   

                                  Potential Root cause(s):

                                   

                                  • The current user logged on to the SCCM Console does not have sufficient rights to perform the desired operation.

                                  • SCCM was unable to request or issue a Web Server Certificate on behalf of the vPro client during provisioning, or the Web Server Certificate was issued to a different FQDN than the vPro client.

                                    • Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers have the appropriate permission. SCCM SP1 Help File Article: "Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx); Section: "Preparing the Web Server Certificates for AMT-Based Computers".

                                    • Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "How to Configure AMT Provisioning" (http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx); Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.
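
Added example (not part of the post above, and not Intel's or Microsoft's code): a Python check for the certificate conditions described in this thread, namely that the certificate served on port 16993 names the vPro client's FQDN rather than the site server's, and is not expired. The sample certificates are constructed; "sccmsp1.vprodemo.com" is an assumed site server FQDN, the CA file path passed to fetch_cert is supplied by the caller, and all function names are hypothetical.

```python
import socket
import ssl
import time

AMT_TLS_PORT = 16993  # port used in the thread's https:// URLs


def fetch_cert(fqdn, ca_file, port=AMT_TLS_PORT, timeout=5):
    """Fetch the certificate a live AMT client serves, as a getpeercert() dict.

    The chain is validated against ca_file (PEM of the issuing CA). Hostname
    matching is left to check_amt_cert so that a wrong-FQDN certificate is
    reported instead of aborting the handshake.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return [n.lower() for n in names]


def check_amt_cert(cert, client_fqdn, site_server_fqdn=None, now=None):
    """Return a list of problem codes; an empty list means the cert looks right."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if client_fqdn.lower() not in names:
        if site_server_fqdn and site_server_fqdn.lower() in names:
            # The case described in the thread: cert carries the site server's name.
            problems.append("ISSUED_TO_SITE_SERVER")
        else:
            problems.append("NAME_MISMATCH")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("NOT_YET_VALID")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("EXPIRED")
    return problems


# Constructed sample certificates in the dict format ssl.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("commonName", "amt-01.vprodemo.com"),),),
    "notBefore": "May 20 00:00:00 2008 GMT",
    "notAfter": "May 20 00:00:00 2009 GMT",
}
WRONG_FQDN_CERT = dict(
    GOOD_CERT, subject=((("commonName", "sccmsp1.vprodemo.com"),),)  # assumed name
)
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 10 00:00:00 2008 GMT")
SAMPLE_LATER = ssl.cert_time_to_seconds("Jun 10 00:00:00 2009 GMT")

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("wrong FQDN", WRONG_FQDN_CERT)):
        print(label, check_amt_cert(cert, "amt-01.vprodemo.com",
                                    "sccmsp1.vprodemo.com", SAMPLE_NOW))
```

Against a live client, pass the result of fetch_cert(client_fqdn, ca_file) to check_amt_cert; the CA's own list of issued certificates remains the place to confirm that a certificate was issued at all.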

                                   

                                  • 14. Re: OOB Management Console Connects to AMT-Based Computers but Does Not Display Information
                                    MaraS

                                     

                                    Hi Miroyer,

                                     

                                     

                                    I checked the permissions and they are OK.

                                     

                                    How do I check whether the CA issued the certificate to the AMT client?

                                     

                                     

                                    Is it necessary to generate and install a certificate for each AMT client?

                                     

                                     

                                    Tks,

                                     

                                     

                                    Maras

                                     

                                     
