Certificate Error Provisioning All AMT Devices
Trevor.Sullivan Jan 14, 2009 5:33 PM
Hey guys,
I have a brand new Dell Optiplex 755 running BIOS A11 and AMT Firmware 3.2.1. I'm having trouble provisioning it. Everything works up until the certificate request is made from our certificate server, however. I'm getting the below messages in the amtproxymgr.log (not amtopmgr.log) on the ConfigMgr site server.
I had one of the guys on our server team check out the certificate server, and it is creating multiple certificates for the same client, and automatically approving them (as is proper), but for some reason, the site server is rejecting the certificate during the verification of the certificate chain. Our internal root CA certificate is in the Trusted Root CA store on the site server, and I have successfully provisioned other clients before.
I have also verified that this is not the self-signed certificate issue, because I have manually unprovisioned the device in SMB mode, and also pulled the CMOS battery to reset back to factory defaults. The same behavior is persisting.
DNS also is not a problem, as I have verified the forward and reverse records for the client from the site server. DHCP option 15 is also set properly. If either of these were the issue, we wouldn't be getting as far as we are in the provisioning process.
Found instruction file: D:\SMS\inboxes\amtproxymgr.box\{50830F19-8E2D-410A-A75B-EC5F0A32F96E}.apx
Processing Instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;
Request certificate task begin to read Site Control File.
Changes to the site control file settings detected.
Request certificate task success to read parameters from Site Control File.
Request certificate task success to connect to the SQL database.
ERROR: CertCreateCertificateContext failed: 0x80093102, msg=ASN1 unexpected end of data.~
Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary.
Request certificate task disConnected to the SQL database.
INFO: Enter process request 1
INFO: Save Request
INFO: Add new request
Certificate for vproclient.vprodemo.com has been retrieved.
ERROR: CertGetCertificateChain(...) failed: 0x1000040
ERROR: HandleDisposition failed: the root certificate of the CA is not at the Trust List!
INFO: Enter process request 3
INFO: Delete Request
INFO: Request to delete found
STATMSG: ID=7601 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_PROXY_COMPONENT" SYS=PROVSERVER SITE=123 PID=8536 TID=2220 GMTDATE=Thu Jan 08 21:28:22.411 2009 ISTR0="vproclient.vprodemo.com" ISTR1="certserver.vprodemo.com" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
Failed to run instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;
Finished Executing Instruction: RCT 1;1;62151;3.2.1;vproclient.vprodemo.com;SMS_AMT_OPERATION_MANAGER_PROV;
Thanks,
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
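
An added example, not part of the original post and not ConfigMgr code: a small triage script that pulls the CertGetCertificateChain failure out of amtproxymgr.log lines and decodes the logged value. It assumes the value is the chain's CERT_TRUST_STATUS dwErrorStatus bit mask; the flag values are from wincrypt.h, and the function names are made up for this example.

```python
import re

# CERT_TRUST_STATUS.dwErrorStatus flags from wincrypt.h (CERT_TRUST_ prefix dropped).
# Subset only; any other bit is reported as UNKNOWN_0x....
FLAGS = {
    0x1: "IS_NOT_TIME_VALID", 0x2: "IS_NOT_TIME_NESTED",
    0x4: "IS_REVOKED", 0x8: "IS_NOT_SIGNATURE_VALID",
    0x10: "IS_NOT_VALID_FOR_USAGE", 0x20: "IS_UNTRUSTED_ROOT",
    0x40: "REVOCATION_STATUS_UNKNOWN", 0x80: "IS_CYCLIC",
    0x100: "INVALID_EXTENSION", 0x200: "INVALID_POLICY_CONSTRAINTS",
    0x400: "INVALID_BASIC_CONSTRAINTS", 0x800: "INVALID_NAME_CONSTRAINTS",
    0x10000: "IS_PARTIAL_CHAIN", 0x1000000: "IS_OFFLINE_REVOCATION",
    0x2000000: "NO_ISSUANCE_CHAIN_POLICY", 0x4000000: "IS_EXPLICIT_DISTRUST",
}
RETRIEVED = re.compile(r"Certificate for (\S+) has been retrieved")
CHAIN_ERR = re.compile(r"CertGetCertificateChain\(\.\.\.\) failed: 0x([0-9A-Fa-f]+)")

def decode_trust_status(value):
    """Split a dwErrorStatus mask into flag names, lowest bit first."""
    names, bit = [], 1
    while bit <= value:
        if value & bit:
            names.append("CERT_TRUST_" + FLAGS.get(bit, "UNKNOWN_0x%X" % bit))
        bit <<= 1
    return names

def chain_failures(log_lines):
    """Pair each chain failure with the host whose certificate was just retrieved."""
    host, results = None, []
    for line in log_lines:
        m = RETRIEVED.search(line)
        if m:
            host = m.group(1)
            continue
        m = CHAIN_ERR.search(line)
        if m:
            code = int(m.group(1), 16)
            results.append((host, code, decode_trust_status(code)))
    return results

# Lines copied from the log in the post above.
SAMPLE = [
    "INFO: Add new request",
    "Certificate for vproclient.vprodemo.com has been retrieved.",
    "ERROR: CertGetCertificateChain(...) failed: 0x1000040",
    "ERROR: HandleDisposition failed: the root certificate of the CA is not at the Trust List!",
]

if __name__ == "__main__":
    for host, code, flags in chain_failures(SAMPLE):
        print(host, hex(code), ", ".join(flags))
```

Under that assumption, 0x1000040 decodes to the two revocation-checking flags and does not include CERT_TRUST_IS_UNTRUSTED_ROOT (0x20).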