Here are some things to double check.
Within "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management", ensure that the Kerberos user you are trying to connect with has the appropriate rights.
On your Certificate Authority that issues AMT certs for provisioning, make sure a cert was issued to your AMT clients. If it was not, ensure that the "Out of Band Management" component configuration is set to use that CA and template, along with having the appropriate permission to request the cert.
Ensure the client object was created in the AD OU you specified in the "Out of Band Management" component configuration. If it is not there, you need to adjust your permissions on the OU so that the SCCM computer object (what SMS Exec runs under) has access to add items to that OU.
Either one of these can give you that symptom. Double check for me and let me know what you find.
Thanks for your help. Would you clarify where to add the Kerberos user in SCCM? Originally, I only added the "domain/administrator" user in "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management->AMT settings->AMT user accounts". Do I need to add the "Domain/admin" user to the list? Originally, I added administrator and admin to "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management->Provisioning settings->AMT provisioning and Discovery Accounts". Would you clarify where to add AMT users?
Second, I checked the AMT machine and found that provisioning was successful, and SCCM indicated it's provisioned. I can see the remote menu in SCCM. When I use IE to connect to the AMT machine with https://<ip address>:16993, the AMT machine responds with the logon homepage. When I log on with the admin user, it always asks me for the "<IP address>/admin" password. Does it mean that the Certificate Authority that issues AMT certs for provisioning did not issue one to my AMT clients? How do I check whether the CA issued the certificate to the AMT client?
The last question is about Kerberos clock tolerance (minutes). I saw the "Kerberos clock tolerance (minutes)" item at the bottom of "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management->AMT settings". Its default value is 5. What does it mean?
For the TLS connection to work correctly, you should be connecting through the web browser with the FQDN and not the IP address of the vPro client (https://client.domain.com:16993). Although it should not matter, try adding a digest account via "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning Settings". Once you do that, right click on the vPro client and select "Out of Band Management" -> "Update Provisioning Data in Management Controller Memory". After you update the management controller, try running the OOB Console again.
To give us a little more error reporting, change the error level of the Out of Band Console to "Verbose". This can be done by modifying "Error" to "Verbose" in the following file: c:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config
I met the same issue. Here is the log info. Please tell me the reason why the OOB console cannot connect to AMT. Thanks.
[2008-5-21 16:37:18] :Executing WQL: 'SELECT SMS_R_System.NetbiosName, SMS_R_System.AMTFullVersion, SMS_R_System.ResourceNames from SMS_R_System where SMS_R_System.AMTStatus=3 and SMS_R_System.ResourceId=87'
[2008-5-21 16:37:18] :IMR_Init with C:\Program Files\Microsoft Configuration Manager\AdminUI\bin\imrsdk.ini success with Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.IMRVersion.
liuxpa, can you try the following...
Add a separate provisioning account by going to "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning Settings" tab; just create an account, something like "testaccount", with a password. Once you do that, right click on the vPro client and select "Out of Band Management" -> "Update Provisioning Data in Management Controller Memory". After waiting about a minute, try running the OOB Console again.
Like I mentioned above, this should not be necessary; however, I would like to see if this makes any difference for you.
I followed your guide and double checked "Site Database"->"Site Manager"->"Site Server Name"->"Site Settings"->"Component Configuration"->"Out of Band Management"->"Provisioning settings", added the admin, administrator and AMTtest users to the accounts, and ran "Update the Provisioning Data in Management Controller Memory", but I still can't see any AMT information in the OOB console. I can remotely power on/off/restart the machine, but I can't see the AMT data in the console. Is it a Kerberos user issue?
On the other hand, I used IE to connect to the AMT machine with the FQDN <https://amt-01.vprodemo.com;16993>. I can see the logon homepage, but it always asks me to log on with a user and password. I am sure I typed in the correct user (I tried admin, AMTtest), but it still does not work. The situation is the same as with <https://192.168.0.100;16993>. I think the issue is the same as the console problem above. Do you have any suggestions for the settings? What can I check in the setup?
There are 2 additional things I would recommend double checking.
The first is that a certificate for the vPro client (in your case amt-01.vprodemo.com) was issued by the Certification Authority defined within "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" and is not expired. If you are able to connect to https://amt-01.vprodemo.com:16993 (or the FQDN of the client having the issues) without being issued a warning by Internet Explorer that the certificate is invalid, the certificate should be fine; however, I would double check on your CA that the certificate was actually issued for the FQDN of your vPro client (make sure you view the certificate detail and confirm). If it wasn't, you need to ensure that your Enterprise CA is configured within the Out of Band Management Component Configuration and that the computer account (the computer name object) that the Site Server is running under has Read, Enroll, and Autoenroll for the Certificate Template that is used to issue the cert. Note that I have seen issues where a cert was generated but was given the FQDN of the SCCM site server if the permissions were not set correctly, and this cert is then pushed to the vPro client with the wrong FQDN in the certificate.
The second thing is to validate that the vPro objects (computer objects) are being created, during the provisioning process, in the OU that you configured in "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management". You should be able to see that the object was created by using "Active Directory Users and Computers" and browsing to the OU and then the object; you should be able to see that the vPro client object is in a healthy (no red X) state. If the vPro object is not being created in the OU, I would double check the permissions. This can be done by opening "Active Directory Users and Computers" for your domain, right clicking on the OU you are using to store the vPro client object, and selecting Properties (make sure "Advanced Features" under View is checked prior to selecting Properties). Click on the Security tab and click Add; when the window appears, search for the SCCM site server computer object and select it. Give the computer object of the SCCM Site Server full control. Depending on your domain configuration, you may also need to click on the Advanced button for the SCCM site server computer object and ensure that "Apply onto" is set to "this object and all child objects".
Let me know if that helps.
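The certificate check described in the reply above, as an added example that is not part of the original thread: it reads the certificate the vPro client presents on port 16993 and reports whether it names the client's FQDN, is within its validity period, and chains to a CA the workstation trusts. The function name `Test-AmtCertificate` is hypothetical; it assumes the workstation can reach the client and trusts the issuing enterprise CA.

```powershell
# Added example, not from the thread. Test-AmtCertificate is a hypothetical name.
function Test-AmtCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,  # FQDN of the vPro client, not its IP
        [int]$Port = 16993                            # AMT TLS port used in the thread
    )
    $ErrorActionPreference = 'Stop'   # abort on a failed connect or handshake

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        # Accept whatever is presented so that a wrong or expired certificate can
        # still be read; name, validity and chain are judged explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }

    # DnsName returns the first DNS subject alternative name, or the subject CN
    # when the certificate carries no such extension.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $issuedTo = $cert.GetNameInfo($nameType, $false)

    # Build the chain against the local trust store; revocation is skipped so the
    # result reflects only trust in the issuing CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainTrusted = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        Requested        = $Fqdn
        IssuedTo         = $issuedTo
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        NameMatches      = ($issuedTo -ieq $Fqdn)
        InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainTrusted     = $chainTrusted
    }
}

# Host name taken from the thread; substitute the FQDN of the client under test.
Test-AmtCertificate -Fqdn 'amt-01.vprodemo.com'
```

A result with `NameMatches` false and `IssuedTo` showing the site server's FQDN is the mis-issued certificate case described above.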
It seems it's a security permissions issue. I followed your guide and checked again. Actually, I can't see the computers in the OU (Out of Band Management Controllers); the computers were located in the Computers container. Even after I moved the computers into the OU, the phenomenon is the same. I configured the permissions as below. Would you help me check which one is wrong?
OU: Out of Band Management Controllers:
SCCMSP1$(VPRODEMO\SCCMSP1$): Full Control, add "This object and child objects" into "Apply onto" list
ConfigMgr AMT Provisioning:
ConfigMgr Out of Band Service Points: Read, Enroll, Autoenroll
ConfigMgr AMT Web Service Certificate:
ConfigMgr Primary Site Servers: Read, Enroll, Autoenroll
Hi vPro experts!! I have a similar problem with a Dell Optiplex 755 client. I checked all the requisites and they are OK (permissions, CA, OU...), but nothing happens: the client is provisioned, but I can't turn on/off/restart the client and I can't open the OOB Management Console.
What were the steps that you followed to solve this thread, please?
Thanks in advance!!
I have the same problem!
I have a vPro lab with SCCM SP1 and a Dell Optiplex 755 client with MEBx version 3.2.1. The client is provisioned without the SCCM agent, but when I try to power on, off, or restart, nothing happens!
The OOB console tries to connect but appears as disconnected.
Were you able to resolve it?
Help me, please?
Can you provide the error messages you are seeing in <ConfigMgrInstallationPath>\Logs\amtopmgr.log and <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log?
If you are not able to perform collection based power control or connect via the Out of Band Console, there is a high potential that the problem is that your certificate was not created. On your issuing CA, make sure you see a certificate for the vPro client and that the FQDN that the certificate was issued to is the FQDN of the vPro client.
Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)
Potential Root cause(s):
The current user logged on to the SCCM Console does not have sufficient rights to perform the desired operation.
Verify that the user you are logged on with is listed, or is in a Kerberos group that is listed, in the AMT User Account list. SCCM SP1 Help File Article: "How to Configure AMT Settings and AMT User Accounts" (http://technet.microsoft.com/en-us/library/cc161918(TechNet.10).aspx); Section: "To configure AMT settings and AMT User Accounts".
SCCM was unable to request or issue a Web Server Certificate on behalf of the vPro client during provisioning, or the Web Server Certificate was issued to a different FQDN than the vPro client.
Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers have the appropriate permission. SCCM SP1 Help File Article: "Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx); Section: "Preparing the Web Server Certificates for AMT-Based Computers".
Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "How to Configure AMT Provisioning" (http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx); Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.