7 Replies Latest reply on Sep 10, 2008 11:27 PM by billc

    SCCM SP1 (6221) provision account question

    billc

       

      Matt:

      I hit one issue with the provisioning account. Below is log data from AMTOPMGR.LOG. It indicates that SCCM uses a "provisioning account" to connect to the target machine. What does that mean? The ME admin or an SCCM account?

       

       

      >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.107 2008 中国标准时间><thread=4488 (0x1188)>

      The provision mode for device 192.168.10.35 is 1.  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.220 2008 中国标准时间><thread=4488 (0x1188)>

      Attempting to establish connection with target device using SOAP.  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.220 2008 中国标准时间><thread=4488 (0x1188)>

      Set credential on provisionHelper...  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.220 2008 中国标准时间><thread=4488 (0x1188)>

      Try to use provisioning account to connect target machine 192.168.10.35...  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.220 2008 中国标准时间><thread=4488 (0x1188)>

      Try to use provisioning account to connect target machine 192.168.10.35...  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.220 2008 中国标准时间><thread=4488 (0x1188)>

      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.252 2008 中国标准时间><thread=4488 (0x1188)>

            • Error 0x92bb95c returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.252 2008 中国标准时间><thread=4488 (0x1188)>

      Fail to connect and get core version of machine 192.168.10.35 using provisioning account #0.  $$<SMS_AMT_OPERATION_MANAGER><星期三 九月 03 16:10:07.252 2008 中国标准时间><thread=4488 (0x1188)>

       

       

       

       

       

      Thanks!

      Bill

       

       

        • 1. Re: SCCM SP1 (6221) provision account question
          miroyer

          Bill,

          What make, model, and firmware version are you trying to provision? It is hard for me to assess the situation since I'm not seeing all the error codes in your post. Have you referenced the following thread to see if this is your issue? Is the AMT status coming back as detected?

          http://communities.intel.com/openport/blogs/microsoft-vpro/2008/08/19/intel-amt-321-selfsigned-certificate-issue-and-working-around-it-for-microsoft-system-configuration-manager-sp1

          --Matt Royer

           

           

          • 2. Re: SCCM SP1 (6221) provision account question
            billc

             

            Firmware is 3.2.1 and the provisioning model is Enterprise/PKI. It seems AMT gets a connection with SCCM SP1 because the client shows a provisioning record, but not all operations complete successfully and SCCM SP1 only detected AMT. What does "provisioning account" mean?

            Thanks!

            Bill

             

             

            • 3. Re: SCCM SP1 (6221) provision account question
              billc

               

              Hi Matt:

              I checked your link. It seems that the instructions are for the AMT SMB model with MS SCCM SP1 + Intel WS-translator. But my customer uses the enterprise PKI model. Does it help?

              Thanks!

              Bill

               

               

              • 4. Re: SCCM SP1 (6221) provision account question
                miroyer

                 

                Bill,

                In regards to the "Provisioning Account" question, please reference the following from Microsoft: http://technet.microsoft.com/en-us/library/cc431409.aspx

                The instructions listed in the previous post show you how to provision / unprovision to fix the self-signed certificate issue, either locally using SMB mode or remotely with a VB Script through the WS-MAN Translator.

                --Matt Royer

                • 5. Re: SCCM SP1 (6221) provision account question
                  billc

                  Below is the detailed error log; see the error marked in red. The error code is a little different from the one in your link.

                   

                   

                   

                   

                   

                  AMT Provision Worker: 1 task(s) are sent to the task pool successfully.~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.316 2008 中国标准时间><thread=684 (0x2AC)>

                  Provision target is indicated with SMS resource id. (MachineId = 6502 192.168.10.66)  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.316 2008 中国标准时间><thread=7176 (0x1C08)>

                  AMT Provision Worker: Wait 20 seconds...  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.316 2008 中国标准时间><thread=684 (0x2AC)>

                  Found valid basic machine property for machine id = 6502.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.316 2008 中国标准时间><thread=7176 (0x1C08)>

                  Warning: Currently we don't support mutual auth. Change to TLS server auth mode.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.316 2008 中国标准时间><thread=7176 (0x1C08)>

                  The provision mode for device 192.168.10.66 is 1.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.332 2008 中国标准时间><thread=7176 (0x1C08)>

                  Attempting to establish connection with target device using SOAP.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.332 2008 中国标准时间><thread=7176 (0x1C08)>

                  Found matched certificate hash in current memory of provisioning certificate  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.332 2008 中国标准时间><thread=7176 (0x1C08)>

                  Create provisionHelper with (Hash: BB43E326CF5E7B41B132F91626B254F0D4FFC57A)  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.332 2008 中国标准时间><thread=7176 (0x1C08)>

                  Set credential on provisionHelper...  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.332 2008 中国标准时间><thread=7176 (0x1C08)>

                  Try to use provisioning account to connect target machine 192.168.10.66...  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.332 2008 中国标准时间><thread=7176 (0x1C08)>

                  Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.363 2008 中国标准时间><thread=7176 (0x1C08)>

                        • Error 0x457b95c returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.363 2008 中国标准时间><thread=7176 (0x1C08)>

                  Fail to connect and get core version of machine 192.168.10.66 using provisioning account #0.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.363 2008 中国标准时间><thread=7176 (0x1C08)>

                  Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.379 2008 中国标准时间><thread=7176 (0x1C08)>

                        • Error 0x457b95c returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.379 2008 中国标准时间><thread=7176 (0x1C08)>

                  Fail to connect and get core version of machine 192.168.10.66 using provisioning account #1.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.394 2008 中国标准时间><thread=7176 (0x1C08)>

                  Try to use default factory account with MEBX password to connect target machine 192.168.10.66...  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.394 2008 中国标准时间><thread=7176 (0x1C08)>

                  Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.410 2008 中国标准时间><thread=7176 (0x1C08)>

                        • Error 0x457b95c returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.410 2008 中国标准时间><thread=7176 (0x1C08)>

                  Fail to connect and get core version of machine 192.168.10.66 using default factory account with MEBX password.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.410 2008 中国标准时间><thread=7176 (0x1C08)>

                  Try to use default factory account to connect target machine 192.168.10.66...  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.410 2008 中国标准时间><thread=7176 (0x1C08)>

                  Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.441 2008 中国标准时间><thread=7176 (0x1C08)>

                        • Error 0x457b95c returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.441 2008 中国标准时间><thread=7176 (0x1C08)>

                  Fail to connect and get core version of machine 192.168.10.66 using default factory account.  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.441 2008 中国标准时间><thread=7176 (0x1C08)>

                  Try to use provisioned account (random generated password) to connect target machine 192.168.10.66...  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.441 2008 中国标准时间><thread=7176 (0x1C08)>

                  Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.473 2008 中国标准时间><thread=7176 (0x1C08)>

                        • Error 0x457b95c returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.473 2008 中国标准时间><thread=7176 (0x1C08)>

                  Fail to connect and get core version of machine 192.168.10.66 using provisioned account (random generated password).  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.473 2008 中国标准时间><thread=7176 (0x1C08)>

                  Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 6502)  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.473 2008 中国标准时间><thread=7176 (0x1C08)>

                  Error: Can NOT establish connection with target device. (MachineId = 6502)  $$<SMS_AMT_OPERATION_MANAGER><Fri Sep 05 13:36:17.473 2008 中国标准时间><thread=7176 (0x1C08)>
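An added example (not part of any post in this thread, and not Microsoft or Intel code): a parser for the AMTOPMGR.log line layout quoted above that groups each failed connection attempt by the credential tried and checks whether every credential failed on the same `InitializeSecurityContext` error, which points at the TLS handshake rather than at any one account. The sample lines are constructed from the messages in the log above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout seen in the thread: "<message>  $$<component><timestamp><thread=N (0xHEX)>"
LINE = re.compile(r"^(?P<msg>.*?)\s*\$\$<(?P<comp>[^>]*)><(?P<ts>[^>]*)>"
                  r"<thread=(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)>$")
ERR = re.compile(r"Error (0x[0-9A-Fa-f]+) returned by (\w+)")
FAIL = re.compile(r"Fail to connect and get core version of machine (\S+) using (.+?)\.$")

def credential_attempts(log_text):
    """Return {device_ip: [(credential, {api: error_code}), ...]} in log order."""
    pending = defaultdict(dict)   # thread id -> errors seen since the last result line
    attempts = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # blank line or text that is not a log record
        msg, tid = m["msg"], m["tid"]
        err, fail = ERR.search(msg), FAIL.search(msg)
        if err:
            pending[tid][err[2]] = err[1].lower()
        elif fail:
            attempts[fail[1]].append((fail[2], pending.pop(tid, {})))
    return dict(attempts)

def fails_before_auth(tries):
    """True when several different credentials all stop on the same TLS handshake
    error, i.e. which credential was tried made no difference to the outcome."""
    codes = {errs.get("InitializeSecurityContext") for _, errs in tries}
    return len(tries) > 1 and len(codes) == 1 and None not in codes

def _line(msg, tid=7176):         # builds one constructed sample record
    return (f"{msg}  $$<SMS_AMT_OPERATION_MANAGER>"
            f"<Fri Sep 05 13:36:17.363 2008><thread={tid} (0x{tid:X})>")

# Constructed sample: the credential order and messages follow the log above.
CREDS = ["provisioning account #0", "provisioning account #1",
         "default factory account with MEBX password", "default factory account"]
SAMPLE = "\n".join(
    rec for cred in CREDS for rec in (
        _line("Error 0x80090304 returned by InitializeSecurityContext "
              "during follow up TLS handshaking with server.~"),
        _line("Error 0x457b95c returned by ApplyControlToken~"),
        _line(f"Fail to connect and get core version of machine 192.168.10.66 using {cred}.")))

if __name__ == "__main__":
    for ip, tries in credential_attempts(SAMPLE).items():
        print(ip, [c for c, _ in tries], "handshake failure:", fails_before_auth(tries))
```
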

                  • 6. Re: SCCM SP1 (6221) provision account question
                    billc

                     

                    Just checked the difference between the lab (the lab environment provisions the vPro machine successfully) and the real environment and found 2 differences. English SCCM SP1 includes KB955355 and KB956337, but Chinese SCCM SP1 does not include them and only includes KB94xxxx. We checked the MS web site and did not find a Chinese hotfix; MS only provides an English version. Can we use the EN hotfix on Simplified Chinese Windows 2003 + Chinese SCCM 2007 SP1? The customer is worried about it and is stuck on it. So can the hotfix solve the provisioning issue?

                    Thanks!

                    Bill

                     

                     

                     

                     

                     

                     

                     

                     

                    • 7. Re: SCCM SP1 (6221) provision account question
                      billc

                       

                      The problem was solved. We need to open DNS scope 006 and 015 DNS Domain Name port.

                      Thanks!

                      bill