3 Replies Latest reply on Aug 26, 2011 11:58 AM by jhans

    Server unexpectedly disconnected when TLS handshaking.

    jhans

      Hi

       

      I'm searching for a solution regarding the above error. I have already crawled through a lot of threads. We use SCCM to do an in-bound provisioning.

       

      DHCP is set up with options 6 and 15 in place

      Provisioning certificate and also the web certificate are prepared

      AMT is detected but not provisioned.

      PC was unprovisioned multiple times

      CMOS reset tested

      We use our own certificate root so hash was added.

      OOBM server is Windows 2008 R2

       

       

      Here is the provisioning log. Original domain name is replaced by X.Y.Z. !!!!

       

      >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Provision target is indicated with SMS resource id. (MachineId = 306 PC1167466W7.X.Y.Z)    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Found valid basic machine property for machine id = 306.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Warning: Currently we don't support mutual auth. Change to TLS server auth mode.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      The provision mode for device PC1167466W7.X.Y.Z is 1.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      AMT Provision Worker: 1 task(s) are sent to the task pool successfully.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    39124 (0x98D4)
      AMT Provision Worker: Wait 20 seconds...    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    39124 (0x98D4)
      Check target machine (version 5.2.10) is a SCCM support version. (TRUE)    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      The IP addresses of the host PC1167466W7.X.Y.Z are 140.100.4.20.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Attempting to establish connection with target device using SOAP.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Found matched certificate hash in current memory of provisioning certificate    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Create provisionHelper with (Hash: 966D32ADFEE1F8A52CD0E36D27EDDEEC251BC2DD)    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Set credential on provisionHelper...    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Try to use provisioning account to connect target machine PC1167466W7.X.Y.Z...    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Server unexpectedly disconnected when TLS handshaking.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      **** Error 0x4e5b1f0 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Fail to connect and get core version of machine PC1167466W7.X.Y.Z using provisioning account #0.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Try to use default factory account to connect target machine PC1167466W7.X.Y.Z...    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Server unexpectedly disconnected when TLS handshaking.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      **** Error 0x4e5b1f0 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Fail to connect and get core version of machine PC1167466W7.X.Y.Z using default factory account.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Try to use provisioned account (random generated password) to connect target machine PC1167466W7.X.Y.Z...    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Server unexpectedly disconnected when TLS handshaking.    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      **** Error 0x4e5b1f0 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Fail to connect and get core version of machine PC1167466W7.X.Y.Z using provisioned account (random generated password).    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 306)    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      Error: Can NOT establish connection with target device. (MachineId = 306)    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    63016 (0xF628)
      >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:50    63016 (0xF628)

       

       

      Any ideas how to solve this issue, or maybe an idea how to further troubleshoot it?

       

      Thanks in advance

      Joachim
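Added example, not part of the original thread and not SCCM's own tooling: a small Python summarizer for log lines in the layout posted above. It groups lines by thread id (the worker-pool thread interleaves with the task thread) and records, per provisioning task, which accounts were tried and whether each attempt ended with the TLS handshake message. The sample lines and host name are constructed; `summarize` and its field names are hypothetical.

```python
import re

# Constructed sample in the quoted log's layout (message, component, timestamp, thread); host is made up.
F, T = "    SMS_AMT_OPERATION_MANAGER    17.01.2011 13:30:49    ", "63016 (0xF628)"
SAMPLE = "\n".join(m + F + t for m, t in [
    (">>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<", T),
    ("AMT Provision Worker: Wait 20 seconds...", "39124 (0x98D4)"),
    ("Found matched certificate hash in current memory of provisioning certificate", T),
    ("Try to use provisioning account to connect target machine HOST1.example.test...", T),
    ("Server unexpectedly disconnected when TLS handshaking.", T),
    ("**** Error 0x4e5b1f0 returned by ApplyControlToken", T),
    ("Fail to connect and get core version of machine HOST1.example.test using provisioning account #0.", T),
    ("Try to use default factory account to connect target machine HOST1.example.test...", T),
    ("Server unexpectedly disconnected when TLS handshaking.", T),
    ("Fail to connect and get core version of machine HOST1.example.test using default factory account.", T),
    (">>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<", T),
])

LINE = re.compile(r"^(?P<msg>.*?)\s{2,}(?P<comp>SMS_\w+)\s{2,}"
                  r"(?P<ts>\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d)\s{2,}(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)\s*$")
TRY = re.compile(r"^Try to use (?P<acct>.+?) to connect target machine (?P<host>\S+?)\.\.\.$")
ERR = re.compile(r"Error (0x[0-9a-fA-F]+) returned by (\w+)")

def summarize(log_text):
    """Return one summary dict per provisioning task, grouping lines by thread id."""
    open_tasks, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m and "Provision task begin" in m["msg"]:
            open_tasks[m["tid"]] = {"thread": m["tid"], "host": None, "hash_matched": False, "attempts": []}
        task = open_tasks.get(m["tid"]) if m else None
        if task is None:
            continue  # blank line, or a line from a thread with no open task
        msg, t, e = m["msg"], TRY.match(m["msg"]), ERR.search(m["msg"])
        if t:  # a new credential attempt starts here
            task["host"] = t["host"]
            task["attempts"].append({"account": t["acct"], "tls_drop": False, "error": None})
        elif msg.startswith("Found matched certificate hash"):
            task["hash_matched"] = True
        elif "disconnected when TLS handshaking" in msg and task["attempts"]:
            task["attempts"][-1]["tls_drop"] = True
        elif e and task["attempts"]:
            task["attempts"][-1]["error"] = e.group(1)
        elif "Provision task end" in msg:
            task["all_dropped_in_tls"] = bool(task["attempts"]) and all(a["tls_drop"] for a in task["attempts"])
            done.append(open_tasks.pop(m["tid"]))
    return done

print(summarize(SAMPLE))
```
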

        • 1. Re: Server unexpectedly disconnected when TLS handshaking.
          kdharber

          In the context that you are seeing it, this error is usually the result of a problem with the provisioning certificate. However, from the log it looks like that part was successful.  The failure happened when attempting to connect with provisioning account.  When you added the custom certificate hash for your network into MEBX, did you change the password to something that matches the SCCM provisioning account?  It looks like there might be a password mismatch.

           

          Does this happen with just this client or does it happen with all clients?

           

          Did you make any changes to SCCM during the successful and unsuccessful provisioning attempts?

          • 2. Re: Server unexpectedly disconnected when TLS handshaking.

            Were you guys able to solve this? I am having the exact same scenario with the exact same issue. Please help.

            • 3. Re: Server unexpectedly disconnected when TLS handshaking.
              jhans

              Hi

               

              It's solved in our environment, but I can't remember exactly what solved this issue. The whole AMT stuff is, let's say, quite complex. I changed so many settings that in the end I am unable to provide a solution for this dedicated issue.

               

              Because we use SCCM and Intel AMT, it's often a timing issue. If the certificates are correct and the user/password is also set up correctly in SCCM, it can take a while, because the client creates a one-time password which is used by SCCM to connect to the machine. The one-time password is created on the client side, has to be updated in the database, and the provisioning process has to be initiated. The process is initiated once a day, as I remember, but you can force it via sendsched and the code {00000000-0000-0000-0000-000000000120}.

               

              My recommendation would be:

               

              1) double check the certificates

              2) double check the password entered in SCCM if you use SCCM

              3) take a break for at least one day

              4) use the sendsched script or exe to initiate the AMT cycle

               

               

              Regards

              Joachim