6 Replies Latest reply on May 12, 2011 4:25 PM by dbrunton

    ws-man translator certificates on IIS7

    stepland

      Hi, I can find the instructions in the Intel AMT guide on how to generate a certificate request on the SCCM server for the WS-MAN translator on IIS 6, but cannot find the instructions on how to generate one in IIS7.

       

      My SCCM server sits on MS Server 2008 with IIS7.

       

      Also, once generated, do I need to purchase a certificate for the WS-MAN translator to run?

       

      Can someone provide complete instructions on how to do this with the SCCM/Server 08/IIS7 combo?

       

      Thanks

       

      Stéphane

        • 1. Re: ws-man translator certificates on IIS7
          dbrunton

          So certificates work with the WS-MAN translator in a couple of ways.

           

          1) You can use a cert to secure the web server that the WS-MAN translator is running from.

          2) You will need to provide the WS-MAN translator with a copy of the provisioning cert that you either generated yourself, or purchased.

           

          As for number one above, the cert for securing your website, you would typically request that from an internal CA following a process like the one documented here: http://technet.microsoft.com/en-us/library/cc731014(WS.10).aspx.  You will choose this cert when you see the "Select TLS/Forwarding Options" screen in the WS-MAN setup.

           

          For number two, when you run through the configuration for the WS-MAN translator, it will prompt you to supply your current provisioning cert on the "Import Common Setup Certificate" screen.  You do not need a separate one.

           

          Does this help?

          • 2. Re: ws-man translator certificates on IIS7

            OK, I installed it with option 2 as you mentioned, as I have a provisioning cert already installed and working; all AMT versions I have that are 3.2 and up are provisioned.

             

            After installing the WS-MAN translator, most of my clients with AMT version 3.2 and lower come up as "detected"?

             

            Is there another log besides the oobmgmt log that I can check? If so, where is it?

             

            One of the clients under 3.2 is an HP dc7800 (AMT version 3.0.1); the others are dc7700s (AMT version 2.1.4).

             

            Also, should the WS-MAN translator service be running all the time? After installing, it was set to automatic... does it just start as needed?

             

            Here is the OOB log from the dc7700 with a "Failed to Call CheckCertificate provider method" message:

             

<![LOG[BEGIN]LOG]!><time="16:35:55.143+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="amtprovisionendpoint.cpp:825">
<![LOG[Retrying to activate the device.]LOG]!><time="16:35:55.268+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="amtprovisionendpoint.cpp:398">
<![LOG[Raising event:
[SMS_CodePage(850), SMS_LocaleID(4105)]
instance of SMS_OOBMgmt_StartConfig_Failure
{
    ClientID = "GUID:8A52E3D9-2301-404C-8BC4-492DE941E685";
    DateTime = "20110503193555.299000+000";
    ErrorCode = "1";
    FailureCategory = "Failed to enumerate certificate hash, please check if the BIOS contains valid certificates.";
    MachineName = "WLAB105094E";
    ProcessID = 280;
    SiteCode = "LAB";
    ThreadID = 3052;
};
]LOG]!><time="16:35:55.299+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="event.cpp:525">
<![LOG[Successfully submitted event to the Status Agent.]LOG]!><time="16:35:55.315+180" date="05-03-2011" component="oobmgmt" context="" type="0" thread="3052" file="event.cpp:543">
<![LOG[Failed to Call CheckCertificate provider method, 80041001]LOG]!><time="16:35:55.315+180" date="05-03-2011" component="oobmgmt" context="" thread="3052" file="amtprovisionendpoint.cpp:412">
<![LOG[END]LOG]!><time="16:35:55.346+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="amtprovisionendpoint.cpp:881">

             

             

            Let me know.

             

            Many thanks
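
As an added example (not part of the thread, and not Microsoft's or Intel's code), here is a small Python parser for the CMTrace record format that oobmgmt.log uses in the excerpt above. It pulls the SMS_OOBMgmt_StartConfig_Failure status event out of the multi-line "Raising event:" record (machine name, client GUID, ErrorCode, FailureCategory) and decodes the trailing HRESULT on the "Failed to Call CheckCertificate provider method" line. That HRESULT, 0x80041001, is WBEM_E_FAILED, WMI's generic "provider method failed" code, so it carries no diagnosis on its own; the useful detail is the FailureCategory raised a few milliseconds earlier. The sample log is constructed from the records posted above; the triage hint table is an assumption drawn from how this thread was resolved, not a Microsoft mapping.

```python
"""Parse SCCM CMTrace-format log records and pull out AMT provisioning failures.

Added example for this thread, not code from the original posts or from
Microsoft/Intel. SAMPLE_LOG is constructed from the oobmgmt.log excerpt above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
# The message may span several lines (the "Raising event:" record does), hence DOTALL.
ENTRY_RE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Fields of the WMI status event inside a "Raising event:" message,
# e.g.    FailureCategory = "Failed to enumerate certificate hash, ...";
FIELD_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"?([^"\n;]*)"?;', re.MULTILINE)
# Trailing HRESULT on error lines, e.g. "...provider method, 80041001"
HRESULT_RE = re.compile(r",\s*(?:0x)?([0-9A-Fa-f]{8})$")

# 0x80041001 is WBEM_E_FAILED, WMI's generic failure; the real reason is the
# status event raised just before it, not this code.
KNOWN_HRESULTS = {0x80041001: "WBEM_E_FAILED (generic WMI provider failure)"}

# Triage hints keyed on FailureCategory substrings. ASSUMPTION: the cert-hash
# hint reflects this thread's resolution (firmware update), not a vendor table.
TRIAGE_HINTS = {
    "enumerate certificate hash": "AMT did not return its trusted root hashes; check the MEBx "
        "certificate list and the AMT firmware version (this thread needed 2.2+ on AMT 2.1.x).",
}


@dataclass
class Entry:
    message: str
    date: str
    time: str
    component: str
    severity: Optional[int]  # CMTrace type: 1 info, 2 warning, 3 error; absent on some lines
    thread: str
    source: str              # the file="..." attribute, e.g. amtprovisionendpoint.cpp:412


def parse_entries(text: str):
    """Split a CMTrace log into Entry records, tolerating multi-line messages."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        sev = attrs.get("type")
        entries.append(Entry(
            message=m.group("msg").strip(),
            date=attrs.get("date", ""), time=attrs.get("time", ""),
            component=attrs.get("component", ""),
            severity=int(sev) if sev is not None else None,
            thread=attrs.get("thread", ""), source=attrs.get("file", ""),
        ))
    return entries


def extract_event(entry: Entry):
    """Return class name and fields of a 'Raising event:' WMI status event, else None."""
    if not entry.message.startswith("Raising event:"):
        return None
    cls = re.search(r"instance of (\w+)", entry.message)
    fields = dict(FIELD_RE.findall(entry.message))
    fields["__class__"] = cls.group(1) if cls else ""
    return fields


def summarize(text: str):
    """Collect *_Failure status events and HRESULT error lines from an oobmgmt.log excerpt."""
    report = {"entries": 0, "failures": [], "hresults": []}
    for e in parse_entries(text):
        report["entries"] += 1
        ev = extract_event(e)
        if ev and ev["__class__"].endswith("_Failure"):
            cat = ev.get("FailureCategory", "")
            hint = next((h for k, h in TRIAGE_HINTS.items() if k in cat), "")
            report["failures"].append({
                "event": ev["__class__"], "machine": ev.get("MachineName", ""),
                "client_id": ev.get("ClientID", ""), "error_code": ev.get("ErrorCode", ""),
                "category": cat, "hint": hint, "when": f"{e.date} {e.time}",
            })
        hm = HRESULT_RE.search(e.message)
        if hm:
            code = int(hm.group(1), 16)
            report["hresults"].append({
                "message": e.message[:hm.start()], "code": f"0x{code:08X}",
                "meaning": KNOWN_HRESULTS.get(code, "unknown HRESULT"), "source": e.source,
            })
    return report


# Constructed sample: the records posted above, joined back into consecutive lines.
SAMPLE_LOG = """<![LOG[BEGIN]LOG]!><time="16:35:55.143+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="amtprovisionendpoint.cpp:825">
<![LOG[Retrying to activate the device.]LOG]!><time="16:35:55.268+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="amtprovisionendpoint.cpp:398">
<![LOG[Raising event:
[SMS_CodePage(850), SMS_LocaleID(4105)]
instance of SMS_OOBMgmt_StartConfig_Failure
{
    ClientID = "GUID:8A52E3D9-2301-404C-8BC4-492DE941E685";
    DateTime = "20110503193555.299000+000";
    ErrorCode = "1";
    FailureCategory = "Failed to enumerate certificate hash, please check if the BIOS contains valid certificates.";
    MachineName = "WLAB105094E";
    ProcessID = 280;
    SiteCode = "LAB";
    ThreadID = 3052;
};
]LOG]!><time="16:35:55.299+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="event.cpp:525">
<![LOG[Successfully submitted event to the Status Agent.]LOG]!><time="16:35:55.315+180" date="05-03-2011" component="oobmgmt" context="" type="0" thread="3052" file="event.cpp:543">
<![LOG[Failed to Call CheckCertificate provider method, 80041001]LOG]!><time="16:35:55.315+180" date="05-03-2011" component="oobmgmt" context="" thread="3052" file="amtprovisionendpoint.cpp:412">
<![LOG[END]LOG]!><time="16:35:55.346+180" date="05-03-2011" component="oobmgmt" context="" type="1" thread="3052" file="amtprovisionendpoint.cpp:881">
"""

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for f in r["failures"]:
        print(f"{f['when']} {f['machine']} {f['event']}: {f['category']}\n  hint: {f['hint']}")
    for h in r["hresults"]:
        print(f"{h['source']}: {h['message']} -> {h['code']} {h['meaning']}")
```

Point it at a whole oobmgmt.log rather than the excerpt and the failures list gives one row per client that failed to start configuration, grouped by FailureCategory, which is a quicker way to see how many of the 700 machines are stuck on the same cause than reading the log in CMTrace.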

            • 3. Re: ws-man translator certificates on IIS7
              dbrunton

              Let's focus on your DC7700s first. They will need to have their firmware updated to AMT 2.2+ to support SCCM. You should be able to find the appropriate firmware package at HP's website.

               

              As for your DC7800 running 3.0.1, I recommend updating to the latest firmware version available from HP as well. It resolves known compatibility problems with AMT 3.x and SCCM.

               

              The WS-MAN translator should always be running.

              • 4. Re: ws-man translator certificates on IIS7
                stepland

                OK, I am starting to update the AMT versions tonight... I have about 700 total of 7700s and 7800s. This might take a few days as I am doing this in stages, and next week I am on the operational queue and not on projects, so if I don't reply for a week or so I will get back to you eventually.

                 

                In the meantime I have 3 small questions:

                 

                1. Can you fully un-provision a PC and reset the MEBx password remotely with VBS, PowerShell or something else?

                 

                2. Do you have documentation on how the auto un-provision should work when a PC is removed from AD or the SCCM DB... does the AD object get deleted, the web cert issued to that PC, etc.?

                 

                3. When testing in the lab, how can you force the provisioning process to start on a particular PC?

                 

                Many thanks

                 

                Stéphane

                • 5. Re: ws-man translator certificates on IIS7
                  stepland

                  Hi Dan, can you or someone else answer the 3 questions I posted a while back while I finish updating the AMT version on all my 7700s and 7800s?

                   

                  Thanks, man

                   

                  Stéphane

                  • 6. Re: ws-man translator certificates on IIS7
                    dbrunton

                    My apologies for the delay in getting back to you.

                     

                    1. Can you fully un-provision a PC and reset the MEBx password remotely with VBS, PowerShell or something else?

                     

                    The MEBx password can only be changed remotely when you are provisioning the system.

                     

                    2. Do you have documentation on how the auto un-provision should work when a PC is removed from AD or the SCCM DB... does the AD object get deleted, the web cert issued to that PC, etc.?

                     

                    If a provisioned system's record is deleted from SCCM, its AD object will remain in place. It should only be deleted if you unprovision the system from SCCM. If the system is deleted from SCCM, the remote admin password will be deleted with it, preventing SCCM from being able to remotely manage AMT. If this occurs you can use the unprovision utility along with a Kerberos account to unprovision AMT remotely.

                     

                    3. When testing in the lab, how can you force the provisioning process to start on a particular PC?

                     

                    Yes, you can use a WMI call to the SCCM agent to accelerate the process.  Take a look at this blog entry for details.