3 Replies Latest reply on Jun 16, 2011 9:57 AM by dbrunton

    SCCM 2007 R2, AMT vPRO

    braddo

      Private certificate installed 2008 CA

      Certs installed and OOB configured in SCCM

       

      Windows 7 machine, HP DC7800

      Exists in AD in Out of Band Management OU

       

      Added Hash into BIOS, and set mebx password to match SCCM setup

      Log from PC - oobmgmt.log

      BEGIN oobmgmt 2/06/2011 4:07:44 PM 3684 (0x0E64)
      Retrying to activate the device. oobmgmt 2/06/2011 4:07:44 PM 3684 (0x0E64)
      Resending last OTP oobmgmt 2/06/2011 4:07:44 PM 3684 (0x0E64)
      Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = 99C6D88E95C1ABCEA8EB593C6E633AA99CC404C1, RetryCount = 1 oobmgmt 2/06/2011 4:07:44 PM 3684 (0x0E64)
      Successfully activated the device. oobmgmt 2/06/2011 4:07:44 PM 3684 (0x0E64)
      Upload manufacturing data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, Root Certificate Hash = BBB207F3734D31182FC72EA24E4675C31764D4F4, AMT Core Version = 3.0.1 oobmgmt 2/06/2011 4:07:44 PM 3684 (0x0E64)
      END oobmgmt 2/06/2011 4:07:44 PM 3684 (0x0E64)

       

      Log from server amtopmgr.log

      RETRY(5) - Validate client certificate for AMT device TAC8205.site.tomago.com.au being generated. SMS_AMT_OPERATION_MANAGER 2/06/2011 4:21:51 PM 6288 (0x1890)
      Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certficate is required. (MachineId = 4194) SMS_AMT_OPERATION_MANAGER 2/06/2011 4:21:51 PM 6288 (0x1890)
      Error: Can't finish provision on AMT device TAC8205.site.tomago.com.au with configuration code (0)! SMS_AMT_OPERATION_MANAGER 2/06/2011 4:21:52 PM 6288 (0x1890)

        • 1. Re: SCCM 2007 R2, AMT vPRO
          dbrunton

          Which cert hash did you enter into the MEBx?  The hash for the actual provisioning cert, or the hash for your root CA that issued the cert?  In order for everything to work, you have to enter the has of the root CA.

           

          -Dan

          • 2. Re: SCCM 2007 R2, AMT vPRO

            the CA Hash has been entered

            we have the machines in AD

            and they show provisioned in SCCM, but cannot connect to the management console

            • 3. Re: SCCM 2007 R2, AMT vPRO
              dbrunton

              Have you tried power control operations?

               

              Right click on a provisioned system, select "Out of Band Management" then "Power Control".

               

              While the OOB Management Console uses Kerberos authentication, these power control commands use the digest user.  If the power control commands work, that tells us that there's a problem with Kerberos authentication.  If the power controls commands do not work, that's usually a sign that there's something wrong with the TLS cert assigned to AMT.

               

              If the power control command does work, I recommend checking the AMT OU you are using in Active Directory to make sure that there are objects there for your provisioned systems.

               

              -Dan