14 Replies Latest reply on Jun 22, 2009 9:12 AM by Trevor.Sullivan

    WS-MAN translator and SCCM 2007

    mdebekker

      We have trouble configuring Out of Band management in SCCM SP1

       

      We have 400 HP DC7700p computers with AMT version 2.2.1. HP doesn’t have a firmware with version 3.2.1 for this system. We installed the Intel WS-MAN translator and configured it.

       

      The environment:

       

      ·         SCCM 2007 SP1 server with hotfix KB960804

      ·         1 Single Primary Site with one SCCM server and the OOB component installed

      ·         Windows 2008 x64

      ·         Intel WS-MAN translator version 1.0 build 00552

      ·         Provisioning certificate: GoDaddy

       

      We are unable to automatically provision an AMT client. When I configure the PSK in the BIOS of the client the provisioning succeeds, but I cannot connect with the OOB console.

       

      The computer object is created in the Active Directory Container Intel(R) Client Setup Certificate and a web certificate is enrolled for the AMT client.

       

      Once provisioned I am able to send a reboot and power down command, but a power on command fails.

       

      A portion of the amtopmgr.log

       

      >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22       4204 (0x106C)

      Provision target is indicated with SMS resource id. (MachineId = 3362 172.23.16.64)       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   4204 (0x106C)

      Found valid basic machine property for machine id = 3362.   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22       7508 (0x1D54)

      Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER       3-6-2009 15:29:22   7508 (0x1D54)

      The provision mode for device 172.23.16.64 is 1.      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Attempting to establish connection with target device using SOAP.  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22     7508 (0x1D54)

      Warning: We don't have an provision certificate with indicated hash either from hello message or client agent. SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Attempting to try all provision certificate to connect target device.     SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22 7508 (0x1D54)

      Create provisionHelper with (Hash: 9B1A915A893E4B5AC39B0483272515F6C8EA8E7F)     SMS_AMT_OPERATION_MANAGER       3-6-2009 15:29:22   7508 (0x1D54)

      Set credential on provisionHelper...    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Try to use provisioning account to connect target machine 172.23.16.64... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22 7508 (0x1D54)

      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      **** Error 0x4a2b8ac returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Fail to connect and get core version of machine 172.23.16.64 using provisioning account #0.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Try to use default factory account to connect target machine 172.23.16.64...     SMS_AMT_OPERATION_MANAGER       3-6-2009 15:29:22   7508 (0x1D54)

      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      **** Error 0x4a2b8ac returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Fail to connect and get core version of machine 172.23.16.64 using default factory account.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Try to use provisioned account (random generated password) to connect target machine 172.23.16.64...       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      **** Error 0x4a2b8ac returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Fail to connect and get core version of machine 172.23.16.64 using provisioned account (random generated password).   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 3362)  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Error: Can NOT establish connection with target device. (MachineId = 3362)       SMS_AMT_OPERATION_MANAGER       3-6-2009 15:29:22   7508 (0x1D54)

      Attempting to establish connection with target device using WSMAN. SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22     7508 (0x1D54)

      Try to use provisioning account to connect target machine 172.23.16.64... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22 7508 (0x1D54)

      Using translator for version *.   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      session params : https://AM019.AM.LAN/wstrans/dsc/eoi20/172.23.16.64/wsman   ,  41001       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Succeed to connect target machine 172.23.16.64 and core version with 2.2.1 using provisioning account #0.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Get device TLS mode is 0.  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Get device provisioning state is In Provisioning.     SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Using translator for version 2.2.1.     SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      session params : https://AM019.AM.LAN/wstrans/setup/eoi20/172.23.16.64/wsman   ,  41001       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Machine 172.23.16.64 will be added and published to AD and OU is LDAP://OU=Intel(R) Client Setup Certificate,DC=AM,DC=LAN.  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Send request to AMT proxy component to add machine 172.23.16.64 to AD.    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22 7508 (0x1D54)

      Successfully created instruction file for AMT proxy task: C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Processing provision on AMT device 172.23.16.64...    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Send request to AMT proxy component to generate client certificate. (MachineId = 3362)       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Successfully created instruction file for AMT proxy task: C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      Wait 20 seconds to find client certificate for AMT device 172.23.16.64 being generated again...       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)

      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:42       4204 (0x106C)

      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:42   4204 (0x106C)

      RETRY(1) - Validate client certificate for AMT device 172.23.16.64 being generated.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:42   7508 (0x1D54)

      Found client certificate already being generated for AMT device 172.23.16.64.    SMS_AMT_OPERATION_MANAGER       3-6-2009 15:29:42   7508 (0x1D54)

      Start 1st stage provision on AMT device 172.23.16.64. (WSMAN)      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:42     7508 (0x1D54)

      Clean Certificate store... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:42   7508 (0x1D54)

      Clean Key store...  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:43   7508 (0x1D54)

      Sync time... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:43   7508 (0x1D54)

      Set Host Name...    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:43   7508 (0x1D54)

      Set Domain Name...  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:43   7508 (0x1D54)

      Create Certificate store...       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      Set TLS Enabled...  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      Set Admin Password...      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      Using translator for version 2.2.1.     SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      session params : https://AM019.AM.LAN/wstrans/setup/eoi20/172.23.16.64/wsman   ,  41001       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      Set MEBX password...       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      Error: Failed to set MEBx Password,Password was already changed.   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44     7508 (0x1D54)

      Error: Failed to set MEBx Password,return value:16.   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      We can't set MEBx password at this time. Admin may have already changed this.    SMS_AMT_OPERATION_MANAGER       3-6-2009 15:29:44   7508 (0x1D54)

      Commit Changes...   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:44   7508 (0x1D54)

      Finished 1st stage provision on AMT device 172.23.16.64. Sleep 5 seconds for 2nd stage provision.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:45   7508 (0x1D54)

      Start 2nd stage provision on AMT device 172.23.16.64. SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:50   7508 (0x1D54)

      Using translator for version 2.2.1.     SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:50   7508 (0x1D54)

      session params : https://AM019.AM.LAN/wstrans/pro/eoi20/172.23.16.64/wsman   ,  41001       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:50   7508 (0x1D54)

      Delete existing ACLs...    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:50   7508 (0x1D54)

      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:02       4204 (0x106C)

      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:02   4204 (0x106C)

      ERROR: Invoke(invoke) failed: 80020009argNum = 0      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)

      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)

      Error: Cannot Enumerate User Acl Entries.      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)

      Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)

      Error: Can not finish WSMAN call with target device. Check if there is a winhttp proxy to block connection. (MachineId = 3362)    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)

      STATMSG: ID=7208 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=AM019 SITE=AM1 PID=4208 TID=7508 GMTDATE=Wed Jun 03 13:30:03.072 2009 ISTR0="172.23.16.64" ISTR1="pc-080080.AM.LAN" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)

      Add ACLs..   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)

      ERROR: Invoke(invoke) failed: 80020009argNum = 0      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:15   7508 (0x1D54)

      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:15   7508 (0x1D54)

      Error: failed to Add User Acl.    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:15   7508 (0x1D54)

      Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs   SMS_AMT_OPERATION_MANAGER       3-6-2009 15:30:15   7508 (0x1D54)

      Set Ping Response with true...    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:15   7508 (0x1D54)

      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:22       4204 (0x106C)

      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:22   4204 (0x106C)

      ERROR: Invoke(get) failed: 80020009argNum = 0  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:28   7508 (0x1D54)

      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:28   7508 (0x1D54)

      Error: Failed to put changes to AMT_GeneralSettings instance.      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:28     7508 (0x1D54)

      Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetPingResponse       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:28   7508 (0x1D54)

      Set Kerberos options...    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:28   7508 (0x1D54)

      ERROR: Invoke(get) failed: 80020009argNum = 0  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:41   7508 (0x1D54)

      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:41   7508 (0x1D54)

      Error: Failed to get AMT_KerberosSettingData instance.      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:41       7508 (0x1D54)

      Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetKerberosOptions       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:41   7508 (0x1D54)

      Set active power schema to  5..   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:41   7508 (0x1D54)

      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:42       4204 (0x106C)

      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:42   4204 (0x106C)

      ERROR: Invoke(invoke) failed: 80020009argNum = 0      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:53   7508 (0x1D54)

      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:53   7508 (0x1D54)

      Error: Failed to Set Active Power Scheme.      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:53   7508 (0x1D54)

      Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetActivePowerScheme       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:53   7508 (0x1D54)

      Enable WebUI with true..   SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:53   7508 (0x1D54)

      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:02       4204 (0x106C)

      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:02   4204 (0x106C)

      ERROR: Invoke(invoke) failed: 80020009argNum = 0      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:06   7508 (0x1D54)

      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:06   7508 (0x1D54)

      Error: Failed to Invoke AMT_WebUIService::RequestStateChange_INPUT Action.       SMS_AMT_OPERATION_MANAGER       3-6-2009 15:31:06   7508 (0x1D54)

      Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::EnabledWebUI       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:06   7508 (0x1D54)

      Enable SOL with true and IDER with true..      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:06   7508 (0x1D54)

      ERROR: Invoke(invoke) failed: 80020009argNum = 0      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19   7508 (0x1D54)

      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19   7508 (0x1D54)

      Error: AMT_RedirectionService Invoke RequestStateChange failed: hr = 0x80338012  SMS_AMT_OPERATION_MANAGER       3-6-2009 15:31:19   7508 (0x1D54)

      Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetEnabledInterfaceSOLIDER. Check and enable IDER/SOL option in ME BIOS settings.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19   7508 (0x1D54)

      Finished 2nd stage provision on AMT device 172.23.16.64.    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19       7508 (0x1D54)

      Finished provision on AMT device 172.23.16.64 with configuration code (254)!     SMS_AMT_OPERATION_MANAGER       3-6-2009 15:31:19   7508 (0x1D54)

      CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Link provisioned AMT machine with current profile' SID=2 MUF=0 PCNT=5, P1='33' P2='2009-06-03 13:31:19' P3='1' P4='1' P5='2.2.1'       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19   7508 (0x1D54)

      CStateMsgReporter::DeliverMessages - Created state message file: C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\if1o86gg.SMX     SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19 7508 (0x1D54)

      >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19   7508 (0x1D54)

        • 1. Re: WS-MAN translator and SCCM 2007
          Trevor.Sullivan

          Hello,

           

          Sorry to hear about your provisioning troubles. Keep in mind that, while troubleshooting this situation, first-stage AMT provisioning is actually handled by ConfigMgr. What this means is that you should see a successful connection to the AMT device, and first-stage provisioning should complete, before you ever see the WS-MAN Translator come into play.

           

          With that in mind, could you please validate the following?

           

          • Forward (A) and reverse (PTR) DNS records for the client with IP 172.23.16.64
          • DHCP option 15 configuration

           

          You will need an A record that contains the client's hostname, and this record should exist in the DNS zone that matches up with the domain that your ConfigMgr OOB service point is in. (e.g. sccmsp1.childdomain.domain1.com, and vproclient.childdomain.domain1.com)

           

          Likewise, the PTR record representing the client's IP address should point to the client's FQDN (vproclient.childdomain.domain1.com)

           

          Your DHCP configuration should include option 15, whose value should match the DNS name of your Active Directory domain where the ConfigMgr OOB service point is installed. (e.g. childdomain.domain1.com).

           

          From my experience, these are two common configuration problems that have caused the InitializeSecurityContext and ApplyControlToken errors that you're seeing in your amtopmgr.log file.

           

          Please post back with your results!

           

          Thanks,

           

          Trevor Sullivan

          Systems Engineer

          OfficeMax Corporation

          • 2. Re: WS-MAN translator and SCCM 2007
            mdebekker

            Hi Trevor,

             

            Thank you for your reply. DHCP is configured with option 15 and DNS is configured correctly. The client has an A record and a PTR record.

             

            Any other ideas?

             

            Merijn

            • 3. Re: WS-MAN translator and SCCM 2007
              Trevor.Sullivan

              Hi Merijn,

               

              If you have already messed around with provisioning one of these devices, I would suggest trying a factory reset of the firmware. This can be achieved by removing power and the CMOS battery from the system.

               

              Are all of your systems experiencing this behavior, and if so, are they all experiencing the same symptoms? From your log file, it appears that at least one system got farther than the one with the errors.

               

              Trevor Sullivan

              Systems Engineer

              OfficeMax Corporation

              • 4. Re: WS-MAN translator and SCCM 2007
                miroyer

                From your post it sounds like you enabled PSK (setting a PID/PPS pair in the MEBx), but then tried to provision the AMT client using the SCCM client Agent.

                 

                PSK provisioning is not natively supported by ConfigMgr and must depend on the Intel WS-MAN translator. Because PSK provisioning is not natively supported, Agent based provisioning (which only supports PKI provisioning) will not work. If you are trying to provision the AMT client using PSK, you must provision the client through Out of Band provisioning; this can be accomplished by importing the client through "Import Out of Band Computers" and then having the Out of Band Service Point receive a PSK hello packet from the AMT client.

                 

                In terms of Trevor’s comment on first stage provision...  Independent of AMT firmware version, SCCM will perform first stage provisioning natively when using PKI; however, when trying to provision with PSK, SCCM will forward the first stage provisioning request to the Intel WS-MAN Translator.

                 

                Looking at your AMTOpMgr.log, it appears that first stage provisioning did complete; however, since it was kicked over to the translator I would need to see the translator log for more clarification; second stage provisioning is full of errors, which makes me believe first stage did not complete successfully. If second stage provisioning did not complete successfully, you will have trouble with the AMT use cases.

                 

                Since you have a PKI provisioning certificate from GoDaddy, I would recommend the following….

                 

                1.     On the AMT client you are testing, perform a Full Unprovision within the MEBx.

                2.     Ensure the AMT client is set to PKI provisioning.  PKI provisioning is the default provisioning mode.

                3.     Using the SCCM agent with Auto Provisioning enabled, try provisioning again.

                 

                 

                --Matt Royer
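
The reading of the posted amtopmgr.log given in this reply (the connection and first stage go through over WS-MAN, the second stage is a run of failed calls) can be extracted from the log mechanically. The Python below is an added example, not part of the original thread and not ConfigMgr code; `summarize`, the `ProvisionTask` fields and the trimmed sample (lines copied from the log in the first post) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Columns of an amtopmgr.log line as pasted in the thread:
# <message> <component> <d-m-yyyy> <hh:mm:ss> <thread id> (<hex thread id>)
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+\d{1,2}-\d{1,2}-\d{4}\s+"
    r"\d{2}:\d{2}:\d{2}\s+(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$")
TRANSPORT_RE = re.compile(r"establish connection with target device using (\w+)")
FAILED_ACCOUNT_RE = re.compile(r"^Fail to connect .* using (.+?)\.$")
FAILED_CALL_RE = re.compile(r"Fail to call AMTWSManUtilities::(\w+)")
CONFIG_CODE_RE = re.compile(r"with configuration code \((\d+)\)")


@dataclass
class ProvisionTask:  # hypothetical summary record for one provision task
    thread: str
    failed_accounts: dict = field(default_factory=dict)  # transport -> accounts
    tls_handshake_errors: int = 0
    connected_via: Optional[str] = None
    stage1_finished: bool = False
    stage2_finished: bool = False
    failed_calls: dict = field(default_factory=dict)  # stage number -> calls
    config_code: Optional[int] = None


def summarize(log_text):
    """Return one ProvisionTask per 'Provision task begin' block."""
    tasks, current, transport, stage = [], None, None, 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg, tid = m["msg"].strip(), m["tid"]
        if "Provision task begin" in msg:
            current, transport, stage = ProvisionTask(thread=tid), None, 0
            tasks.append(current)
        elif current is None or tid != current.thread:
            continue  # interleaved lines from other worker threads
        elif "Provision task end" in msg:
            current = None
        elif (t := TRANSPORT_RE.search(msg)):
            transport = t[1]
        elif "InitializeSecurityContext" in msg:
            current.tls_handshake_errors += 1
        elif (a := FAILED_ACCOUNT_RE.match(msg)):
            current.failed_accounts.setdefault(transport, []).append(a[1])
        elif msg.startswith("Succeed to connect target machine"):
            current.connected_via = transport
        elif msg.startswith("Start 1st stage provision"):
            stage = 1
        elif msg.startswith("Finished 1st stage provision"):
            current.stage1_finished = True
        elif msg.startswith("Start 2nd stage provision"):
            stage = 2
        elif msg.startswith("Finished 2nd stage provision"):
            current.stage2_finished = True
        elif (c := FAILED_CALL_RE.search(msg)):
            current.failed_calls.setdefault(stage, []).append(c[1])
        elif (k := CONFIG_CODE_RE.search(msg)):
            current.config_code = int(k[1])
    return tasks


# Sample input: lines copied from the log in the first post, trimmed.
SAMPLE_LOG = """
>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   4204 (0x106C)
Attempting to establish connection with target device using SOAP.  SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22     7508 (0x1D54)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)
Fail to connect and get core version of machine 172.23.16.64 using provisioning account #0.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)
Fail to connect and get core version of machine 172.23.16.64 using default factory account.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)
Attempting to establish connection with target device using WSMAN. SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22     7508 (0x1D54)
Succeed to connect target machine 172.23.16.64 and core version with 2.2.1 using provisioning account #0.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:22   7508 (0x1D54)
Start 1st stage provision on AMT device 172.23.16.64. (WSMAN)      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:42     7508 (0x1D54)
Finished 1st stage provision on AMT device 172.23.16.64. Sleep 5 seconds for 2nd stage provision.       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:45   7508 (0x1D54)
Start 2nd stage provision on AMT device 172.23.16.64. SMS_AMT_OPERATION_MANAGER  3-6-2009 15:29:50   7508 (0x1D54)
Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::DeleteACLs       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:03   7508 (0x1D54)
Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs   SMS_AMT_OPERATION_MANAGER       3-6-2009 15:30:15   7508 (0x1D54)
Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::SetKerberosOptions       SMS_AMT_OPERATION_MANAGER  3-6-2009 15:30:41   7508 (0x1D54)
Finished 2nd stage provision on AMT device 172.23.16.64.    SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19       7508 (0x1D54)
Finished provision on AMT device 172.23.16.64 with configuration code (254)!     SMS_AMT_OPERATION_MANAGER       3-6-2009 15:31:19   7508 (0x1D54)
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<      SMS_AMT_OPERATION_MANAGER  3-6-2009 15:31:19   7508 (0x1D54)
"""

if __name__ == "__main__":
    for task in summarize(SAMPLE_LOG):
        print("thread", task.thread, "connected via", task.connected_via)
        print("  TLS handshake errors:", task.tls_handshake_errors)
        print("  accounts that failed:", task.failed_accounts)
        print("  stage 1 / stage 2 finished:", task.stage1_finished, task.stage2_finished)
        print("  failed calls by stage:", task.failed_calls)
        print("  configuration code:", task.config_code)
```

On the sample, both stages log "Finished" while the second stage still lists failed `AMTWSManUtilities` calls, so the "Finished" lines alone are not a success signal when triaging this log.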

                • 5. Re: WS-MAN translator and SCCM 2007
                  mdebekker

                  I tried to provision a machine, which has never been configured before.

                  I'm unable to connect to the machine. Attached are the logs.

                   

                  When I try to discover the management controller of a client, the AMT version is not detected.

                   

                  Any ideas??

                  • 6. Re: WS-MAN translator and SCCM 2007
                    miroyer

                    It does not appear that you are getting past the initial authentication, and the remote configuration certificate is critical to that step. The first thing I would recommend is validating your remote configuration certificate using the process identified here http://blogs.msdn.com/steverac/archive/2009/05/18/tool-to-verify-amt-certificates.aspx. Use "cscript CertValidator.vbs 1 <certificatefile> <certificatepassword>".

                     

                    I'm also assuming that your option 15 in your environment is set to AM.LAN and this is the domain the certificate was issued to?  AMT will use option 15 to validate the provisioning certificate.

                     

                    --Matt Royer

                    • 7. Re: WS-MAN translator and SCCM 2007
                      Trevor.Sullivan

                      Agreed with Matt about first-stage authentication.

                       

                      The critical things to check are:

                       

                      • DHCP option 15
                      • Forward/reverse lookup records
                      • Root CA hash of your provisioning certificate (not to be confused with the hash of the provisioning certificate itself)

                       

                      Also, does your firewall configuration allow ports 16992 - 16995 and 9971?

                       

                      Trevor Sullivan

                      Systems Engineer

                      OfficeMax Corporation

                      • 8. Re: WS-MAN translator and SCCM 2007
                        mdebekker

                        When I check the certificate I get:

                         

                        Copyright (C) Microsoft Corporation. All rights reserved.

                        ERROR:  Expected server auth value was NOT found
                        in the certificate.  Server auth value should be
                        (1.3.6.1.5.5.7.3.1) in order for the certificate
                        to be valid.

                        ERROR:  Expected OID AND expected Subject fields
                        NOT found in the certificate

                        ERROR:  Expected Key Length value was NOT found in
                        the certificate.  Key length should be either 1024,
                        1536 or 2048 bits to be valid

                        Thumbprint check:  PASSED!

                        Certificate Starting Date Validity check:  PASSED!

                        Certificate Expiration check:  PASSED!

                        ERROR:  Private key NOT found in certificate!

                         

                        When I open the certificate I see Server and Client Authentication is listed under Enhanced Key Usage

                        I'm sure that I selected "export private key" when creating the pfx file

                        The subject - OU contains: Intel(R) Client Setup Certificate

                        Key length is: 1024

                         

                        DNS Option 15 is configured to: AM.LAN

                        No ports on the firewall are closed between the server and the client

                        • 9. Re: WS-MAN translator and SCCM 2007
                          Trevor.Sullivan

                          Are you absolutely sure that the certificate OU name is spelled correctly? Can you double and triple check it? Are there any spaces in it at all? This is absolutely critical for remote provisioning through ConfigMgr to occur properly.

                           

                          Perhaps you could post some screenshots of the certificate properties? At least the certificate chain appears to be validating, otherwise you wouldn't be returned a validated hash.

                           

                          Trevor Sullivan

                          Systems Engineer

                          OfficeMax Corporation

                          • 10. Re: WS-MAN translator and SCCM 2007
                            mdebekker

                            Attached the screenshots.

                            • 11. Re: WS-MAN translator and SCCM 2007
                              mdebekker

                              When manually provisioning an AMT client a warning message is logged in the event log of the OOB service point:

                               

                              Log Name:      System
                              Source:        Schannel
                              Date:          10-6-2009 11:09:07
                              Event ID:      36875
                              Task Category: None
                              Level:         Warning
                              Keywords:      Classic
                              User:          N/A
                              Computer:      AM019.AM.LAN
                              Description:
                              The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings.
                              Event Xml:
                              <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
                                <System>
                                  <Provider Name="Schannel" />
                                  <EventID Qualifiers="32768">36875</EventID>
                                  <Level>3</Level>
                                  <Task>0</Task>
                                  <Keywords>0x80000000000000</Keywords>
                                  <TimeCreated SystemTime="2009-06-10T09:09:07.000Z" />
                                  <EventRecordID>69279</EventRecordID>
                                  <Channel>System</Channel>
                                  <Computer>AM019.AM.LAN</Computer>
                                  <Security />
                                </System>
                                <EventData>
                                </EventData>
                              </Event>

                              • 12. Re: WS-MAN translator and SCCM 2007
                                Trevor.Sullivan

                                Merijn,

                                 

                                From your screenshots, the provisioning certificate does appear to be correct, assuming there isn't any white space after the verbiage in the OU name (I don't know if this is even possible, or if it's truncated).

                                 

                                As a next step, I would suggest that you reset the CMOS on the client by pulling power and the CMOS battery for roughly 10 seconds. This will reset the firmware to factory defaults, and may resolve the issue.

                                 

                                Trevor Sullivan

                                Systems Engineer

                                OfficeMax Corporation

                                • 13. Re: WS-MAN translator and SCCM 2007
                                  mdebekker

                                  Hi Trevor,

                                   

                                  I was out of the office last week, so I couldn't reply to your post.

                                  I already tried to reset the machine to the factory defaults, but no results. The provisioning still fails.

                                  I also opened a case with Microsoft, I hope they can help.

                                   

                                  Any other ideas?

                                  • 14. Re: WS-MAN translator and SCCM 2007
                                    Trevor.Sullivan

                                    Merijn,

                                     

                                    During a provisioning attempt, what are you seeing in your oobmgmt.log file on the AMT client? This log file should be in your %WINDIR%\System32\ccm\logs folder, if you have not changed the logging location from the default.


                                    I'm afraid I'm starting to run out of suggestions. Without having had experience on the 64-bit platform, I really don't know whether or not there could be some sort of compatibility issue with AMT provisioning in ConfigMgr.

                                     

                                    Trevor Sullivan

                                    Systems Engineer

                                    OfficeMax Corporation