6 Replies Latest reply on Aug 23, 2013 3:48 PM by

    Certificate Problem with SCS 8.2

    TKremer

      Hello,

      after having some difficulty implementing OOB with SCCM 2012, I tried SCS 8.2.
      I used the Intel SCS 8 and MS ConfigMgr v40 Guide and the SCS 8.2 User Guide to build my solution.

      It started to work but ends with the following error:

      Initial connection to the Intel(R) AMT device failed. A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. The SSL handshake failed because of an unsupported, unverified, or corrupt certificate.

      We use ACM_Configure_SCCM.bat for client configuration.
      The client machine is provisioned after that, and the MEBx has all the data it needs.
      The oobmgmt.log on the machine states that the device is already provisioned, and the Intel Std Mgt console also shows me that the client is provisioned.
      I checked the Webserver template and the AMT Provisioning certificate to sort out the error.
      After that had no effect, I revoked and deleted them.
      I then replaced them with newly created certificates, using the Microsoft guide to build the templates for Server 2012. After a new enrollment the error still looks the same.
      I'm not sure which certificate could be wrong, because the first contact works and the client gets its provisioning data.
      The XML file for the provisioning shows the right certification issuer and the complete data.
      A computer object is created in the AD OU.

      Does anyone have an idea where I could look to solve this error?
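A diagnostic I would run from the RCS server against the handshake error quoted above. This is an added script, not part of the thread and not Intel SCS code; it assumes the AMT device serves TLS on port 16993 and uses the client host name from the thread's output as a sample value, and it lists provisioning certificates by the OU value the thread mentions.

```powershell
# Added diagnostic, not from the thread or from Intel SCS.
# Assumptions: the AMT device listens for TLS on port 16993 and the
# provisioning certificate lives in the local machine's Personal store.
param(
    [string]$AmtHost = 'TestWS4275.Testumgebung.Testingen.de',  # sample host from the thread's output
    [int]$AmtTlsPort = 16993
)

# Fetch the certificate the AMT device presents and build its chain locally,
# so the reason behind "unsupported, unverified, or corrupt certificate" becomes visible.
function Get-AmtTlsCertificateReport {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented here; validation is done explicitly below.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL/OCSP is usually not reachable for AMT certs
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            CnMatches   = ($cert.Subject -like "*CN=$HostName*")   # AMT FQDN expected in the subject CN
            ChainBuilds = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally { $client.Close() }
}

# The thread states the provisioning certificate's OU must read "Intel(R) Client Setup Certificate";
# list the certificates in the local store that carry that OU and have a private key.
function Get-ProvisioningCertificateCandidates {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match 'OU=Intel\(R\) Client Setup Certificate' -and $_.HasPrivateKey } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Get-AmtTlsCertificateReport -HostName $AmtHost -Port $AmtTlsPort | Format-List
Get-ProvisioningCertificateCandidates | Format-Table -AutoSize
```

A ChainStatus other than NoError (for example UntrustedRoot or PartialChain) points at the CA chain rather than at SCS, and an empty candidate list means the RCS cannot find a provisioning certificate with the required OU.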

        • 1. Re: Certificate Problem with SCS 8.2

          Questions:

          1. Can you state what vendor you purchased your provisioning certificate from?
          2. Was the issue that some systems are being provisioned without issue, but some are failing…or that all began failing…or that systems appear to be provisioned successfully, but configuration logs just have mysterious errors?
          3. The certificate template needed to provision with SCCM 2012 is incompatible with the template needed to provision with SCS. Specifically, SCCM 2012 requires the subject names to be built from AD. For SCS the template must be configured for ‘Supply in the request’.
          4. If you are using ACM_Configure_SCCM.bat, you don’t need an XML.
          5. Please paste the output of ACM_Configure_SCCM.bat showing the error.
            • 3. Re: Certificate Problem with SCS 8.2
              TKremer

              Hello Kyle,
              thanks for your answer.

              1. We purchased our provisioning certificate from Verisign. The OU field is in the correct format and states
              Intel(R) Client Setup Certificate.

              2. We are not able to provision any system. I tried it with three test clients, but none of them worked.

              3. Do you mean the AMT Provisioning template or the Webserver template? I checked the Webserver template; it had the 'Supply in the request' setting. I changed the setting in the AMT Provisioning template, but that led to another error.

              Failed to submit the certificate request to the Certification Authority. template-ConfigMgrAMTWebServerCertificate: Certificate request failed with error -2147024809- The parameter is incorrect..Intel(R) AMT Operation failed. (Request Certificate).

              I changed it back to the 'Build from AD - User principal name' setting.

              Now I get a new error.

              Final status of Intel(R) AMT is unknown because a failure occurred when configuring the system. The RCS failed to validate the supplied One Time Password (OTP) for PKI configuration against the Intel(R) AMT system. Please make sure that the supplied OTP is the OTP that is configured in the Intel AMT system.

              We have disabled the 'OTP required' setting in the SCS Console, so I don't know why the system is looking for this password. The clients are standard machines without any special BIOS settings.

              4. The XML file is automatically created by the ACM_Configure_SCCM script; we don't use it for provisioning. It seems more like a log file to me.

              5. Here is the error that is shown in the ACM_Configure_SCCM.bat cmd window at the moment.

              Connected to the Intel(R) Management Engine Interface driver, version 5.2.0.1008

              Activate Intel(R) AMT configuration: (0xc0000050) (Success. )
              Waiting for FW to move to In-Provision state(0)...
              The Start configuration operation completed successfully.
              ***** END StartConfigurationInt ******

              RCSaddress=Testserver10.Testumgebung.Testingen.de, RCSMIUser=, RCSProfileName=
              SCCM_AMT_PROFILE
              Success. (0) ((ExecMethod WMI_GetNetworkSettings) Success. )
              TestWS4275.Testumgebung.Testingen.de
              RCSaddress=Testserver10.Testumgebung.Testingen.de, RCSMIUser=, UUID=6F3DB970-5
              698-DE7B-5060-00199985160B, ConfigMode=2, PID=, RCSProfileName=SCCM_AMT_PROFILE,
              AMTVersion=5.0.1, OldADOU=, Configure AMT Name= True. Configure AMT IPv4= True.
              Source For AMT Name= Host Name- TestWS4275 Domain Name- Testumgebung.Testingen
              .de . Default OS Name= Host Name- TestWS4275 Domain Name- Testumgebung.Testingen
              n.de . Configure AMT IPv4 to DHCP mode= True. AMT IPv4= IPv4 Address- 10.37.135.
              86 .
              Final status of Intel(R) AMT is unknown because a failure occurred when configur
              ing the system. (0xc000271b) ((ExecMethod WMI_ConfigAMT) Final status of Intel(R
              ) AMT is unknown because a failure occurred when configuring the system.  (0xc00
              0271b). The RCS failed to validate the supplied One Time Password (OTP) for PKI
              configuration against the Intel(R) AMT system. Please make sure that the supplie
              d OTP is the OTP that is configured in the Intel AMT system.  (0xc00007db).  (0x
              c000271b). )
              ***** END RemoteConfiguration ******


              ***********

              Exit with code 75.
              Details: Failed to complete remote configuration of this Intel(R) AMT device. Fi
              nal status of Intel(R) AMT is unknown because a failure occurred when configurin
              g the system.  (0xc000271b). The RCS failed to validate the supplied One Time Pa
              ssword (OTP) for PKI configuration against the Intel(R) AMT system. Please make
              sure that the supplied OTP is the OTP that is configured in the Intel AMT system
              .  (0xc00007db). The RCS failed to process the request.

              The certificate error from before hasn't appeared again, because it seems to have some problems with the OTP now. The only thing I tried between the two errors was the change in the certificate.

              • 4. Re: Certificate Problem with SCS 8.2

                Sorry for the delay.

                1. I don’t follow your post. This is for the AMT TLS certificate NOT for the provisioning certificate.  In the beginning you had ‘supply in the request’ or ‘build from AD’ set? What is set now?
                2. OTP errors can be hard to fix.  They are valid for a certain amount of time, so waiting a day can make it work. Also doing an unconfigure operation from MEBX can work.  Do you get OTP errors on all your test clients?
                    • 7. Re: Certificate Problem with SCS 8.2
                      TKremer

                      Hi Kyle,

                      1. To be sure I'm talking about the right certificate: the AMT TLS certificate is created from the Webserver template, is that right? If that's the case, the Subject Name is set to 'Supply in the request' at the moment. It was set to 'Build from...DNS name' before, but we changed it.

                      If the TLS certificate is created from another template, please let me know.

                      Up to now we have the Verisign server certificate for the first contact, the Webserver template and the AMT Provisioning template. We built them following the instructions for SCCM 2007.

                      Are there any more certificates or templates we need?

                      Under SCCM 2007 it worked great with these templates. SCCM 2012 generated some unusual errors, so we tried to provision the clients with SCS 8.2.

                      2. We get the OTP error from two clients; the third seems to have had some problems with the unprovisioning under SCCM 2007 and gives us a hash error because the server name and certificate changed.

                      The OTP error stays even after some days of waiting.

                      Actually the provisioning seems to start, because the AD object is being generated and we find the proper data in the MEBx after the error occurred. But managing the client afterwards is not possible because SCS counts the provisioning as an error.

                      • 8. Re: Certificate Problem with SCS 8.2

                        Ok, good.

                        You have it right: Verisign certificate for initial contact, then AMT's TLS certificate will use the WebServer template.

                        SCCM 2007 requires 'supply in the request'. SCCM 2012 requires 'build from AD'...so it makes sense you got errors.

                        It's strange that you're seeing OTP errors, but the system is provisioned. If you provisioned these systems, the MEBX password will remain set after unprovisioning, so you might have a false positive. The AD objects may have been left over from SCCM. Verify the creation\modify dates and make sure they match.

                        I'll try to get you a better solution for OTP issues. In the meantime, forward me the RCS log segment matching the provisioning time. It's located on the RCS server at Program Data\Intel_Corporation\RCSServer.

                        • 9. Re: Certificate Problem with SCS 8.2
                          TKremer


                          Sorry for the late answer, I was away for some days.

                          After the weekend I tried to configure the clients again to have a fresh RCS log.

                          Surprisingly it worked on two of my clients, and they are now shown with the status 'configured' in the SCS console. Perhaps the OTP error really needed some time to resolve.

                          Now I only have to get SCCM 2012 to recognize the clients to manage them.

                          On the other clients I found that the unprovisioning under SCCM 2007 must have gone wrong, and they are partly provisioned with an old certificate from a server that doesn't exist anymore. The ACM_Unconfigure_SCCM task isn't working either.
                          Do you perhaps know a way to reset the clients without logging manually into the MEBX? I fear that there are some more around.

                          • 10. Re: Certificate Problem with SCS 8.2

                            OTPs: Good to see that they're gone.

                            SCCM 2012 discovery: Ensure that the clients are configured in TLS mode and make sure the SCCM 2012 machine account has admin privileges to AMT.

                            ACM_Unconfigure_SCCM.bat failure: Please send me the command output and we can see if we can get them unconfigured without a physical visit.