15 Replies. Latest reply on Nov 27, 2014 6:32 AM by zeglory

    Error provisioning new machines

    zeglory

      Hi,

               We have configured RCS and a basicProfile on the server side, but when we run the configurator we keep on hitting this error

       

       

      2014-11-21 15:36:15: Thread:2584(ERROR) : ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : wmain Line: 1254: ***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. Valid certificate for PKI configuration not found.

       

      We have tried at least 15 different combinations of certificate template, but no luck!

       

      - We are running RCS as a domain user and it has been issued a certificate, which has been added to its local store.

      - We have issued a TLS certificate for the mutual server part; it has been added to the machine's local store.

      - We have added the Enterprise CA thumbprint to Intel MEBx manually and reconfirmed that it's OK.

       

      We have followed the user guide and have added the custom OIDs as well. Reading a blog post or discussion forum, I saw that we had to use OU = Intel(R) Client Setup Certificate on the web server template while creating the request. But it seems like the problem is occurring with the provisioning certificate. On the server we are seeing

       

      2014-11-21 15:36:15: Thread:3024(DETAIL) : RCS Server , Category: Finish Configuration; (ERROR) AMT details: UUID: 4C4C4544-0057-5A10-8031-B5C04F4D3132, FQDN: PC142592.placetobe.local, IP: 10.11.12.64 . Return code: 0xc000521f . Details: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. Valid certificate for PKI configuration not found.  Source: Src\RCSServer.cpp : CServiceModule::Log Line: 1270:

       

      Hope someone can help us by pointing us in the right direction.

       

      Best regards,

      Sean

        • 1. Re: Error provisioning new machines
          brunodom

          Can you share the command line that you are using to trigger the provisioning process?

          Usually, I recommend using NETWORK SERVICE as the service account for RCSServer due to security concerns, and in this case, to add the certificate into the NETWORK SERVICE context, you can use this command line: RCSutils.exe /Certificate Add c:\certificate.pfx <password>

           

          About the certificate template itself, you may use the OID and/or OU attribute to identify it as a provisioning certificate for the vPro machine.

           

          I hope that it may help you move forward.

           

          Best Regards!

          -Bruno Domingues

          • 2. Re: Error provisioning new machines
            zeglory

            Hi Bruno,

                       We are using

             

            ACUConfig.exe /LowSecurity /Verbose /output file C:\Config.log ConfigViaRCSOnly intelscs.placetobe.local BasicProfile on the Client.

             

            We are using a service account to run the RCS service, which has been given local admin rights on the RCS server, as well as full permissions on the SQL DB. It seems like there are problems with the certificates, but we are not able to figure out which one. On the RCS we are seeing


            RCS Server , Category: Finish Configuration; (ERROR) AMT details: UUID: 4C4C4544-0057-5A10-8031-B5C04F4D3132, FQDN: PC142592.placetobe.local, IP: 10.11.12.64 . Return code: 0xc000521f . Details: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.  Source: Src\RCSServer.cpp : CServiceModule::Log Line: 1270: 

            • 3. Re: Error provisioning new machines
              brunodom

              It looks like the provision certificate that you are using is not being seen or there is an error; try/check these points:

              - As you are using a domain user account, you must log in on RCS using this same account and add the provision certificate in the User context, i.e. MMC -> Certificates -> User;

              - Also, double check that the OU and/or OID is present in the certificate, because the OU, for instance, may be supplied in the request instead of the template.

               

              Best Regards!

              -Bruno Domingues

              • 4. Re: Error provisioning new machines
                zeglory

                Hi again,

                              Imported the certificate under the personal store for the RCS service account user, and also verified that both OU and OID are present. By the way, we are using 2.16.840.1.113741.1.2.3 but have also tried with the ones that end with .1 and .2. Just for the sake of testing we have also tried to add all three and even tried to issue a certificate with all purposes. But we seem to get the same error. We have triple checked that the Root CA has been added with thumbprint values. The errors we are seeing on the RCS are

                 

                2014-11-22 00:06:56: Thread:2168(DETAIL) : PC142592.placetobe.local, Category: DiscoverAMTConnectionMode Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 889: Connection Info-PC142592.placetobe.local admin PKI: 73bdf90538fc97febaba7797371bdc35a79f999a

                2014-11-22 00:06:56: Thread:2168(DETAIL) : PC142592.placetobe.local, Category: AMTCommunicator Source: WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::GetAmtVersion Line: 119: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.

                2014-11-22 00:06:56: Thread:2168(ERROR) : PC142592.placetobe.local, Category: AMT Interface error Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 997: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. , error in discover 0xc000521f

                2014-11-22 00:06:56: Thread:2168(ERROR) : 4C4C4544-0057-5A10-8031-B5C04F4D3132, Category: Operation Error Source: Src\ConfigThread.cpp : ConfigThread::runConfigure Line: 190: Initial connection to the Intel(R) AMT device failed. Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

                2014-11-22 00:06:56: Thread:2168(ERROR) : 4C4C4544-0057-5A10-8031-B5C04F4D3132, Category: Operation Error Source: Src\ConfigThread.cpp : ConfigThread::runConfigure Line: 654: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

                2014-11-22 00:06:56: Thread:2168(DETAIL) : RCS Server , Category: End function: Status Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::SetupConfigureAMT Line: 878: 0xc000521f

                2014-11-22 00:06:56: Thread:2168(ERROR) : 4C4C4544-0057-5A10-8031-B5C04F4D3132, Category: ConfigAMT request failed.  Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::handleStatusAfterRun Line: 221: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.  (0xc000521f).

                2014-11-22 00:06:56: Thread:2168(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 260: Begin GetAmtByUuid AMTSystem

                2014-11-22 00:06:56: Thread:2168(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 236: Begin GetAmtByUuid DBAmt

                2014-11-22 00:06:56: Thread:2168(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 340: Begin UpdateAmt

                2014-11-22 00:06:56: Thread:2168(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 345: End UpdateAmt

                2014-11-22 00:06:56: Thread:2168(DETAIL) : RCS Server , Category: Finish Configuration; (ERROR) AMT details: UUID: 4C4C4544-0057-5A10-8031-B5C04F4D3132, FQDN: PC142592.placetobe.local, IP: 10.11.12.51 . Return code: 0xc000521f . Details: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.  Source: Src\RCSServer.cpp : CServiceModule::Log Line: 1270:

                2014-11-22 00:06:56: Thread:2168(ERROR) : WMI Protocol, Category: ConfigAMT Source: C:\TeamCity\BuildAgent\work\5f8e22057159680a\Components\RCSServer\MethodCallData.h : SCS_WMI::WMICallDetails::SendErrorReport Line: 93: Finished operation with Error.   (0xc0001c89).

                2014-11-22 00:07:31: Thread:2880(INFO) : ExecQueryAsync, Category: SELECT * FROM RCS_AMTFilter Source: Src\InstProv.cpp : CInstProv::ExecQueryAsync Line: 503:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: Start function Source: Src\RCS_AMTCollection_WMIProvider.cpp : RCS_AMTFilter::Enumerate Line: 44:

                2014-11-22 00:07:31: Thread:2880(INFO) : RCS AMTFilter, Category: Enumerate started Source: Src\RCS_AMTCollection_WMIProvider.cpp : RCS_AMTFilter::Enumerate Line: 45:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: Start function Source: Src\AMTCollection_Impl.cpp : RCS_AMTCollection_WMIProviderImpl::Enumerate_AMTCollection Line: 18:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: End function: Status Source: Src\AMTCollection_Impl.cpp : RCS_AMTCollection_WMIProviderImpl::Enumerate_AMTCollection Line: 42: Success.

                2014-11-22 00:07:31: Thread:2880(INFO) : CS GeneralSettings data, Category: Enumerate finished request finished successfully Source: Src\RCS_AMTCollection_WMIProvider.cpp : RCS_AMTFilter::Enumerate Line: 90:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: Start function Source: Src\RCS_AMT_WMIProvider.cpp : CRCS_AMT::GetElementCount Line: 121:

                2014-11-22 00:07:31: Thread:2880(INFO) : RCS_AMT, Category: Get GetElementCount started Source: Src\RCS_AMT_WMIProvider.cpp : CRCS_AMT::GetElementCount Line: 122:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: Start function Source: Src\AMT_Impl.cpp : RCS_AMT_WMIProviderImpl::GETAMT_CountByQuery Line: 62:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAggregateByQuery Line: 128: Begin GetAggregateByQuery

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: End function: Status Source: Src\AMT_Impl.cpp : RCS_AMT_WMIProviderImpl::GETAMT_CountByQuery Line: 94: Success.

                2014-11-22 00:07:31: Thread:2880(INFO) : GetRCS_AMT  data, Category: GetElementCount finished successfully Source: Src\RCS_AMT_WMIProvider.cpp : CRCS_AMT::GetElementCount Line: 163:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: Start function Source: Src\RCS_AMT_WMIProvider.cpp : CRCS_AMT::GetElementCount Line: 121:

                2014-11-22 00:07:31: Thread:2880(INFO) : RCS_AMT, Category: Get GetElementCount started Source: Src\RCS_AMT_WMIProvider.cpp : CRCS_AMT::GetElementCount Line: 122:

                2014-11-22 00:07:31: Thread:2880(DETAIL) : RCS Server , Category: Start function Source: Src\AMT_Impl.cpp : RCS_AMT_WMIProviderImpl::GETAMT_CountByQuery Line: 62:

                • 5. Re: Error provisioning new machines
                  brunodom

                  It looks like the Intel vPro machines are still rejecting or not recognizing your certificate. Have you tried, instead of using the OID, issuing the certificate based only on the Web Server certificate template and placing exactly this string into the OU attribute: Intel(R) Client Setup Certificate

                   

                  It should work. Also, for RCS to recognize the certificate, you have to restart the services.

                   

                  Best Regards!

                  -Bruno Domingues

                  • 6. Re: Error provisioning new machines
                    zeglory

                    Hi Bruno,

                                 These errors have been taken from the server log; it's regarding the service account running the RCS service. As far as I have read, we need to duplicate the User account, and I guess a machine account would not be an option to use with the service account? We have tried only adding the OID, only adding the OU property, and adding both OID and OU, but seem to get the same error message. After each try we have restarted the server and the client just to be sure that everything new has been taken into consideration/use. I have found a similar posting on the forum, where the user solved the problem by placing the RCS service account into the machine local store. But in our case, even that is not helping. Worst of all is that, when we run the Diagnostics tool, it's showing every sub category/test as OK but the overall test for the provisioning certificate is still failing. I must admit, this is a rather strange phenomenon! We are running RCS v 9.x on a Windows 2012 R2 machine, the CA has been installed on a Windows 2012 server, but the 2003 enterprise template has been used for the provisioning cert. Furthermore, we have tried adding UPN and DNS values (SAN) in the request so that the same certificate might be used both by the service account and the server, but still no luck. We have followed the instructions in the user guide in order to create a certificate template.

                     

                    Best regards,

                    Sean

                    • 7. Re: Error provisioning new machines
                      xFallenAngelx

                      Hello all,

                       

                      I'm having the same issue, except the certificate I'm using is a GoDaddy-supplied certificate. I get

                       

                      Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

                       

                      The weird thing is, when I first installed the certificate it appeared to work, but now it doesn't. I've gone as far as reinstalling the SCS server application to a new database, but just can't get it to work. Are there any other logs I can look in to see why the PKI certificate isn't being set as valid?

                       

                      The certificate was imported from a .pfx file and has a private key attached to it as said by the Intel AMT documentation...

                      • 8. Re: Error provisioning new machines
                        brunodom

                        Sean,

                             It's very strange, but the devil lives in the details. Do you mind if we do some basic checks? Looking into your certificate itself:

                             As you are using an internal certificate, it may be obvious but would be good to double check:

                             - Using MMC -> Certificate -> User (assuming that you are logged in with the same service account), check if you have the primary key:

                        Cert_PtivKey.PNG

                        - Check if the subject name matches what the vPro machine is seeing, i.e. the DNS suffix on the client must match the certificate domain as well:

                         

                        SubjectName.PNG

                        - Also, check if you can see the whole certificate chain without any error:

                         

                        CertChain.PNG

                        - If you are able to see the whole chain up to the root, double click on the root certificate, go to Details and see what is shown in Thumbprint;

                        RootHash.PNG

                             You will be able to see the hash that must be filled in on the vPro machine. Also, if it didn't work, have you tried, just as a test, filling in this hash manually in the ME?

                         

                        Best Regards!

                        -Bruno Domingues

                        • 9. Re: Error provisioning new machines
                          brunodom

                          There are several possibilities:

                          The certificate must be installed into the same RCSServer service context, i.e. if you are using Network Service to run RCSServer, you should use RCSutils to install the certificate, as explained in the Intel Setup and Configuration Software - User Guide (found in the Intel SCS package - section 3.5). In case you are using a domain user account, log in using this account and install it in the User context (i.e. MMC -> certificate -> User -> Personal context);

                          Also, with GoDaddy, have you selected the vPro option during enrolling process?

                           

                          01_sslrequest_vpro.png

                           

                          Best Regards!

                          -Bruno Domingues

                          • 10. Re: Error provisioning new machines
                            xFallenAngelx

                            Hi Bruno,

                             

                            Thanks for the reply. Yes, I definitely selected Intel vPro in the enrollment phase, and it has the Intel AMT OID on the certificate as well. The only thing I'm confused about: mine seems to be signed by a different GoDaddy CA. Are there any logs client or server side that say why a certificate didn't meet validation? The certificate DNS suffix matches the DHCP Option 15 as well.

                             

                             

                            Cert1.png

                            Cert2.png

                            Cert3.png

                            • 11. Re: Error provisioning new machines
                              brunodom

                              In order to double check if your root certificate is valid, you can check if the thumbprint matches what you have in the ME; for example, this is the thumbprint that you will find:

                               

                              GoDaddy-Hash.PNG

                              I'm assuming that you replaced the field "Issue to" to hide the real name, right?

                              What you may also look at is whether this certificate is correctly installed in the RCSServer service account context. Can you confirm which user account you are using?

                               

                              Best Regards!

                              -Bruno Domingues

                              • 12. Re: Error provisioning new machines
                                xFallenAngelx

                                I'm currently using NETWORK SERVICE; however, I've also tried using a defined service account as well. The certificate is definitely in the store, as when the cert wasn't in the store, I got a different error.

                                 

                                Correct, I edited the field to hide our real name.

                                 

                                I'll check the hash in the firmware and see if it matches. If it doesn't match, what can I do? Do you think I could go back to GoDaddy and say it's not working?

                                • 13. Re: Error provisioning new machines
                                  xFallenAngelx

                                  Hi Bruno,

                                   

                                  I fixed it!! It turns out, one of the intermediate certificates in the chain was set as a trusted root on the SCS server, which broke the root chain. By removing the intermediate from the trusted root and placing it in trusted intermediates, the chain was able to complete correctly and the certificate is now seen as valid.

                                   

                                  Hopefully this might help Sean as well!
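
                                  The checks listed in reply 8 and the cause found in reply 13, as an added PowerShell example (not part of the thread and not Intel SCS tooling). The store path and DNS suffix are assumptions to replace; the OID and OU string are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Run it while logged on as the account
# that runs the RCSServer service, since Cert:\CurrentUser\My is per-user.
param(
    # Assumption: the provisioning certificate is in the user's Personal store.
    [string]$StorePath = 'Cert:\CurrentUser\My',
    # Placeholder: the DNS suffix the AMT client receives (DHCP option 15).
    [string]$DnsSuffix = 'example.local'
)

$AmtOid = '2.16.840.1.113741.1.2.3'            # OID quoted in the thread
$AmtOu  = 'Intel(R) Client Setup Certificate'  # OU string quoted in the thread

function Get-ProvisioningCertReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DnsSuffix
    )
    # Collect the EKU OIDs, if the certificate carries an EKU extension at all.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain as this account sees it. Revocation is skipped so the
    # result reflects path building and trust only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk  = $chain.Build($Cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $top      = $elements[-1]   # last element: the root when the chain is complete

    [pscustomobject]@{
        Subject         = $Cert.Subject
        HasPrivateKey   = $Cert.HasPrivateKey
        HasAmtOid       = $ekuOids -contains $AmtOid
        HasAmtOu        = $Cert.Subject.Contains("OU=$AmtOu")
        SuffixMatches   = $Cert.GetNameInfo('SimpleName', $false) -like "*.$DnsSuffix"
        ChainBuilds     = $chainOk
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainLength     = $elements.Count
        TopOfChain      = $top.Subject
        TopIsSelfSigned = $top.Subject -eq $top.Issuer
        TopThumbprint   = $top.Thumbprint   # compare with the hash stored in the ME
    }
}

function Get-MisplacedIntermediate {
    # A trusted-root store normally holds only self-signed certificates. An entry
    # whose Subject differs from its Issuer is an intermediate in the wrong store,
    # which is the condition reply 13 found on the SCS server.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -ne $_.Issuer } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, Thumbprint
    }
}

Get-ChildItem -Path $StorePath |
    ForEach-Object { Get-ProvisioningCertReport -Cert $_ -DnsSuffix $DnsSuffix } |
    Format-List

$misplaced = @(Get-MisplacedIntermediate)
if ($misplaced.Count -gt 0) {
    Write-Warning 'Non-self-signed certificates found in a trusted-root store; they belong under Intermediate Certification Authorities.'
    $misplaced | Format-List
}
```

                                  A certificate that reports ChainBuilds as True but TopIsSelfSigned as False, or any output from Get-MisplacedIntermediate, points at the store placement problem described in reply 13.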

                                  • 14. Re: Error provisioning new machines
                                    brunodom

                                    If you are using NETWORK SERVICE, which IMHO is the most secure option, you should use RCSUtils.exe, which can be found in the Intel SCS\IntelSCS\Utils folder in the Intel zip file:

                                    Use this syntax to add the certificate:

                                     

                                    C:\>RCSUtils.exe /Certificate Add c:\certificate.pfx <password>

                                     

                                    This command should include your certificate, protected with the password that you defined, into NETWORK SERVICE security context.

                                     

                                    In order to check that it's working, or at least that NETWORK SERVICE has this certificate, use this syntax:

                                     

                                    C:\>RCSUtils.exe /Certificate View /RCSUser NetworkService /Log File c:\logfile.txt

                                     

                                    and check what logfile.txt tells you about the certificates in the NetworkService context.

                                     

                                    In case your GoDaddy certificate wasn't issued by a root recognized by vPro, I'm almost sure that GoDaddy can revoke and re-issue a new certificate without cost. In most cases that I faced, the certificate was replaced within a 30-day period after being issued.

                                     

                                    Best Regards!

                                    -Bruno Domingues

                                    1 of 1 people found this helpful