8 Replies Latest reply on Oct 21, 2009 1:35 PM by Boris

    Connection name, DNS name, certificate name mismatch, etc

    Sniper04

      Hi everyone,

       

      I have some problems with my computers. When I connect to my AMT computers with the Intel Manageability Commander tool, I get this warning: "Connection name, DNS name, certificate name mismatch." So when I try to connect to my computer by script, I cannot connect to AMT.

      To renew the certificate and connection, etc., I think I must do a partial unprovision of my computers, or is it possible to inject a new certificate? So I used the UnprovisionEx Intel application, but it does not work because it cannot connect to AMT for TLS reasons. Does somebody have a script to partially unprovision computers? I manage my computers with Intel SCS.

       

      Thanks for your help,

        • 1. Re: Connection name, DNS name, certificate name mismatch, etc
          bgmckown

          First off, the warning message that you're experiencing in the Manageability Commander Tool is most likely due to a difference in the FQDN of the target Intel(R) AMT client system and the certificate it's using for TLS communication. For example, if the system had a valid and correctly named certificate but the Commander tool was instructed to connect via the IPv4 address, then this warning message would appear. However, if Commander was instructed to use the FQDN (NOTE: this is the information displayed in the "IP / Hostname" field of the Connection tab) but the certificate was created using a different host name / domain name combination, then this warning message would occur.

           

          Now, the Intel(R) AMT Unprovision Utility (UnprovisionEx.exe) can be used to do either a partial or full unprovision of this system even though you are experiencing these certificate issues. You will need to add the '-ignorecert' command line switch when executing this utility. This instructs this utility to ignore any possibly invalid certificates passed from the Intel(R) AMT client and assume trust with the target system. This does not prevent you from having to specify the console certificate if the Intel(R) AMT client is configured for mutual TLS authentication (either the '-cert' or '-certFile' switches).

           

          Hope this helps,

          - Brett McKown

          Senior Software Engineer

          Intel Corporation | Intel Architecture Group | Business Client Platform Division | BCPD Software Engineering
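
The two mismatch cases described in the reply above (connecting by IP address, and connecting by an FQDN that differs from the certificate's name), as an added example that is not part of the original thread or of Intel's tools. The certificate dictionary, the sample targets and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the names a device certificate might carry.
SAMPLE_CERT = {"subject_cn": "ptest.local", "san_dns": ["ptest.local"], "san_ip": []}


def parse_ip(name):
    """Return an ip_address object if `name` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None


def dns_match(pattern, host):
    """Case-insensitive label comparison; '*' may stand for the left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if len(p) > 1 and p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def diagnose(target, cert):
    """Classify a connection target against the certificate's names."""
    addr = parse_ip(target)
    if addr is not None:
        # An IP target can only match an IP entry, never a DNS name.
        listed = {ipaddress.ip_address(i) for i in cert["san_ip"]}
        return (True, "ok") if addr in listed else (False, "ip-not-in-cert")
    # When SAN DNS entries exist they take precedence over the subject CN.
    names = cert["san_dns"] or [cert["subject_cn"]]
    if any(dns_match(n, target) for n in names):
        return True, "ok"
    return False, "name-differs"


if __name__ == "__main__":
    for target in ("ptest.local", "192.0.2.10", "ptest.corp.example"):
        print(target, diagnose(target, SAMPLE_CERT))
```
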

          • 2. Re: Connection name, DNS name, certificate name mismatch, etc
            Sniper04

            Thank you for your reply !

             

            Yes, I know all this information. I tried to unprovision my computer with the Unprovision utility but I get an error: HTTP 401 unauthorized

            My computers are set up with simple TLS authentication. I have no idea why it doesn't work. Is it possible to make this tool verbose?

            With the Commander tool, everything works very well ...

            Is it possible to unprovision a computer with a PowerShell script?

             

            Thank you

            • 3. Re: Connection name, DNS name, certificate name mismatch, etc
              bgmckown

              Are you getting the "HTTP 401 unauthorized" error even when you use the '-ignoreCert' command line switch with the Intel(R) AMT Unprovision Utility?

               

              As for getting "verbose" output - the utility already outputs everything that's relevant, including the specific error codes/messages that are returned from the remote AMT web service calls. Any more verbosity and you'd be seeing the internal program flow (function calls) which doesn't help the general user.

               

              There is a possibility of using PowerShell to perform the unprovision, but you would need to load the Manageability Stack library from the Manageability Commander Tool, create an AmtSystem class instance and use that to connect to the target Intel(R) AMT client. Then you would need to know which interfaces, classes and methods to call in order to unprovision the system. In my opinion, it's far easier to just use the command line utility, which should work just fine (assuming that you're using the correct command line options and parameters).

               

              - Brett McKown

              • 4. Re: Connection name, DNS name, certificate name mismatch, etc
                Sniper04

                It shows this error:

                 

                UnprovisionEx.exe" -hostname ptest.local -user admin -pass admin -tls -ignorecert -partial
                Intel(R) AMT Unprovision Utility 1.0.9058.1
                [Intel(R) Active Management Technology]
                Copyright (C) 2008 Intel Corporation. All rights reserved.

                Unprovisioning (PARTIAL) the system.
                An exception occurred while attempting to unprovision (PARTIAL) the system.

                La demande a échoué avec l'état HTTP 401 : Unauthorized.

                • 5. Re: Connection name, DNS name, certificate name mismatch, etc
                  bgmckown

                  While I'm not saying that you need to reveal your password here, are you certain that you are using the proper credentials to connect to the target Intel(R) AMT ME? You should be using the administrative password that you created/established either in the MEBx (pre-OS configuration via Ctrl-P during boot on most systems) or that was set up in SCS. What you provided in your last post, admin / admin, is not a strong password and therefore isn't valid. You may need to dig into SCS (of which I am not an expert or even a knowledgeable user) to determine the proper credentials to use with the command line Unprovision utility.

                   

                  - Brett McKown

                  • 6. Re: Connection name, DNS name, certificate name mismatch, etc
                    Sniper04

                    Hi, I found where the problem comes from. It's just that it's not possible to use the tool on the local computer. If you execute this tool on a remote computer, it works very well.

                    Now I've run into a new problem. The computers have been partially unprovisioned fine, but SCS still shows the computers as provisioned. If I try to provision a computer with the Activator tool, on my SCS console I can see this error: "Exception when trying to push request - 0xCFFF0066 : Intel AMT device is already provisioned". So it's not possible to provision the computers.... It's a very embarrassing tool.

                    I have a lot of problems where my computers have an incorrect DNS name or computer name ...

                    • 7. Re: Connection name, DNS name, certificate name mismatch, etc
                      bgmckown

                      Well, a partial unprovision is occurring (and, sorry that I didn't recognize that you were attempting to use this tool from the local system), the system is probably getting reprovisioned by SCS right away. Assuming that you have an SCS running all the time, as is the case with the standard installation/usage, then you will need to determine how to prevent SCS from automatically provisioning this system. Unfortunately, I will need to defer this to someone else on this board (... open call to anyone who knows how to use SCS ... SPEAK UP NOW!!).

                       

                      - Brett McKown

                      • 8. Re: Connection name, DNS name, certificate name mismatch, etc
                        Boris

                        I am not sure that I understand the use case.

                        If you partially un-provisioned the system without deleting the configuration parameters from the SCS, then the SCS configured it again right away when it got the first hello message. If you want to change the configuration parameters, you don't need to un-provision the system, but change them and reapply the configuration.

                        Anyway, I attached the SCS user guide for future reference. Please let me know if you have more questions.