AMT SCSLite server error

Hi,

I have loaded all the required certificates into the certificate store of the user that SCSLite is running under. But I still keep getting the below error in the logs. Can someone help me root cause? Our SCSLite server is running on a Windows 2008 R2 server:

19-1-2012 20:46:32:(INFO) : xxxxxxus-s1, Category: Supply New AMT Identity: started
19-1-2012 20:46:32:(INFO) : User: (XXXXXX\\SCSUser) : xxxxxxus-s1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
19-1-2012 20:46:32:(INFO) : xxxxxxus-s1, Category: Supply new AMT Identity request finished successfully:
19-1-2012 20:46:32:(ERROR) : xxxxxxus-s1, Category: Certificate store: A valid PKI certificate was not found in Certificate Store of the user running the Intel SCS.
19-1-2012 20:46:32:(ERROR) : xxxxxxus-s1, Category: Operation Error: Initial connection to Intel AMT failed. A valid PKI certificate was not found in Certificate Store of the user running the Intel SCS.
19-1-2012 20:46:32:(ERROR) : xxxxxxus-s1, Category: Operation Error: Intel AMT configuration failed. A valid PKI certificate was not found in Certificate Store of the user running the Intel SCS.
19-1-2012 20:46:32:(INFO) : User: (XXXXXX\\SCSUser) : xxxxxxus-s1 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. A valid PKI certificate was not found in Certificate Store of the user running the Intel SCS. Status:3221227474

Does this error mean the certificate store on the server side is not configured correctly? I am at a loss. Please help!!

It sounds like you are having issues with certificates, either how it was constructed or that it isn't loaded correctly. Have you gone through the documentation for SCS 6.0 Lite? I know there is a section that pretty clearly describes both how to make the certificates and then how to install them.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Yes, it works just fine when we had it installed on a different server. But we just created a new server from scratch and I am struggling to get it to work. In the certificate store I see the certs installed fine. Any other way to get more information from the errors as to exactly what trouble SCS is having finding the certificate?

This is a new production environment and I am stuck.

Thanks for your help!

I know that you have to have it in the store of the user who is running SCS - are you doing this? Also I am pretty sure that part of the certificate information has the FQDN of the system it is installed on. Does this new server have the same FQDN? You would have to create a new certificate based on your new FQDN.

Might you have a disjointed namespace issue? (when the primary Domain Name System (DNS) suffix of a computer does not match the DNS domain of which it is a member. Defining a network environment with disjointed namespaces (intentionally or accidentally) can cause many different types of communication and authentication failures.)

Have you gone through the troubleshooting section of the SCS Lite document? The errors you listed make it sound like it's a user store issue.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

I think I may have got it working now. Based on your input, I re-read the SCSLite certificate import process and then after a service restart it appears that error has gone now. Thanks for your help!
But now I see a different error. What does this mean?

19-1-2012 23:17:49:(INFO) : xxxxx-us-k2, Category: Supply New AMT Identity: started
19-1-2012 23:17:49:(INFO) : User: (XXXXXX\SCSUser) : xxxxx-us-k2 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (STARTED) : Status:0
19-1-2012 23:17:49:(INFO) : xxxxx-us-k2, Category: Supply new AMT Identity request finished successfully:
19-1-2012 23:17:49:(ERROR) : xxxxx-us-k2, Category: AMT Interface error: Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
19-1-2012 23:17:49:(ERROR) : xxxxx-us-k2, Category: Operation Error: Initial connection to Intel AMT failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
19-1-2012 23:17:49:(ERROR) : xxxxx-us-k2, Category: Operation Error: Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014
19-1-2012 23:17:49:(INFO) : User: (XXXXXX\SCSUser) : xxxxx-us-k2 : 03000200-0400-0500-0006-000700080009, Category: (PLATFORM_CONFIG) : (FAILED) : Intel AMT configuration failed. Failed while calling Soap call GetCoreVersion. AMT Connection Error 4014: Failed to get the certificate private key, error in discover 4014 Status:3221227474

Ok, so you are using the SCS Lite utility... What version of AMT is the system that you are trying to enable? I see that we don't have the "Lite" version out on the SCS Download site anymore. You might want to get the ACU wizard and try that. But aside from that, starting in release 7 I'm pretty sure that we don't have a SOAP interface anymore and the SOAP call to GetCoreVersion is failing, so it might be an AMT release/compatibility issue now.

The errors are a little puzzling. You have configured the same AMT system before with SCS 6 Lite, but on a different server, right? It's just that this new server is failing with the configuration? I see private key errors but prior to that I see a SOAP error.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hi,
The AMT version on the system is 3.0.2.
Could you tell me more about the ACU wizard?

Yes, we have successfully configured from the previous server. I have never seen these errors on that server ever.

Regards,
Ram

3.0.2 is pre WS-MAN - can you go out to your OEM site and upgrade the FW to 3.2? Very few tools may work well with 3.0.x. Can you go back to your other server and provision still? I think we will have to take a better look at your certificate information.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hi,
No, unfortunately our other server is down now. Can't use that to provision. Any other thoughts? We have a very large number of systems running this version. Changing them all at this time would be a huge deal. It's a production environment.

Regards,
Ram

Ok. First, I was incorrect in saying that SCS 6 Lite was no longer on the site - it is. And I verified that it should work with your version of AMT.

The ACU Wizard would be used if you wanted to do USB provisioning, but if you have many systems, you would probably not have to go "touch" them all.

Judging from the errors you are getting, it looks like the private key for the Remote Configuration cert is not installed. If it is, you must run the SCS as the user who has it installed in their cert store.

You said this was working on the other server - can you tell me what is different between the two as far as configuration goes?

Can you access the WebUI on any of your configured AMT systems from this new server?

Have you seen this document? http://www.vproexpert.com/59JHE/RCFG-Cert-Util/docs/RemoteConfigurationCertificateSelection.pdf

Does this new server have DHCP option 15 set up correctly? (excerpt out of the doc above)

The CN parameter in the remote Configuration Certificate must match the DHCP option 15 setting. Below is an example (Figure 7) of how a domain could be set up. With this example we will show what certificates would be supported. The CN used in a certificate is based off of a registered TLD (.com, .net, .uk). When requesting a certificate the certificate authority vendor will verify that the owner of the requesting certificate matches the owner of the domain name (e.g. company.com). If the names do not match the issuing certificate authority vendor will contact the domain owner so that permission can be obtained.

In the following section the DHCP option 15 settings match the way the domain is set up. For example a DHCP server for Mkgt.East.Company.local would have the DHCP option 15 value set to Mkgt.East.Company.local. During remote configuration the DHCP option 15 value is used for authentication regardless of the domain the computer is logged in to.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hi,

  • We don't have a domain. All are workgroup based systems. But the certificate CN has a domain that matches the DHCP option 15 value.
  • I ran the RCFG_Scout.exe on the remote client and it gave back the exact same CN that's there on the certificate.
  • I logged in as the SCSUser account on the server and looked at the certificate store. Everything looks fine to me.
  • The only change I can see is that earlier we had Windows 2003 server and now it's Windows 2008, but that shouldn't really make a lot of difference, right?

If you would be okay, I am even willing to run a remote live troubleshooting session by sharing my desktop with you. Please let me know if that will work for you.

Regards,

Ram

You might want to go grab the latest version of the SCS 6 Lite - it has information about installing the certs with Windows 2008.

For an update to this issue, we are looking at the certificate not having a private key associated with it and we are also suspicious of the DHCP option 15 being set up correctly. We believe the issue is in one, if not both, of these areas.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Hi Gael,

It appears the issue is now resolved.
The issue (based on your analysis) was with the private key missing in the certificate. It appears that we originally received a .pfx-based certificate package from GoDaddy and since then extensions to it have been with the .crt file. So the .crt file may have been linking and using the private key from the old certificate (or at least that's what I think). After loading the old expired .pfx certificate, Intel AMT provisioning has started working again.

Thanks a ton for your help!!

Regards,
Ram
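
A check for the two conditions this thread narrowed the problem down to (private key present and usable, certificate CN consistent with DHCP option 15), as an added example that is not part of the original posts or of Intel SCS. It assumes it is run in a PowerShell session started as the account that runs the SCS service; `$Option15Domain`, `Test-KeyOpens` and `Test-CnMatchesDomain` are names introduced here, and `example.com` is a placeholder.

```powershell
# Added example. CurrentUser below is the store of whoever runs this
# session, so start it as the SCS service account.
$Option15Domain = 'example.com'   # placeholder: the DHCP option 15 value in use

function Test-KeyOpens {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # Reading PrivateKey makes .NET open the key container; a key that
        # is linked but not reachable from this account throws here.
        return ($null -ne $Cert.PrivateKey)
    } catch {
        return $false
    }
}

function Test-CnMatchesDomain {
    param([string]$CommonName, [string]$Domain)
    # Assumption: the CN is the domain itself or a host name ending in it.
    $cn = $CommonName.ToLowerInvariant()
    $d  = $Domain.ToLowerInvariant()
    return (($cn -eq $d) -or $cn.EndsWith('.' + $d))
}

$now = Get-Date
Write-Host ('Store owner: ' + [Security.Principal.WindowsIdentity]::GetCurrent().Name)

# One row per certificate in the personal store of the current account.
Get-ChildItem Cert:\CurrentUser\My |
    Select-Object @{n='CN';            e={ $_.GetNameInfo('SimpleName', $false) }},
                  @{n='HasPrivateKey'; e={ $_.HasPrivateKey }},
                  @{n='KeyOpens';      e={ Test-KeyOpens $_ }},
                  @{n='Expired';       e={ $_.NotAfter -lt $now }},
                  @{n='CnMatches';     e={ Test-CnMatchesDomain ($_.GetNameInfo('SimpleName', $false)) $Option15Domain }},
                  Thumbprint |
    Format-Table -AutoSize
```

A current certificate showing `HasPrivateKey` as False next to an expired one with the same CN showing True is the situation described in the post above: the renewal was imported from a .crt file and the key only arrived with the original .pfx.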

I'm glad this is working now and that you have figured out what was going on. I will go ahead and close this issue.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof
