SCCM R3 Out of Band Management Console - Serial Connection Failed
-
Wednesday, 30 May 2012 16:31
Hello everyone,
Really at a dead end and wondering if anyone had any suggestions.
I have SCCM 2007 R3 installed on Server 2008 R2, and have been progressing with the configuration of Out of Band Management. Everything seems to be working correctly with the exception of the Serial Connection in the Out of Band Management Console within the SCCM console.
The CA (also on Server 2008 R2) is issuing the certificates and I can see the SCCM server as the requester.
My test workstation provisions correctly, I'm using a cert from Go Daddy and I'm able to connect with the OOBM console and control power etc. But the Serial Connection fails.
AMTOPMGR.Log shows "Enable SOL with true and IDER with true"
The OOBMConsole.log file shows the familiar errors:
IMR_SOLOpenTCPSession fail with result:0x00000020
I've seen the posts \ messages regarding the incomplete certificate chain but I'm not sure that is the problem.
I've added the certificates in the SCCM server cert store too.
If I run KVMView.exe independently of the SCCM console, but on the same server, I can establish a successful TLS connection, just not from within the SCCM console itself.
Other features, such as the WebInterface are also working correctly.
Does anyone have any ideas where I'm going wrong, judging by the error in OOBMConsole.log it must be cert related, but I've run out of ideas.
Thanks in advance
All replies
-
Wednesday, 30 May 2012 18:25
Hi there, have you confirmed on these boxes that you have enabled the functionality in the BIOS?
"If IDE redirection and serial over LAN does not work in the out of band management console when successfully connected to an AMT-based computer, these options might be configured as disabled in the BIOS extensions or they might not be enabled by the computer manufacturer.
To help identify this scenario, on the site server computer, look for the following entries in the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:
Error: cannot put change to AMT_RedirectionService instance. SMS_AMT_OPERATION_MANAGER <date> <time> 3120 (0x0C30)
Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::EnableRedirectionService SMS_AMT_OPERATION_MANAGER <date> <time> 3120 (0x0C30)
Solution
If these options are disabled in the BIOS extensions, you can enable them. Before doing so, check that enabling them does not conflict with your company security policy because these functions enable highly privileged management options. Refer to your computer manufacturer documentation if you need help with configuring the BIOS extensions.
Because these functions enable highly privileged management options, it is possible that they have been intentionally not enabled by the manufacturer. Contact your manufacturer for more information, and also see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer."
From this article here. In the past when I ran into this it was often the case.
And this article here has some excellent steps to try and troubleshoot the issue, particularly around topic 3 which may well be your situation.
If all this checks OK then post a snippet from the AMTOPMGR and Console log file from around when you connect so we can see all the activity around that time.
-
Thursday, 31 May 2012 12:31
Hi Shawn,
Thanks for the response.
I'm happy that the BIOS extensions are enabled since I can connect using the KVMView.exe and see the reboot process, including both text and GUI elements.
I did check the "Topic 3" from the link you suggested and I did have multiple root certificates in the Trusted Root Certification Authorities store. Following the article I removed the duplicates and reset the store, but it made no difference. I've also got the root certificate added to the Intermediate Certification Authorities.
I've added the log file record for the SOL session and also the provisioning record log file.
OOBConsole.log
[6][31/05/2012 11:23:44] :GetAMTPowerState success with 2.
[6][31/05/2012 11:23:54] :GetAMTPowerState success with 2.
[6][31/05/2012 11:24:05] :GetAMTPowerState success with 2.
[6][31/05/2012 11:24:15] :GetAMTPowerState success with 2.
[6][31/05/2012 11:24:26] :GetAMTPowerState success with 2.
[6][31/05/2012 11:24:36] :GetAMTPowerState success with 2.
[6][31/05/2012 11:24:46] :GetAMTPowerState success with 2.
[6][31/05/2012 11:24:57] :GetAMTPowerState success with 2.
[9][31/05/2012 11:25:00] :Open SOL connection...
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession2 with user = xxx\xxx-xxx fail with result:0x20, description:Failed to Establish TLS Connection
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession2 with user = xxx\xxx-xxx fail with result:0x20, description:Failed to Establish TLS Connection
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession2 with user = xxx\xxx-xxx fail with result:0x20, description:Failed to Establish TLS Connection
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession2 with user = xxx\xxx-xxx fail with result:0x20, description:Failed to Establish TLS Connection
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession2 with user = xxx\xxx-xxx fail with result:0x20, description:Failed to Establish TLS Connection
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9][31/05/2012 11:25:00] :status message Type:Audit, ID:0x00000000C000766A, User:xxx\xxx-xxx, Machine:xxxxSCM01, Target:Wnxxxxx.yyy.yyyy.yyyyyy add to queue, waiting for report.
[1][31/05/2012 11:25:02] :Closing SOL terminal...
[1][31/05/2012 11:25:02] :SOL terminal closed
[6][31/05/2012 11:25:07] :GetAMTPowerState success with 2.
amtopmg.log
>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<
Provision target is indicated with SMS resource id. (MachineId = 540 Wnxxxxx.yyy.yyyy.yyyyyy)
Found valid basic machine property for machine id = 540.
Warning: Currently we don't support mutual auth. Change to TLS server auth mode.
The provision mode for device Wnxxxxx.yyy.yyyy.yyyyyy is 1.
Check target machine (version 7.1.3) is a SCCM support version. (TRUE)
The IP addresses of the host Wnxxxxx.yyy.yyyy.yyyyyy are 132.144.105.147.
Attempting to establish connection with target device using SOAP.
Found matched certificate hash in current memory of provisioning certificate
Create provisionHelper with (Hash: 9xxxxxxxxx2FAD58AF9xxxxxxx608BE3E3BAD)
Set credential on provisionHelper...
Try to use provisioning account to connect target machine Wnxxxxx.yyy.yyyy.yyyyyy...
Succeed to connect target machine Wnxxxxx.yyy.yyyy.yyyyyy and core version with 7.1.3 using provisioning account #0.
GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0.
Get device provisioning state is In Provisioning
Passed OTP check on AMT device Wnxxxxx.yyy.yyyy.yyyyyy.
Machine Wnxxxxx.yyy.yyyy.yyyyyy will be added and published to AD and OU is LDAP://OU=AMT,OU=Windows 7,OU=Development,OU=yyy,DC=yyy,DC=yyyy,DC=network.
Send request to AMT proxy component to add machine Wnxxxxx.yyy.yyyy.yyyyyy to AD.
Successfully created instruction file for AMT proxy task: D:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box
Processing provision on AMT device Wnxxxxx.yyy.yyyy.yyyyyy...
Send request to AMT proxy component to generate client certificate. (MachineId = 540)
Successfully created instruction file for AMT proxy task: D:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box
Wait 20 seconds to find client certificate for AMT device Wnxxxxx.yyy.yyyy.yyyyyy being generated again...
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
RETRY(1) - Validate client certificate for AMT device Wnxxxxx.yyy.yyyy.yyyyyy being generated.
Found client certificate already being generated for AMT device Wnxxxxx.yyy.yyyy.yyyyyy.
Start 1st stage provision on AMT device Wnxxxxx.yyy.yyyy.yyyyyy. (SOAP)
SecurityAdministration.ClearTLSCredentials finished with HResult = 0x0, status = 0x0, clientError = 0.
NetworkTime.GetLowAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0.
NetworkTime.SetHighAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0.
NetworkAdmin.SetHostName finished with HResult = 0x0, status = 0x0, clientError = 0.
NetworkAdmin.SetDomainName finished with HResult = 0x0, status = 0x0.
SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0.
SecurityAdministration.SetTlsServerAuthentication finished with HResult = 0x0, status = 0x0, clientError = 0.
SecurityAdministration.GetDigestRealm finished with HResult = 0x0, status = 0x0, clientError = 0.
SecurityAdministration.SetAdminAclEntryEx finished with HResult = 0x0, status = 0x0, clientError = 0.
SecurityAdministration.SetMEBxPassword finished with HResult = 0x0, status = 0x10, clientError = 0.
We can't set MEBx password at this time. Admin may have already changed this.
SecurityAdministration.CommitChanges finished with HResult = 0x0, status = 0x0, clientError = 0.
Finished 1st stage provision on AMT device Wnxxxxx.yyy.yyyy.yyyyyy. Sleep 5 seconds for 2nd stage provision.
Start 2nd stage provision on AMT device Wnxxxxx.yyy.yyyy.yyyyyy.
session params : https://Wnxxxxx.yyy.yyyy.yyyyyy:16993 , 11001
Delete existing ACLs...
Add ACLs..
Set Ping Response with true...
Set Kerberos options...
Set active power scheme..
Enable WebUI with true..
Enable SOL with true and IDER with true..
Enable Redirection port with true..
Finished 2nd stage provision on AMT device Wnxxxxx.yyy.yyyy.yyyyyy.
Finished provision on AMT device Wnxxxxx.yyy.yyyy.yyyyyy with configuration code (65534)!
CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Link provisioned AMT machine with current profile' SID=2 MUF=0 PCNT=5, P1='65' P2='2012-05-30 13:37:35' P3='1' P4='0' P5='7.1.3'
CStateMsgReporter::DeliverMessages - Created state message file: D:\Program Files (x86)\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\9sslexgn.SMX
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<
- Edited by Dave_Hill Thursday, 31 May 2012 12:33
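A triage of the OOBConsole.log layout quoted in the post above, as an added example that is not part of the original thread or of SCCM: it counts SOL open attempts, folds `0x20` and `0x00000020` into one result code, and reports whether other console calls succeeded on both sides of the failure. The names `parse`, `triage` and `SAMPLE_LOG` are hypothetical, and the sample lines are constructed from the excerpt's format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the OOBConsole.log excerpt above (not real data).
SAMPLE_LOG = r"""
[6][31/05/2012 11:24:57] :GetAMTPowerState success with 2.
[9][31/05/2012 11:25:00] :Open SOL connection...
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession2 with user = xxx\xxx-xxx fail with result:0x20, description:Failed to Establish TLS Connection
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession2 with user = xxx\xxx-xxx fail with result:0x20, description:Failed to Establish TLS Connection
[9][31/05/2012 11:25:00] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[1][31/05/2012 11:25:02] :Closing SOL terminal...
[6][31/05/2012 11:25:07] :GetAMTPowerState success with 2.
"""

# [n][dd/mm/yyyy hh:mm:ss] :message  (the meaning of n is not stated in the thread)
LINE = re.compile(r"^\[(\d+)\]\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\] :(.*)$")
FAIL = re.compile(r"^(IMR_\w+).*?fail with result:(0x[0-9A-Fa-f]+)(?:, description:(.*))?")

def parse(text):
    """Yield (n, timestamp, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m[1]), datetime.strptime(m[2], "%d/%m/%Y %H:%M:%S"), m[3]

def triage(text):
    """Summarise SOL open attempts and the failures logged for them."""
    attempts, codes, descriptions = 0, Counter(), Counter()
    first_fail = last_fail = None
    power_ok = []
    for _n, ts, msg in parse(text):
        if msg.startswith("Open SOL connection"):
            attempts += 1
        elif msg.startswith("GetAMTPowerState success"):
            power_ok.append(ts)
        m = FAIL.match(msg)
        if m:
            codes[(m[1], int(m[2], 16))] += 1  # 0x20 and 0x00000020 are the same code
            if m[3]:
                descriptions[m[3].strip()] += 1
            first_fail = first_fail or ts
            last_fail = ts
    # Successful calls before and after the failure point at the SOL session
    # itself rather than at reachability of the device.
    around = (bool(first_fail) and any(t <= first_fail for t in power_ok)
              and any(t >= last_fail for t in power_ok))
    return {"sol_attempts": attempts, "codes": dict(codes),
            "descriptions": dict(descriptions), "other_calls_ok_around_failure": around}
```

Several failure pairs under a single "Open SOL connection..." line, as in the excerpt, show up as a high count per code against `sol_attempts` of 1.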
-
Thursday, 06 September 2012 03:37
Hey Dave,
Did you end up getting your answer?
If I understand the issue correctly, when you try to KVM control the system from your SCCM server it fails with the above error?
I'm pretty confident it would be a certificate issue. Check out my blog point 12.
http://blair-muller.blogspot.com.au/2012/08/troubleshooting-kvm-control-of-vpro.html
Regards,
Blair
Regards, Blair Muller Check Out My Blog: http://blair-muller.blogspot.com/
-
Thursday, 06 September 2012 03:46
Sorry Dave,
Just read your post at http://communities.intel.com/thread/29700
When I go to a provisioned system by hostname rather than FQDN using Chrome I receive an error, because the certificate was issued to the FQDN, I cannot access the webGUI. Internet Explorer does not have an issue.
Have you tried provisioning the system with SCS and integrating it into SCCM to see if you have the same issue?
Regards,
Blair
-
Tuesday, 11 September 2012 14:20
Hi Blair,
Thanks for the update to the post. Still no final conclusion unfortunately though. The only thing that fails to work correctly is still the Serial Connection via the OOBM console.
I'd agree that IE (v8.0.7601.17514) has no problem accessing the WebGUI via either the hostname or FQDN. I hadn't attempted to provision using SCS, but I will, and post an update.
Regards Dave
-
Wednesday, 12 September 2012 23:28
Hey Dave,
Looking forward to hearing about the results with SCS.
It's a lot easier to troubleshoot because you can create your own profiles. For example, you can test without AD authentication and TLS.
Regards,
Blair