out of band console not working
I succeeded to provision some computers (amtstatus=3) but the oobconsole can not connect to any of these machines. The system goes busy-connecting-disconnected.
The oobconsole.log contains one error :
[3/12/2008 17:51:44] :GetAMTPowerState fail with result:0x80072EE9I can open the webinterface of the managementcontroller using https://j-feys-xp2.hhr.be:16993, but I can't log on. No user/password combination is accepted.
the amtopmgr.log contains a configuration code :
Finished provision on AMT device j-feys-xp2.hhr.be with configuration code (65534)! SMS_AMT_OPERATION_MANAGER 3/12/2008 12:11:04 7548 (0x1D7C)Does anyone know what these resultcodes mean ?
ps: I created my own provisioning certificate with a windows 2008 enterprise certificate server.
Tutte le risposte
Thanks for raising the question. OOB Console is using current user kerberos account to authenticate with AMT systems. The key point here is AMT system must be enabled with kerberos authentication and registered with correct SPN in AD during provision.
I suggest you to check if the AD container on SCCM UI has been selected correctly and check if the AMT computer account has been added to the container with AD user and computers console.
As Jerry mentioned, this tends to be related to Kerberos authentication, which can be caused by a variety of different issues. Most commonly issue is the miss configuration of the AD OU SCCM uses to create the AD Object for AMT Kerberos authentication. To confirm you have it configured properly, you may want to reference: http://technet.microsoft.com/en-us/library/cc161814(TechNet.10).aspx. If you do not see an object created in that OU in an enabled state, there is most likely a configuration issues.
The other not so obvious reasons for the issue could be that the user you are logged in as has not been granted access to the AMT client. Assuming you followed the AMT Settings and AMT User Accounts process as described here: http://technet.microsoft.com/en-us/library/cc161918(TechNet.10).aspx
If the AMT firmware version is less than 3.2.1 there are some additional items that could be causing the issues… but I’m assuming you are firmware version 3.2.1?
Although your WebUI issue you are seeing would exist if the AD object was not created properly, there is IE 6 hot fix and registry enter for IE 6 & 7 that is required to do Kerberos authentication on a non-standard port. You may want to verify that KB908209 installed for IE 6 and that the required FEATURE_INCLUDE_PORT_IN_SPN_KB908209 registry entry is added for both IE 6 and IE 7.
--Matt Royer
- As it has already been mentioned, kerberos authentication needs to be working 100%. Make sure that your vPro client's A and PTR records are properly returning from the system running the OOB console. Just use nslookup and do a forward and reverse lookup. Do a reverse lookup several times, to make sure that you don't have multiple PTR records for the same IP address. I ran into this scenario once, and it broke it
Trevor Sullivan
Systems Engineer
OfficeMax Corporation - I succeeded to use the out of band console on 2 of the 5 provisioned computers. It are all HP DC7800 with AMT version 3.2.2.
The only difference between those two and the other computers is that I cleared cmos with a button on the mainboard and then reprovisoned them.
Allthough the out of band management console seems to work, it gives the following error in oobconsole.log
[12][13/12/2008 15:08:25] :Error occurred when sending data to Proxy, cannot connect to telnet
A second strange phenomenon is that after network discovery the AMT status changes back to 1. When I manually set it back to 3 in system_disc, I can use oob again till the next networkdiscovery.
I succeeded to logon into the webconsole by setting the FEATURE_INCLUDE_PORT_IN_SPN_KB908209 registry key. - Yes. OOB Console will leverage on telnet for serail over lan connection and display. If you are using windows server 2008, it's by default no telnet installed and you should install telnet manually.
For network discovery, I guess there might be some error happened when perform AMT discovery. Network not stable is the possiblity case. But the settings on AMT computer are still correct and the information of the computer is well kept in SCCM database. Then after you change the AMTStatus as provisioned, it works well.
It's good to see your AMT webui work with kerberos account. That's means kerberos settings is correctly set into AMT computer and also the computer account in AD. - Hmmm, fancy that .... now I'm having this issue, but on a Windows XP system. Actually, it's two separate Windows XP systems. I can log onto the web interface of the AMT system, but my fresh installation of the Configuration Manager console fails when using the OOBconsole.
I can connect to the same AMT device using my Windows Vista client, Windows 7 Beta client, or Windows 2003 Server SCCM site server.
I checked the system's DNS records, and they're correct. I imported my root and subordinate CA certificates into the Trusted Root CA store and the Intermediate CA store. That didn't fix it either .... same behavior occurring.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
Trevor Sullivan Systems Engineer OfficeMax Corporation - I have created an OU and gave the SCCM full control permission. I also created the container with same name in AD using Adsiedit and also gave full control permission.
The computer account already existed what should I now check and where? - For me it is working now.. I just have an issue with IDE Redirection I loose the connection as soon as it goed beyond the POST..
