Intel AMT Provisioning Error - Failed to create SSPI credential with error=0x8009030D by AcquireCredentialsHandle.

  • Question

  • Hello All,

    We have set up, in a test environment, one Configuration Manager R2 on Windows 2003 SP2 with an internal CA authority. We have entered the Root CA hash manually in the MEBx and have disabled DHCP, as we don't have a separate DHCP server for the test environment. Currently, when we try in-band provisioning, we receive the following error in the amtopmgr.log on the Configuration Manager server:
    --------------------------------------------------
    Attempting to establish connection with target device using SOAP.    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Found matched certificate hash in current memory of provisioning certificate    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Create provisionHelper with (Hash: 9241BCE663AC8F0649349AC8CC34234982EAD)   SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Set credential on provisionHelper...    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Try to use provisioning account to connect target machine <machine name>.<domain suffix>...    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Failed to create SSPI credential with error=0x8009030D by AcquireCredentialsHandle.    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Fail to connect and get core version of machine <machine name>.<domain suffix> using provisioning account #0.    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Try to use default factory account to connect target machine <machine name>.<domain suffix>...    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Failed to create SSPI credential with error=0x8009030D by AcquireCredentialsHandle.    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Fail to connect and get core version of machine <machine name>.<domain suffix> using default factory account.    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Try to use provisioned account (random generated password) to connect target machine <machine name>.<domain suffix>...    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Failed to create SSPI credential with error=0x8009030D by AcquireCredentialsHandle.    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Fail to connect and get core version of machine <machine name>.<domain suffix> using provisioned account (random generated password).    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 13)    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
    Error: Can NOT establish connection with target device. (MachineId = 13)    SMS_AMT_OPERATION_MANAGER    03.4.2009 г. 09:04:17    376 (0x0178)
    --------------------------------------------------
    We see this error on every try with the accounts we have entered. We are pretty sure that the password is the same. We have also tried with the default password and the result was the same. The version of AMT is 4.1.3.
    So does anyone have a clue what can cause this error and how we can solve it?
    Thanks in advance for your responses.

    • Edited by Kindim Friday, April 3, 2009 10:35 AM
    Thursday, April 2, 2009 2:20 PM

Answers

  • Hello All,

    We have found the problem. It appears that the problem comes from nested groups. As soon as we allowed permissions for the computer account of the Configuration Manager server instead of the group, we had no problems making the provisioning work.
    The other problem with the client, which we saw in the BIOS, was the following:

    Machine Type: Invalid
    System Serial Number: Invalid
    UUID: FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF

    We had to update the BIOS with the boot CD image, downloaded from the manufacturer.

    After that everything worked as expected.

    With best Regards
    Kin
    • Marked as answer by Kindim Monday, June 29, 2009 7:34 AM
    • Edited by Kindim Monday, June 29, 2009 9:13 AM
    Monday, June 29, 2009 7:33 AM

All replies

  • Have you installed the Schannel hotfix? http://support.microsoft.com/default.aspx/kb/942841/en-us .
    Configuration Manager China R&D Blog:http://blogs.technet.com/msdchina/
    Friday, April 3, 2009 6:47 AM
  • Hello Jerryliu,

    Yes, both hotfixes are installed:
    KB960804
    KB942841
    But that didn't solve the problem.
    Friday, April 3, 2009 7:25 AM
  • Ok,

    We have requested a new provisioning certificate from our internal CA and now the error has changed:

    -------------------------------------------------------------------------------------------------------------------------------------
    Set credential on provisionHelper...    SMS_AMT_OPERATION_MANAGER    16.4.2009 16:05:13    812 (0x032C)
    Try to use provisioning account to connect target machine <FQDN>...    SMS_AMT_OPERATION_MANAGER    16.4.2009 16:05:13    812 (0x032C)
    Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    16.4.2009 16:05:13    812 (0x032C)
    **** Error 0x2feb924 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER 16.4.2009 16:05:13    812 (0x032C)
    Fail to connect and get core version of machine <FQDN> using provisioning account #0.    SMS_AMT_OPERATION_MANAGER    16.4.2009 16:05:13    812 (0x032C)
    -------------------------------------------------------------------------------------------------------------------------------------
    So can anyone help me with what can cause this error?

    Thanks in advance.

    Thursday, April 16, 2009 1:07 PM
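The two amtopmgr.log excerpts in this thread (the 0x8009030D from AcquireCredentialsHandle in the question, and the 0x80090304 from InitializeSecurityContext in the reply above) fail at different points of the same sequence, and telling them apart is the first step in troubleshooting. The script below is an added example and is not part of this thread or of Configuration Manager: it parses log lines in the layout shown (message, component, timestamp, thread id), extracts the SSPI status code and the failing API call, maps the code to its SEC_E_* name from the Windows SDK headers, and attaches a starting checklist per call. The sample lines are constructed from the thread's own output; the per-call hints are this example's assumed checklist, not Microsoft's documented guidance.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: amtopmgr.log lines taken from the thread, in the usual
# ConfigMgr layout of message, component, timestamp and thread id. The
# ApplyControlToken line keeps its single space between component and timestamp,
# as posted, to exercise the fallback parsing path.
SAMPLE_LOG = """\
Set credential on provisionHelper...    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
Failed to create SSPI credential with error=0x8009030D by AcquireCredentialsHandle.    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 13)    SMS_AMT_OPERATION_MANAGER    03.4.2009 09:04:17    376 (0x0178)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    16.4.2009 16:05:13    812 (0x032C)
**** Error 0x2feb924 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER 16.4.2009 16:05:13    812 (0x032C)
"""

# SSPI status codes (SEC_E_*) as defined in the Windows SDK headers.
SSPI_STATUS = {
    0x80090304: "SEC_E_INTERNAL_ERROR",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090326: "SEC_E_ILLEGAL_MESSAGE",
    0x80090328: "SEC_E_CERT_EXPIRED",
}

# Assumed starting checklist per failing call (this example's own, not vendor text).
# AcquireCredentialsHandle fails before anything is sent to the device, so the
# problem is local to the site server; InitializeSecurityContext fails mid-handshake.
API_HINT = {
    "AcquireCredentialsHandle": "local credential: check the provisioning certificate "
    "and private key are usable by the account doing the provisioning (this thread's "
    "fix was template permission for the site server's computer account, not a nested group)",
    "InitializeSecurityContext": "TLS handshake with the AMT device: check the Root CA "
    "hash in the MEBx, the certificate chain and the DNS name the device is reached by",
}


@dataclass
class LogEntry:
    message: str
    component: str
    timestamp: str
    thread: int


@dataclass
class SspiError:
    code: int
    name: str
    api: str
    hint: str
    timestamp: str


COLUMN_SPLIT = re.compile(r"\s{2,}")                      # columns are 2+ spaces apart
ERROR_CODE = re.compile(r"(?:error=|Error )(0x[0-9A-Fa-f]+)")
API_NAME = re.compile(r"\bby (\w+)")                       # "... by AcquireCredentialsHandle."
THREAD = re.compile(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$")       # "376 (0x0178)"


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one amtopmgr.log line into its four columns; None if it is not a log line."""
    cols = COLUMN_SPLIT.split(line.strip())
    if len(cols) == 3:
        # Fallback: component and timestamp separated by a single space.
        component, _, rest = cols[1].partition(" ")
        cols = [cols[0], component, rest, cols[2]]
    if len(cols) != 4:
        return None
    m = THREAD.match(cols[3])
    if not m:
        return None
    return LogEntry(cols[0], cols[1], cols[2], int(m.group(1)))


def find_sspi_errors(log_text: str) -> List[SspiError]:
    """Return every line that carries an SSPI status code, decoded and annotated."""
    found: List[SspiError] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        m = ERROR_CODE.search(entry.message)
        if not m:
            continue
        code = int(m.group(1), 16)
        api_m = API_NAME.search(entry.message)
        api = api_m.group(1) if api_m else "unknown"
        found.append(SspiError(code, SSPI_STATUS.get(code, "unknown status"), api,
                               API_HINT.get(api, "no specific hint for this call"),
                               entry.timestamp))
    return found


if __name__ == "__main__":
    for err in find_sspi_errors(SAMPLE_LOG):
        print(f"{err.timestamp}  0x{err.code:08X} {err.name} from {err.api}\n    -> {err.hint}")
```

Run against the thread's lines, the script reports SEC_E_UNKNOWN_CREDENTIALS from AcquireCredentialsHandle (a local credential problem on the site server) separately from SEC_E_INTERNAL_ERROR from InitializeSecurityContext (a handshake problem with the device), and leaves the non-HRESULT 0x2feb924 from ApplyControlToken marked as an unknown status rather than guessing.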
  • The fact that you're not using DHCP worries me, because we've now updated the docs to say that DHCP is required for both out of band and in-band provisioning, in order to set the domain suffix correctly and create an A record in DNS.  See the latest prerequisites topic (http://technet.microsoft.com/en-us/library/cc161785.aspx) where we say:

    For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain name (015) and that the DHCP server dynamically updates DNS with the computer resource record.

    You can read more about this requirement here: http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/12/09/out-of-band-management-requirements-for-in-band-amt-provisioning-and-dhcp.aspx 

    This clarification came about because of another forum post where they had a very similar error to yours (but an earlier version of AMT) - see http://social.technet.microsoft.com/forums/en-US/configmgrgeneral/thread/ba8ded54-9f4b-4425-9768-7b95cd66ac04/.  Their issue came down to DHCP/DNS configuration for AMT - so I was wondering, in the log file where it says <machine name>.<domain suffix>, do you have a DNS record so that this name can be successfully resolved to an IP address?


    - Carol


    This posting is provided “AS IS” with no warranties and confers no rights

    Thursday, April 16, 2009 5:10 PM
  • Hello Carol,

    Sorry for the delay in response.
    We have set up the IP addresses and suffix manually, so we have disabled the DHCP server in the MEBx and in Windows. The DNS server resolves the client machines correctly, so there is no problem there.

    As we can't reproduce a DHCP server in our test environment, I asked our PKI team to publish the certificate templates in our real environment. As soon as they publish the templates, we will make the test in the real environment, where we have a DHCP server with options 6 and 15 activated, and I will let you know if the tests were successful.

    Thanks for your answer and the links.
    Tuesday, April 21, 2009 10:25 AM
  • So,

    We have prepared a DHCP server and checked the DNS for the forward (A) and reverse (PTR) DNS records for the client and ConfigMgr site server in a test environment, and everything is OK, but the Configuration Manager server still can't do the provisioning.
    >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<
    Provision target is indicated with SMS resource id. (MachineId = 6 <machine name>.<domain suffix>
    Found valid basic machine property for machine id = 6.
    Warning: Currently we don't support mutual auth. Change to TLS server auth mode.
    The provision mode for device <machine name>.<domain suffix> is 1.
    Attempting to establish connection with target device using SOAP.
    Found matched certificate hash in current memory of provisioning certificate
    Create provisionHelper with (Hash: 9241BCE663AC8F0649349AC8CC34234982EAD)
    Set credential on provisionHelper...
    Try to use provisioning account to connect target machine <machine name>.<domain suffix>
    Fail to connect and get core version of machine <machine name>.<domain suffix> using provisioning account #0.
    Try to use default factory account to connect target machine <machine name>.<domain suffix>
    Fail to connect and get core version of machine <machine name>.<domain suffix> using default factory account.
    Try to use provisioned account (random generated password) to connect target machine <machine name>.<domain suffix>
    Fail to connect and get core version of machine <machine name>.<domain suffix> using provisioned account (random generated password).
    Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 6)
    Error: Can NOT establish connection with target device. (MachineId = 6)
    >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<
    As I already mentioned, we have to log in to the MEBx and change the password in order to input our internal CA hash. So we have checked the password many times on both sides and it is the same. We have checked the links Carol sent us and have followed the instructions there, but that did not help us.
    We have used this guide to create the templates, and the only difference is the template name.
    http://technet.microsoft.com/en-us/library/cc161804.aspx

    Thanks in advance for your help

    • Edited by Kindim Tuesday, June 9, 2009 8:51 AM
    Friday, May 15, 2009 1:09 PM
  • It does sound like you've checked everything you can within Configuration Manager - especially if you've checked the DNS domain suffix in AMT matches the host computer domain suffix, in addition to checking the DNS records. If you configure DHCP after the network interface has closed, this can introduce a timing issue where the DNS domain suffix doesn't update in AMT - see this blog post for more details: http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/12/09/out-of-band-management-requirements-for-in-band-amt-provisioning-and-dhcp.aspx 

    There are a couple of suggested reasons for "Error: Device internal error. Check Schannel, provision certificate, network configuration, device" in our troubleshooting docs (http://technet.microsoft.com/en-us/library/cc161803.aspx), which point to the hotfix files being overwritten or DNS/DHCP misconfiguration.  However, if you've checked these, I recommend you contact Intel for more diagnostics why AMT is rejecting the connection.  I've just noticed from your original post that you're running AMT version 4.1.3, and this isn't one of our supported versions (see http://technet.microsoft.com/en-us/library/cc161963.aspx), so I definitely recommend checking with them in case there are known issues that might be causing this provisioning failure.

    In case you're not aware of this, Intel have an excellent community forum to help support out of band management in Configuration Manager, and they are very helpful/responsive.  When it comes to the nitty-gritty details of what AMT is doing and how to configure it, they are the experts because this is their technology.  See the Intel vPro Expert Center: Microsoft vPro Manageability - http://communities.intel.com/community/vproexpert/microsoft-vpro.

    If you do find a resolution with them, can you update this post to help other Configuration Manager customers?


    - Carol


    This posting is provided “AS IS” with no warranties and confers no rights

    Saturday, May 16, 2009 12:36 PM
  • Hi Kindim,

    Did you ever find a solution to this problem?

    We are having the same issue.

    Regards

    Merijn
    Friday, June 5, 2009 7:15 AM

  • Hello Merijn,

    No, until now I haven't found it.
    I am still trying different things.
    If I find something I will post it here.


    Regards

    Kin
    • Edited by Kindim Friday, June 19, 2009 9:58 AM
    Tuesday, June 9, 2009 8:53 AM
  • Hello All,

    We have found the problem. It appears that the problem comes from nested groups. As soon as we allow permissions for the computer account, we have no problems making the provisioning work. The other problem with the client was that the model type and machine type were invalid and the UUID contained only the letter "f" (this we saw in the BIOS). We had to update the BIOS with the boot CD image downloaded from the manufacturer.

    With best Regards
    Kin

    What do you mean by "allow permissions for the computer account"?

    Regards Merijn
    Monday, June 29, 2009 7:31 AM
  • Hello Merjin,

    I mean that we used 3 nested groups and gave permission to the top group. But it appears that there is a problem in our test environment with the nesting, which we will investigate later.

    According to the MS guide ( http://technet.microsoft.com/en-us/library/cc161804.aspx ), you should use the group "ConfigMgr Out of Band Service Points", which in our case was the top group.
    14. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
    
    15. Click Add, enter ConfigMgr Out of Band Service Points in the text box, and then click OK.
    
    16. Select the following Allow permissions for this group: Read and Enroll.

    Here we used the computer account instead of this group.

    Regards
    Kin
    Monday, June 29, 2009 7:47 AM