Buz Brodin | Senior Support Escalation Engineer
Hi everyone, Buz Brodin here. I recently had an interesting AMT provisioning case with System Center 2012 Configuration Manager where we hit multiple issues, so I captured the various symptoms and error details and wrote them up to share with you today.
Problem 1: Initial attempt at provisioning fails
Symptoms
When attempting to provision machines in System Center 2012 Configuration Manager, the following error occurs in the Amtopmgr.log and provisioning is not successful:
ERROR: [EnrollmentWrapper]: Enrollment service reports error: CertificateAuthorityError. Detail message: Submitting cert request and issuing cert failed SMS_AMT_OPERATION_MANAGER
Fail to call SubmitRequest in IssueCertificateFromES SMS_AMT_OPERATION_MANAGER
ERROR: Fail to issue certificate SMS_AMT_OPERATION_MANAGER
Error: Can't finish provision on AMT device SMS_AMT_OPERATION_MANAGER
The following application event error coincides with the provisioning attempt on the issuing Certificate Authority:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Event ID: 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: Site.Server.Domain.Com
Description:
Active Directory Certificate Services denied request 49938 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for Domain\Computer$iME. Additional information: Denied by Policy Module
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
    <EventID Qualifiers="33370">53</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-12T20:43:46.000000000Z" />
    <EventRecordID>18258</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>computer.domain.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
    <Data Name="RequestId">49938</Data>
    <Data Name="Reason">The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)</Data>
    <Data Name="SubjectName">domain\computername$iME</Data>
    <Data Name="AdditionalInformation">Denied by Policy Module</Data>
  </EventData>
</Event>
The EnrollmentService.log on the ConfigMgr server hosting the Out of Band Management role shows the following:
[22, PID:14736][03/14/2013 13:17:45] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[22, PID:14736][03/14/2013 13:17:45] :CALayer: SubmitRequest CA: computer.domain.com\Contoso Issuing CA1 Errormessage: Denied by Policy Module ErrorCode: 2
[22, PID:14736][03/14/2013 13:17:45] :Only one CA is specified in profile. Failed to enroll with the specified CA: computer.domain.com\Contoso Issuing CA1
[22, PID:14736][03/14/2013 13:17:45] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[22, PID:14736][03/14/2013 13:17:45] :EnrollAMTDevice: Error: Submitting cert request and issuing cert failed
[22, PID:14736][03/14/2013 13:17:45] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollAmtDevice(String certRequest, String template, String hashIdentity, String deviceName, String& provisioning, String& hashProvisioning)
at Microsoft.ConfigurationManagement.Enrollment.AmtEnrollmentService.EnrollAMTDevice(String certRequest, String templateId, String hashIdentity, String deviceName)
Cause
This issue occurs because the security group containing the newly created AMT computername$iME accounts does not have the correct permissions (Enroll) on the ConfigMgr AMT Web Server certificate template.
Resolution
To resolve this you need to configure permissions for the Web Server certificate template.
Create an empty security group to contain the AMT computer accounts that System Center 2012 Configuration Manager creates during AMT provisioning.
1. On the CA computer, click Start, type certtmpl.msc, and then press ENTER.
2. In the contents pane, right-click the Web Server template, and then click Properties.
3. Click the Security tab, and then click Add.
4. In Enter the object names to select, type the name of the security group that contains the AMT computer accounts.
This security group should contain, at least temporarily when requesting custom certificates, the computer accounts of the AMT enabled machines that ConfigMgr will try to provision.
5. In Permissions, click Enroll under Allow, and then click OK.
More Information
Deployment of the PKI Certificates for Configuration Manager: http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_AMT2008_cm2012
Problem 2: Second attempt at provisioning the same machine fails with different error now
Symptoms
When you try to provision a computer in ConfigMgr 2012 you find provisioning fails and the following errors occur:
The request subject name is invalid or too long
In the Amtopmgr.log you see the following:
ERROR: [EnrollmentWrapper]: Enrollment service reports error: CertificateAuthorityError. Detail message: Submitting cert request and issuing cert failed SMS_AMT_OPERATION_MANAGER
Fail to call SubmitRequest in IssueCertificateFromES SMS_AMT_OPERATION_MANAGER
ERROR: Fail to issue certificate SMS_AMT_OPERATION_MANAGER
Error: Can't finish provision on AMT device computer.domain.com with configuration code (0)! SMS_AMT_OPERATION_MANAGER
EnrollmentService.log contains entries similar to this:
[8, PID:5604][03/14/2013 15:14:56] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[8, PID:5604][03/14/2013 15:14:56] :CALayer: SubmitRequest CA: computer.domain.com\Contoso Issuing CA1 Errormessage: Error Constructing or Publishing Certificate ErrorCode: 2
[8, PID:5604][03/14/2013 15:14:56] :Only one CA is specified in profile. Failed to enroll with the specified CA: computer.domain.com\Contoso Issuing CA1
[8, PID:5604][03/14/2013 15:14:56] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[8, PID:5604][03/14/2013 15:14:56] :EnrollAMTDevice: Error: Submitting cert request and issuing cert failed
[8, PID:5604][03/14/2013 15:14:56] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollAmtDevice(String certRequest, String template, String hashIdentity, String deviceName, String& provisioning, String& hashProvisioning)
at Microsoft.ConfigurationManagement.Enrollment.AmtEnrollmentService.EnrollAMTDevice(String certRequest, String templateId, String hashIdentity, String deviceName)
Cause
This issue can occur if the properties of the ConfigMgr AMT Web Server Certificate template are not set correctly.
Resolution
On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.
In the properties of the ConfigMgr AMT Web Server Certificate template, click the Subject Name tab, click Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) under the alternate subject name.
More Information
For more information see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority: http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_AMT2008_cm2012
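The two template settings behind Problems 1 and 2 (the Enroll permission for the AMT account group, and the subject name flags) can be checked in one pass from PowerShell. This is an added audit script, not code from the original post or from ConfigMgr; it assumes the RSAT ActiveDirectory module, a template CN of ConfigMgrAMTWebServer (hypothetical, pass the real one), and a constructed sample group name.

```powershell
# Added audit for the AMT Web Server template (Problems 1 and 2). Not from the post.
# Assumes RSAT ActiveDirectory module; run as a user who can read the Configuration NC.
param(
    [string]$TemplateName = 'ConfigMgrAMTWebServer',              # hypothetical CN; use the real template name
    [string]$AmtGroup     = 'CONTOSO\AMT Provisioning Accounts'   # constructed sample group
)
Import-Module ActiveDirectory

# msPKI-Certificate-Name-Flag bits (MS-CRTD) that the Subject Name tab toggles
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001   # set when subject is supplied in the request
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN     = 0x02000000   # "User principal name (UPN)" alternate name
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000   # subject name format = Common name
# Extended right GUID for Certificate-Enrollment ("Enroll" on the Security tab)
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$tpl = Get-ADObject -Identity $templateDn -Properties 'msPKI-Certificate-Name-Flag'

# --- Problem 1: does the AMT account group hold an explicit Allow/Enroll ACE? ---
# (GenericAll would also permit enrollment; this checks what the GUI's Enroll box writes.)
$acl = Get-Acl -Path "AD:\$templateDn"
$enrollAce = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AmtGroup -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $EnrollRightGuid -and
    (([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
}
if ($enrollAce) { "OK: $AmtGroup has Enroll on $TemplateName" }
else            { "FAIL: $AmtGroup lacks Enroll on $TemplateName (expect CA event 53 / 0x80094012)" }

# --- Problem 2: subject built from AD, Common name format, UPN alternate name cleared ---
$flags = [int64]$tpl.'msPKI-Certificate-Name-Flag'
$problems = @()
if ($flags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)         { $problems += 'subject is supplied in the request, not built from AD' }
if (-not ($flags -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME)) { $problems += 'Common name is not the subject name format' }
if ($flags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN)           { $problems += 'UPN is still selected as an alternate subject name' }
if ($problems.Count -eq 0) { 'OK: subject name settings match the documented configuration' }
else { $problems | ForEach-Object { "FAIL: $_ (expect 'The request subject name is invalid or too long')" } }
```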
Problem 3: Third attempt fails, this time with a different error; AMT AD accounts already exists. SMS_AMT_PROXY_COMPONENT
Symptoms
The provisioning attempt fails with the following error in the SMS_AMT_PROXY_COMPONENT log:
AMT AD accounts already exists. SMS_AMT_PROXY_COMPONENT
*** EN_EnrollmentAdminResetPin @DeviceName = *ComputerNameiME', @EncSessionKey =
[42000][50000][Microsoft][SQL Server Native Client 11.0][SQL Server]Failed to set enrollment pin. Cannot find matching record. : EN_EnrollmentAdminResetPin SMS_AMT_PROXY_COMPONENT
Error: Failed to reset enrollment record pin! SMS_AMT_PROXY_COMPONENT
Error: Failed to create enrollment record. SMS_AMT_PROXY_COMPONENT
Cause
This issue can occur if you try to reprovision a machine after a failed provisioning attempt and the computername$iME account in the AD OU for AMT-enabled devices still exists from the previous attempt.
Resolution
Delete the matching ComputerName$iME account from the OU that you defined in the Out Of Band Service Point Properties and then try to provision again.
More Information
Before you start provisioning, you are instructed to create an OU that will contain AMT-based computers, then define this OU in the Out Of Band Service Point Properties. During provisioning AMT accounts for each provisioned computer will be created in this OU by ConfigMgr 2012.
How to Provision and Configure AMT-Based Computers in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712319.aspx
Problem 4: Fourth attempt at provisioning appears to succeed however now we get an error when opening the OOB Console and trying to connect to this provisioned machine
Symptoms
When you attempt to open the OOB Console to connect to a provisioned machine in ConfigMgr 2012 you receive the following error:
Error connecting with OOB Console = oobconsole.exe application error
The exception unknown software exception (0xe0434352) occurred in the application at location 0x7602b9bc
Cause
This was caused by a corrupt Adminconsole.ui.dat file in the user profile.
Resolution
Delete the Adminconsole.ui.dat file contained in the AppData\Microsoft directory of the currently logged-in user's profile and relaunch the console.
Problem 5: Machines are now all provisioned, we can launch the OOB Console, and power controls and Serial Over LAN work fine, but we are not able to connect to the same machines' internal web server via port 16993 in Internet Explorer. We get a login prompt or a "page cannot be displayed" message.
Symptoms
After you successfully provision a machine in ConfigMgr 2012, you find that you cannot connect to that machine's internal web server via port 16993 in Internet Explorer. However, from the same computer you can connect to the machine using the OOB Console in ConfigMgr.
Cause
A registry setting HAS to be in place on the machine you are initiating the connection FROM for the connection to work inside of Internet Explorer. This is the same as it was for ConfigMgr 2007 Service Pack 1.
Resolution
On the machine you are initiating the connection FROM, create the following registry keys:
For 32-bit computers
1. Click Start, click Run, type regedit and then click OK.
2. In the left pane, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
3. On the Edit menu, point to New and then click Key.
4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209 and then press ENTER.
5. On the Edit menu, point to New and then click DWORD Value.
6. Type iexplore.exe and then press ENTER.
7. On the Edit menu click Modify.
8. Type 1 in the Value data box and then click OK.
9. Exit Registry Editor.
For 64-bit computers
1. Click Start, click Run, type regedit and then click OK.
2. In the left pane, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl
3. On the Edit menu, point to New and then click Key.
4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209 and then press ENTER.
5. On the Edit menu, point to New and then click DWORD Value.
6. Type iexplore.exe and then press ENTER.
7. On the Edit menu click Modify.
8. Type 1 in the Value data box and then click OK.
9. Exit Registry Editor.
Now you can connect with IE as well to http://clientname.domain.com:16993
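The same registry change can be applied and verified from an elevated PowerShell prompt on the machine you connect from. This is an added example, not from the original post or from ConfigMgr; it writes the FEATURE_INCLUDE_PORT_IN_SPN_KB908209 value for iexplore.exe under both the native and (on 64-bit Windows) the WOW6432Node FeatureControl paths from the steps above, so that IE includes the TCP port in the SPN it requests for the AMT web server.

```powershell
# Added example (not from the post): set and verify the IE FeatureControl value
# from the steps above. Run elevated on the machine you initiate the connection FROM.
$featureKey = 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$basePaths  = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl')
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit Windows also needs the 32-bit IE view under WOW6432Node
    $basePaths += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
}

foreach ($base in $basePaths) {
    $keyPath = Join-Path $base $featureKey
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null          # step 3-4: create the feature key
    }
    # step 5-8: DWORD iexplore.exe = 1 enables the feature for Internet Explorer
    New-ItemProperty -Path $keyPath -Name 'iexplore.exe' -PropertyType DWord -Value 1 -Force | Out-Null

    # verify what is actually stored before trying http://clientname.domain.com:16993 again
    $current = (Get-ItemProperty -Path $keyPath -Name 'iexplore.exe').'iexplore.exe'
    if ($current -eq 1) { "OK:   $keyPath\iexplore.exe = 1" }
    else                { "FAIL: $keyPath\iexplore.exe = $current" }
}
```

Restart Internet Explorer after the value is written; the FeatureControl setting is read when the process starts.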
More Information
For more information on troubleshooting OOBConsole connectivity please see the following:
Troubleshooting OOBConsole connectivity after an Intel vPro enabled device has been successfully provisioned in ConfigMgr 2007: http://blogs.technet.com/b/oob/archive/2011/02/17/troubleshooting-oobconsole-connectivity-after-an-intel-vpro-enabled-device-has-been-successfully-provisioned-in-configmgr-2007.aspx
Buz Brodin | Senior Support Escalation Engineer | Microsoft GBS Management and Security Division