Enjoy Sharing

Provisioning with 2048 bit certificate

You may hit a problem when trying to provision vPro, with the log entries below appearing in “C:\Program Files\Microsoft Configuration Manager\Logs\amtopmgr.log”.

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
AMT Provision Worker: Wakes up to process instruction files    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    1020 (0x03FC)
Provision target is indicated with SMS resource id. (MachineId = 3 SIBER1_USER12.INTANBK.local)    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
AMT Provision Worker: Wait 20 seconds…    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    1020 (0x03FC)
Start to send a basic machine property creation request to FDM. (MachineId = 3)    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
AMT Provision Worker: Wakes up to process instruction files    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    1020 (0x03FC)
AMT Provision Worker: Wait 20 seconds…    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    1020 (0x03FC)
CStateMsgReporter::DeliverMessages – Queued message: TT=1201 TIDT=0 TID=’Fill Machine Property’ SID=1 MUF=0 PCNT=5, P1=’SIBER1_USER12′ P2=’89130000BFF59769BE24FE3D5C9EFE8CA4ED52E174D505ED49B9898DFE7710DB693A9CF178289D6DBA3E8DF1140000004200000048000000036600000000000080F20C247D2E8DD87A9E3D27CB55024D423AE263B22BD7FA742CDC9B10ED65242CC910BA0D3F471CDFA92CEE12D0277684A473F32BFECC47CCD464D7FD733DEFB7B45C3D44B7CE972E2A’ P3=’SIBER1_USER12.INTANBK.local’ P4=’admin’ P5=’F66656326507D0F050EA3DEC64C0F331A9DC758F’    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
CStateMsgReporter::DeliverMessages – Created state message file: C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\6ok985qv.SMX    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Warning: Currently we don’t support mutual auth. Change to TLS server auth mode.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
The provision mode for device SIBER1_USER12.INTANBK.local is 1.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Attempting to establish connection with target device using SOAP.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Found matched certificate hash in current memory of provisioning certificate    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Create provisionHelper with (Hash: 9D70092A4BB7EC5065A769EE2C67324132B8FF40)    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Set credential on provisionHelper…    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Try to use provisioning account to connect target machine SIBER1_USER12.INTANBK.local…    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
**** Error 0x17fb95c returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Fail to connect and get core version of machine SIBER1_USER12.INTANBK.local using provisioning account #0.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Try to use default factory account to connect target machine SIBER1_USER12.INTANBK.local…    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
**** Error 0x17fb95c returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Fail to connect and get core version of machine SIBER1_USER12.INTANBK.local using default factory account.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Try to use provisioned account (random generated password) to connect target machine SIBER1_USER12.INTANBK.local…    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
**** Error 0x17fb95c returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Fail to connect and get core version of machine SIBER1_USER12.INTANBK.local using provisioned account (random generated password).    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 3)    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)
Error: Can NOT establish connection with target device. (MachineId = 3)    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    576 (0x0240)

However, searching the internet for this error leads to the TechNet page below, which attributes it to the certificate used having a key length above 2048 bits. Note that you may be using a 2048-bit certificate and still get this error. http://technet.microsoft.com/en-us/library/cc161803.aspx

“Configuration Manager Fails to Provision Computers for AMT Because the Root Certification Authority Certificate Has a Key Length of Greater Than 2048 Bits

As listed in Prerequisites for Out of Band Management and documented in Certificate Requirements for Out of Band Management, AMT-based computers cannot support a root certification authority certificate that has a key length of greater than 2048 bits. In this scenario, provisioning will fail with the following errors in the log file <ConfigMgrInstallationPath>\Logs\Amtproxymgr.log:

Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.

**** Error 0x193b95c returned by ApplyControlToken

Fail to connect and get core version of machine <IP address of computer to provision>

Solution

Use a certification authority that has a root certificate with a key length of 2048 bits or less.”

 

Further searching led me to this solution: on the DHCP server, ensure that scope option 006 (DNS Servers) and scope option 015 (DNS Domain Name) are populated with the correct information.
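To find every machine hitting this failure, the log can be scanned for the pattern shown above. This is an added example, not part of the original post or of Configuration Manager: it assumes the four-field layout as pasted on this page, uses constructed sample lines with placeholder host names, and keys on 0x80090304 rather than the ApplyControlToken value, which differs between the log above and the TechNet excerpt.

```python
import re
from collections import defaultdict

SEC_E_INTERNAL_ERROR = "0x80090304"  # SSPI code from InitializeSecurityContext in the log above

# Constructed sample in the pasted amtopmgr.log layout (message, component,
# timestamp, thread). Host names and the second thread id are placeholders.
_T = "    SMS_AMT_OPERATION_MANAGER    20/3/2009 3:24:24 PM    "
_TLS = "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server."
_FAIL = "Fail to connect and get core version of machine "
SAMPLE_LOG = "\n".join([
    "Try to use provisioning account to connect target machine PC01.example.local…" + _T + "576 (0x0240)",
    "AMT Provision Worker: Wait 20 seconds…" + _T + "1020 (0x03FC)",
    _TLS + _T + "576 (0x0240)",
    "**** Error 0x17fb95c returned by ApplyControlToken" + _T + "576 (0x0240)",
    _FAIL + "PC01.example.local using provisioning account #0." + _T + "576 (0x0240)",
    "Try to use default factory account to connect target machine PC01.example.local…" + _T + "576 (0x0240)",
    _TLS + _T + "576 (0x0240)",
    _FAIL + "PC01.example.local using default factory account." + _T + "576 (0x0240)",
    "Try to use provisioning account to connect target machine PC02.example.local…" + _T + "580 (0x0244)",
    _FAIL + "PC02.example.local using provisioning account #0." + _T + "580 (0x0244)",
])

SSPI_ERR = re.compile(r"Error (0x[0-9a-fA-F]+) returned by InitializeSecurityContext")
TRY = re.compile(r"^Try to use .+ to connect target machine")
FAIL = re.compile(r"^Fail to connect and get core version of machine (\S+) using (.+?)\.$")

def triage(log_text):
    """Map machine -> attempts [(account, SSPI code or None)] and a verdict."""
    pending = {}                    # thread id -> SSPI code seen in the current attempt
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 4:
            continue                # not a four-field record
        msg, thread = fields[0], fields[-1]
        if TRY.match(msg):
            pending[thread] = None  # a new account is being tried on this thread
        elif (m := SSPI_ERR.search(msg)):
            pending[thread] = m.group(1).lower()
        elif (m := FAIL.match(msg)):
            attempts[m.group(1)].append((m.group(2), pending.pop(thread, None)))
    report = {}
    for machine, tries in attempts.items():
        # Same handshake error for every account: the failure is below the
        # authentication step, so look at certificate and network, not passwords.
        tls = all(code == SEC_E_INTERNAL_ERROR for _, code in tries)
        report[machine] = {"attempts": tries, "verdict": "tls-handshake" if tls else "other"}
    return report
```

Calling `triage()` on the text of a log returns one entry per machine; a `tls-handshake` verdict points at the certificate chain or the DHCP settings described above rather than at the account passwords.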

 

 

Enjoy!!!


One response

  1. Mats

    Hi, I’m having an issue when provisioning the AMT clients with SCCM and I get a similar error as you describe. Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. **** Error 0x5f6b5fc returned by ApplyControlToken. I’ve searched for an explanation to this error (0x5f6b5fc) without success, do you have any suggestions? We are using an internal Microsoft PKI CA where the Issuing CA has a key length of 2048bit.

    April 28, 2010 at 12:57 pm
