OOB Fails to provision
I've been having this issue for about a week now and I'm going nowhere. OOB is configured with a public GoDaddy cert for provisioning cert. Enterprise root CA is installed on 2008 32-bit server. I duplicated the web server template and created "ConfigMgr ATM Client Template" and gave the SCCM site system (which is the provisioning server as well) read, write, enroll, and autoenroll rights on that template. "ConfigMgr ATM Client Template" is configured as OOB template in SCCM console. I am trying to provision an in-band computer xplocaltest.healthcare.com which is on AMT version 5.2.1.

I see the following in amtopmgr.log:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Provision target is indicated with SMS resource id. (MachineId = 382 xplocaltest.healthcare.local) SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Found valid basic machine property for machine id = 382. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
The provision mode for device xplocaltest.healthcare.local is 1. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Check target machine (version 5.2.1) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
The IP addresses of the host xplocaltest.healthcare.local are 10.1.80.52. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Create provisionHelper with (Hash: A2D3C6A3361957DCF9031FA18E7AFE069A73D14A) SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Try to use provisioning account to connect target machine xplocaltest.healthcare.local... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:03 AM 2000 (0x07D0)
Succeed to connect target machine xplocaltest.healthcare.local and core version with 5.2.1 using provisioning account #0. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:07 AM 2000 (0x07D0)
GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:10 AM 2000 (0x07D0)
Get device provisioning state is In Provisioning SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:10 AM 2000 (0x07D0)
Passed OTP check on AMT device xplocaltest.healthcare.local. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
Machine xplocaltest.healthcare.local will be added and published to AD and OU is LDAP://OU=OOB Computers,DC=healthcare,DC=local. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
Send request to AMT proxy component to add machine xplocaltest.healthcare.local to AD. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
Successfully created instruction file for AMT proxy task: E:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
Processing provision on AMT device xplocaltest.healthcare.local... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
Send request to AMT proxy component to generate client certificate. (MachineId = 382) SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
Successfully created instruction file for AMT proxy task: E:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
Wait 20 seconds to find client certificate for AMT device xplocaltest.healthcare.local being generated again... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:14 AM 2000 (0x07D0)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:23 AM 5280 (0x14A0)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:23 AM 5280 (0x14A0)
Auto-worker Thread Pool: Current size of the thread pool is 1 SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:23 AM 7392 (0x1CE0)
RETRY(1) - Validate client certificate for AMT device xplocaltest.healthcare.local being generated. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:34 AM 2000 (0x07D0)
Wait 20 seconds to find client certificate for AMT device xplocaltest.healthcare.local being generated again... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:34 AM 2000 (0x07D0)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:43 AM 5280 (0x14A0)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:43 AM 5280 (0x14A0)
RETRY(2) - Validate client certificate for AMT device xplocaltest.healthcare.local being generated. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:54 AM 2000 (0x07D0)
Wait 20 seconds to find client certificate for AMT device xplocaltest.healthcare.local being generated again... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:51:54 AM 2000 (0x07D0)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:03 AM 5280 (0x14A0)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:03 AM 5280 (0x14A0)
RETRY(3) - Validate client certificate for AMT device xplocaltest.healthcare.local being generated. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:14 AM 2000 (0x07D0)
Wait 20 seconds to find client certificate for AMT device xplocaltest.healthcare.local being generated again... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:14 AM 2000 (0x07D0)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:23 AM 5280 (0x14A0)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:23 AM 5280 (0x14A0)
RETRY(4) - Validate client certificate for AMT device xplocaltest.healthcare.local being generated. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:34 AM 2000 (0x07D0)
Wait 20 seconds to find client certificate for AMT device xplocaltest.healthcare.local being generated again... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:34 AM 2000 (0x07D0)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:43 AM 5280 (0x14A0)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:43 AM 5280 (0x14A0)
RETRY(5) - Validate client certificate for AMT device xplocaltest.healthcare.local being generated. SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:54 AM 2000 (0x07D0)
Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certficate is required. (MachineId = 382) SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:54 AM 2000 (0x07D0)
Error: Can't finish provision on AMT device xplocaltest.healthcare.local with configuration code (0)! SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:54 AM 2000 (0x07D0)
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 5/16/2011 8:52:54 AM 2000 (0x07D0)

I also see this in the amtproxymgr.log:

---------------------------------
Beginning enumeration of E:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box\mtn.box SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Processing Maintenance Inbox...Done SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Found instruction file: E:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtproxymgr.box\{77952F3D-D5C7-4FD5-9DA9-BA851F247AD2}.apx SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Processing Instruction: RCT 1;1;382;3.2.1;xplocaltest.healthcare.local;SMS_AMT_OPERATION_MANAGER_PROV; SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Request certificate task begin to read Site Control File. SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Changes to the site control file settings detected. SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Request certificate task success to read parameters from Site Control File. SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Request certificate task success to connect to the SQL database. SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
ERROR: CertCreateCertificateContext failed: 0x80093102, msg=ASN1 unexpected end of data. SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary. SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
Request certificate task disConnected to the SQL database. SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720)
ERROR: ICertRequest2->Submit failed: 0x800706ba SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:55 AM 5920 (0x1720)
INFO: Enter process request 3 SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:55 AM 5920 (0x1720)
INFO: Delete Request SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:55 AM 5920 (0x1720)
INFO: Request to delete not found SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:55 AM 5920 (0x1720)
Failed to run instruction: RCT 1;1;382;3.2.1;xplocaltest.healthcare.local;SMS_AMT_OPERATION_MANAGER_PROV; SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:55 AM 5920 (0x1720)
--------------------------------------

It seems that the site system can't get a certificate due to a failed serial number? Is that in regards to Revoke CRL? Any help is appreciated.

Thanks,
May 16th, 2011 12:11pm

Hi,

This issue can occur if the CRL of your root CA or Subordinate/Issuing CA is not published or has expired. This most commonly occurs in a multi-tier CA hierarchy that rolls up to an Offline Root Certificate Authority. When we initially provision an AMT agent, SCCM will pass the complete certificate chain to the AMT enabled device. A valid CRL (Certificate Revocation List) must be able to be reached by the provisioning server for the cert to be considered valid or the site server will reject the certificate during the verification of the certificate chain. By default a CA will republish its CRL every 7 days. If this number is not changed, you need to boot the offline root CA every 7 days and republish a valid CRL.

To publish a CRL:

To view the interval the CRL is published at, run the CA MMC snap-in, navigate to Revoked Certificates, Properties and select the CRL Publishing Parameters tab. The CRL publication interval is how often the CA fully "synchronises" the Revoked Certificates list with the published CRL.

To manually publish the certificate revocation list:

Using the Windows interface

1. Log on to the system as a Certification Authority Administrator.
2. Open Certification Authority.
3. In the console tree, click Revoked Certificates.
   Certification Authority (Computer)/CA name/Revoked Certificates
4. On the Action menu, point to All Tasks, and click Publish.
5. Select New CRL to overwrite the previously-published certificate revocation list (CRL), or select Delta CRL only to publish a current delta CRL.

Note: To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

Clients that have a cached copy of the previously-published CRL or delta CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a valid CRL.

By default, on the server on which the CA is installed, the CRL and delta CRL are published in:

Systemroot\system32\CertSrv\CertEnroll

If the Active Directory directory service is available, they are also published to Active Directory.

Regards,
Sabrina

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 18th, 2011 4:39am
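
A triage aid for the logs quoted in the question, as an added example that is not part of either post: it splits run-together amtopmgr.log / amtproxymgr.log text back into entries and decodes the failing HRESULTs into facility and code. The function names are this example's own; the facility numbers and the Win32 code name are taken from winerror.h.

```python
import re

# Every entry in the flattened log ends with: component, date/time, thread id (dec and hex).
TRAILER = re.compile(r"\s*(SMS_[A-Z_]+) (\d{1,2}/\d{1,2}/\d{4} "
                     r"\d{1,2}:\d{2}:\d{2} [AP]M) \d+ \(0x[0-9A-Fa-f]+\)\s*")
HRESULT = re.compile(r"\b0x[0-9A-Fa-f]{8}\b")

# Subset of winerror.h: facility numbers and the one Win32 code seen in this thread.
FACILITIES = {7: "FACILITY_WIN32", 9: "FACILITY_SECURITY"}
WIN32_CODES = {1722: "RPC_S_SERVER_UNAVAILABLE"}  # "The RPC server is unavailable."

def split_entries(text):
    """Return (message, component, timestamp) for each entry in run-together log text."""
    entries, pos = [], 0
    for m in TRAILER.finditer(text):
        message = text[pos:m.start()].strip()
        if message:
            entries.append((message, m.group(1), m.group(2)))
        pos = m.end()
    return entries

def decode_hresult(value):
    """Split an HRESULT into failure bit, facility (bits 16-26) and code (bits 0-15)."""
    facility, code = (value >> 16) & 0x7FF, value & 0xFFFF
    name = WIN32_CODES.get(code) if facility == 7 else None
    return {"failed": bool(value >> 31), "code": code, "name": name,
            "facility": FACILITIES.get(facility, str(facility))}

def errors(text):
    """Entries that start with 'Error' (any case) or carry a failing HRESULT."""
    out = []
    for message, component, when in split_entries(text):
        codes = [decode_hresult(int(h, 16)) for h in HRESULT.findall(message)]
        codes = [c for c in codes if c["failed"]]
        if message.lower().startswith("error") or codes:
            out.append((when, component, message, codes))
    return out

# Sample: three entries selected from the amtproxymgr.log excerpt in the question.
SAMPLE = (
    "Request certificate task success to connect to the SQL database. "
    "SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720) "
    "ERROR: CertCreateCertificateContext failed: 0x80093102, msg=ASN1 unexpected end of data. "
    "SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:53 AM 5920 (0x1720) "
    "ERROR: ICertRequest2->Submit failed: 0x800706ba "
    "SMS_AMT_PROXY_COMPONENT 5/16/2011 8:46:55 AM 5920 (0x1720)"
)

if __name__ == "__main__":
    for when, component, message, codes in errors(SAMPLE):
        print(when, component, message, codes)
```

On the sample it reports two failures: 0x80093102 in the security facility and 0x800706ba as Win32 error 1722, RPC_S_SERVER_UNAVAILABLE, returned by the certificate request submission.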
