Provision Intel vPro with SCCM 2007 SP2 - strange error
We are trying to provision our Intel vPro clients with SCCM 2007 SP2. We use a test certificate from Verisign with a bit length of 1024 and the Root CA has 2048-bits (there is a 2048-bit limit on vPro clients). The vPro client has the hash of the Root CA entered (as seen in the log below). The local password in MEBx is configured in SCCM to match the local MEBx password. We have un-provisioned the client multiple times.

I'm particularly interested in the error:

Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x431b240 returned by ApplyControlToken

I have tried to search for "Error 0x431b240 returned by ApplyControlToken", but without success. Strange!

This is the AMTOPMGR.log on the SCCM Provisioning server:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<
Provision target is indicated with SMS resource id. (MachineId = 52861 lovdotvpro1.orebroll.se) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Found valid basic machine property for machine id = 52861. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
The provision mode for device lovdotvpro1.orebroll.se is 1. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Check target machine (version 5.2.10) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
The IP addresses of the host lovdotvpro1.orebroll.se are 10.20.19.106. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Create provisionHelper with (Hash: 6CC51B70B989FAD4BAB6C83649EE68C4CA6A0999) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Try to use provisioning account to connect target machine lovdotvpro1.orebroll.se... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
AMT Provision Worker: 1 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=VEYRON SITE=CM1 PID=7296 TID=12036 GMTDATE=Fri Jul 16 07:34:26.421 2010 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 12036 (0x2F04)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using provisioning account #0. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using provisioning account #1. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Try to use default factory account to connect target machine lovdotvpro1.orebroll.se... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using default factory account. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Try to use provisioned account (random generated password) to connect target machine lovdotvpro1.orebroll.se... SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
**** Error 0x431b240 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Fail to connect and get core version of machine lovdotvpro1.orebroll.se using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 52861) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
Error: Can NOT establish connection with target device. (MachineId = 52861) SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)

Regards
July 16th, 2010 11:21am

Hello, glad to hear you got it working! You are correct about the part of the error you referred to. I was not very clear at all. This is what I was referring to in your log file:

Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection.

That is on the link and it does talk about option 15 being an issue in DHCP. Just wanted to clarify for others looking at this post.
July 19th, 2010 6:57pm
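
Added example, not part of the original thread and not SCCM's own tooling: a small Python triage of AMTOPMGR.log text in the layout quoted above, which groups the `Error ... returned by ...` entries under the account attempt they preceded. The sample log and host name are constructed, and the only code given a name is 0x80090304, which winerror.h defines as SEC_E_INTERNAL_ERROR.

```python
import re

# SSPI status name from winerror.h; codes not listed are reported as raw hex.
SSPI_NAMES = {0x80090304: "SEC_E_INTERNAL_ERROR"}

ERROR_RE = re.compile(r"Error (0x[0-9A-Fa-f]+) returned by (\w+)")
FAIL_RE = re.compile(
    r"Fail to connect and get core version of machine (\S+) using (.+?)\.\s+SMS_AMT")

def triage(log_text):
    """Group each 'Error ... returned by ...' under the account attempt it preceded."""
    events = [(m.start(), "err", m) for m in ERROR_RE.finditer(log_text)]
    events += [(m.start(), "fail", m) for m in FAIL_RE.finditer(log_text)]
    attempts, pending = [], []
    for _, kind, m in sorted(events, key=lambda e: e[0]):
        if kind == "err":
            pending.append((int(m.group(1), 16), m.group(2)))
        else:
            attempts.append({"host": m.group(1), "account": m.group(2),
                             "errors": pending})
            pending = []
    return attempts

def same_handshake_failure(attempts):
    """Return the shared InitializeSecurityContext code if every attempt hit it, else None."""
    per_attempt = [{c for c, fn in a["errors"] if fn == "InitializeSecurityContext"}
                   for a in attempts]
    if len(per_attempt) < 2 or not all(per_attempt):
        return None
    common = set.intersection(*per_attempt)
    return SSPI_NAMES.get(min(common), hex(min(common))) if len(common) == 1 else None

# Constructed sample in the flattened layout shown in the post (placeholder host).
def _entry(msg):
    return msg + " SMS_AMT_OPERATION_MANAGER 2010-07-16 09:34:26 10428 (0x28BC)\n"

HOST = "amt-client.example.test"
SAMPLE = "".join(
    _entry(line)
    for account in ("provisioning account #0", "default factory account")
    for line in (
        "Error 0x80090304 returned by InitializeSecurityContext during follow up "
        "TLS handshaking with server.",
        "**** Error 0x431b240 returned by ApplyControlToken",
        f"Fail to connect and get core version of machine {HOST} using {account}.",
    ))

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["account"], [(hex(c), fn) for c, fn in a["errors"]])
    print("shared handshake failure:", same_handshake_failure(triage(SAMPLE)))
```

When every account type fails with the same InitializeSecurityContext code, as in the log above, the failure sits in the TLS handshake itself rather than in any one credential, so the certificate chain and network settings are the first things to check.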

This topic is archived. No further replies will be accepted.
