Troubleshooting Walkthrough of ConfigMgr 2012 SP1 Provisioning


Buz Brodin | Senior Support Escalation Engineer

Hi everyone, Buz Brodin here. I recently had an interesting AMT provisioning case with System Center 2012 Configuration Manager where we hit multiple issues, so I captured the various symptoms and error details and did some write-ups that I wanted to share with you today.

Problem 1: Initial attempt at provisioning fails

Symptoms

When attempting to provision machines in System Center 2012 Configuration Manager, the following error occurs in the Amtopmgr.log and provisioning is not successful:

ERROR: [EnrollmentWrapper]: Enrollment service reports error: CertificateAuthorityError. Detail message: Submitting cert request and issuing cert failed         SMS_AMT_OPERATION_MANAGER       
Fail to call SubmitRequest in IssueCertificateFromES     SMS_AMT_OPERATION_MANAGER       
ERROR: Fail to issue certificate  SMS_AMT_OPERATION_MANAGER
Error: Can't finish provision on AMT device SMS_AMT_OPERATION_MANAGER

The following Application event log entry on the issuing Certificate Authority coincides with the provisioning attempt:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Event ID:      53
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      Site.Server.Domain.Com
Description:
Active Directory Certificate Services denied request 49938 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422).  The request was for Domain\Computer$iME.  Additional information: Denied by Policy Module
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
    <EventID Qualifiers="33370">53</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-12T20:43:46.000000000Z" />
    <EventRecordID>18258</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>computer.domain.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
    <Data Name="RequestId">49938</Data>
    <Data Name="Reason">The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)</Data>
    <Data Name="SubjectName">domain\computername$iME</Data>
    <Data Name="AdditionalInformation">Denied by Policy Module</Data>
  </EventData>
</Event>

The EnrollmentService.log on the server hosting the ConfigMgr Out of Band Management role will show the following:

[22, PID:14736][03/14/2013 13:17:45] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[22, PID:14736][03/14/2013 13:17:45] :CALayer: SubmitRequest CA: computer.domain.com\Contoso Issuing CA1 Errormessage: Denied by Policy Module ErrorCode: 2
[22, PID:14736][03/14/2013 13:17:45] :Only one CA is specified in profile. Failed to enroll with the specified CA: computer.domain.com\Contoso Issuing CA1
[22, PID:14736][03/14/2013 13:17:45] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[22, PID:14736][03/14/2013 13:17:45] :EnrollAMTDevice: Error: Submitting cert request and issuing cert failed
[22, PID:14736][03/14/2013 13:17:45] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
   at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
   at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollAmtDevice(String certRequest, String template, String hashIdentity, String deviceName, String& provisioning, String& hashProvisioning)
   at Microsoft.ConfigurationManagement.Enrollment.AmtEnrollmentService.EnrollAMTDevice(String certRequest, String templateId, String hashIdentity, String deviceName)

Cause

This issue occurs because the security group for the newly created AMT computer accounts (the computername$iME objects seen in the event above) does not have the correct permissions on the ConfigMgr AMT Web Server Certificate template.

Resolution

To resolve this, you need to configure permissions on the Web Server certificate template.

Create an empty security group to contain the AMT computer accounts that System Center 2012 Configuration Manager creates during AMT provisioning.

1. On the CA computer, click Start, type certtmpl.msc, and then press ENTER.

2. In the contents pane, right-click the Web Server template, and then click Properties.

3. Click the Security tab, and then click Add.

4. In Enter the object names to select, type the name of the security group that contains the AMT computer accounts.

This security group should contain, at least temporarily when requesting custom certificates, the computer accounts of the AMT enabled machines that ConfigMgr will try to provision.

5. In Permissions, click Enroll under Allow, and then click OK.
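The same change can be made and verified from PowerShell instead of the Certificate Templates console. The script below is an added example and is not code from the original post or from Microsoft: it locates the template object in the Configuration partition, checks whether the group already holds the Enroll extended right, adds the access rule if it is missing, and then prints the template's ACL with certutil for an independent check. The template display name comes from the post; the group name "AMT Provisioning Computers" is a placeholder you must replace with your own group.

```powershell
# Added example (not from the original post): grant the AMT computer-account
# security group the Enroll right on the ConfigMgr AMT Web Server template.
# Run on a domain-joined machine with the ActiveDirectory module, as a user
# permitted to modify the template object (typically an Enterprise Admin).
Import-Module ActiveDirectory

$templateName = 'ConfigMgr AMT Web Server Certificate'   # display name used in the post
$groupName    = 'AMT Provisioning Computers'            # placeholder: your AMT computer-account group

# Extended-right GUID for Certificate-Enrollment, as defined in the AD schema.
$enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Certificate templates live in the Configuration naming context.
$configNC      = (Get-ADRootDSE).configurationNamingContext
$templatesPath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -SearchBase $templatesPath -LDAPFilter "(displayName=$templateName)"
if (-not $template) { throw "Template '$templateName' not found under $templatesPath" }

$group   = Get-ADGroup -Identity $groupName
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID
$groupNT = $sid.Translate([System.Security.Principal.NTAccount]).Value

$aclPath = "AD:\$($template.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath

# Look for an existing Allow ACE that grants exactly the Enroll extended right to this group.
$existing = $acl.Access | Where-Object {
    ($_.IdentityReference.Value -eq $groupNT -or $_.IdentityReference.Value -eq $sid.Value) -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $enrollRightGuid
}

if ($existing) {
    "Enroll is already granted to $groupName on '$templateName'"
} else {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow  = [System.Security.AccessControlType]::Allow
    $ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $enrollRightGuid
    $acl.AddAccessRule($ace)
    Set-Acl -Path $aclPath -AclObject $acl
    "Granted Enroll to $groupName on '$templateName'"
}

# Independent check: certutil prints the template definition including its ACL.
# Expect a line granting Enroll to the group; the CA's policy module reads this ACL.
certutil -v -template $template.Name | Select-String -Pattern 'Enroll', $groupName
```

Note that the AMT computer accounts (the computername$iME objects) must actually be members of the group at the time the CA evaluates the request, which is why the post says to populate the group at least temporarily while provisioning.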

More Information

Deployment of the PKI Certificates for Configuration Manager: http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_AMT2008_cm2012

Problem 2: Second attempt at provisioning the same machine fails with different error now

Symptoms

When you try to provision a computer in ConfigMgr 2012 you find provisioning fails and the following errors occur:

The request subject name is invalid or too long

In the Amtopmgr.log you see the following:

ERROR: [EnrollmentWrapper]: Enrollment service reports error: CertificateAuthorityError. Detail message: Submitting cert request and issuing cert failed SMS_AMT_OPERATION_MANAGER
Fail to call SubmitRequest in IssueCertificateFromES SMS_AMT_OPERATION_MANAGER
ERROR: Fail to issue certificate SMS_AMT_OPERATION_MANAGER
Error: Can't finish provision on AMT device computer.domain.com with configuration code (0)! SMS_AMT_OPERATION_MANAGER

EnrollmentService.log contains entries similar to this:

[8, PID:5604][03/14/2013 15:14:56] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[8, PID:5604][03/14/2013 15:14:56] :CALayer: SubmitRequest CA: computer.domain.com\Contoso Issuing CA1 Errormessage: Error Constructing or Publishing Certificate ErrorCode: 2
[8, PID:5604][03/14/2013 15:14:56] :Only one CA is specified in profile. Failed to enroll with the specified CA: computer.domain.com\Contoso Issuing CA1
[8, PID:5604][03/14/2013 15:14:56] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[8, PID:5604][03/14/2013 15:14:56] :EnrollAMTDevice: Error: Submitting cert request and issuing cert failed
[8, PID:5604][03/14/2013 15:14:56] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollAmtDevice(String certRequest, String template, String hashIdentity, String deviceName, String& provisioning, String& hashProvisioning)
at Microsoft.ConfigurationManagement.Enrollment.AmtEnrollmentService.EnrollAMTDevice(String certRequest, String templateId, String hashIdentity, String deviceName)

Cause

This issue can occur if the properties of the ConfigMgr AMT Web Server Certificate template are not set correctly.

Resolution

On the member server that has Certificate Services installed, open the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

In the properties of the ConfigMgr AMT Web Server Certificate template, click the Subject Name tab, click Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) under the alternative subject name.
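The Subject Name tab writes its choices into the template's msPKI-Certificate-Name-Flag attribute, so the setting can be audited without opening the console. The script below is an added example, not code from the original post or from Microsoft: it reads the attribute for the template named in the post and reports whether each of the three settings from the resolution (subject built from AD, Common name format, UPN not in the alternative name) is in the expected state. The bit values are the documented CT_FLAG_* constants for that attribute.

```powershell
# Added example (not from the original post): audit the Subject Name settings of
# the ConfigMgr AMT Web Server Certificate template against the post's resolution.
Import-Module ActiveDirectory

$templateName = 'ConfigMgr AMT Web Server Certificate'   # display name used in the post

# Bit values of msPKI-Certificate-Name-Flag (documented CT_FLAG_* constants).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001   # "Supply in the request"
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN     = 0x02000000   # UPN included in the alternative subject name
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000   # Subject name format = Common name

$configNC = (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter "(displayName=$templateName)" -Properties 'msPKI-Certificate-Name-Flag'
if (-not $template) { throw "Template '$templateName' not found" }

# AD stores the attribute as a signed 32-bit integer; reinterpret it as unsigned
# so the high bits (0x40000000 and above) can be tested without sign trouble.
$raw   = [int32]$template.'msPKI-Certificate-Name-Flag'
$flags = [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)

function Test-Flag([uint32]$value, [uint32]$bit) {
    return (($value -band $bit) -ne 0)
}

$findings = @()
if (Test-Flag $flags $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
    $findings += 'Subject is supplied in the request; expected "Build from this Active Directory information"'
}
if (-not (Test-Flag $flags $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME)) {
    $findings += 'Subject name format is not "Common name"'
}
if (Test-Flag $flags $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) {
    $findings += 'User principal name (UPN) is still included in the alternative subject name'
}

if ($findings) {
    $findings | ForEach-Object { "MISMATCH: $_" }
    exit 1
}
"Template '$templateName' subject-name settings match the resolution (msPKI-Certificate-Name-Flag = 0x{0:X8})" -f $flags
```

A non-zero exit code makes the check usable from a scheduled job or a build pipeline that validates PKI configuration before a provisioning run.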

More Information

For more information see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority: http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_AMT2008_cm2012

Problem 3: Third attempt fails, this time with a different error: "AMT AD accounts already exists. SMS_AMT_PROXY_COMPONENT"

Symptoms

The provisioning attempt fails with the following error in the SMS_AMT_PROXY_COMPONENT log:

AMT AD accounts already exists. SMS_AMT_PROXY_COMPONENT
*** EN_EnrollmentAdminResetPin @DeviceName = 'ComputerNameiME', @EncSessionKey =

[42000][50000][Microsoft][SQL Server Native Client 11.0][SQL Server]Failed to set enrollment pin. Cannot find matching record. : EN_EnrollmentAdminResetPin SMS_AMT_PROXY_COMPONENT
Error: Failed to reset enrollment record pin! SMS_AMT_PROXY_COMPONENT
Error: Failed to create enrollment record. SMS_AMT_PROXY_COMPONENT

Cause

This issue can occur if you try to reprovision a machine after a failed provisioning attempt and the AMT account (computername$iME) for the AMT-enabled device still exists in the AD OU from the previous attempt.

Resolution

Delete the matching ComputerNameiME account from the OU that you defined in the Out of Band Service Point Properties, and then try to provision again.
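Finding the leftover account by hand is error-prone when many machines failed at once. The script below is an added example, not code from the original post or from Microsoft: given a computer name and the OU configured in the Out of Band Service Point Properties, it lists any AMT computer object for that machine and removes it only after a confirmation prompt. The OU distinguished name and the computer name are placeholders; the name pattern follows the computername$iME accounts shown in the logs above, matched with a wildcard so the exact separator does not matter.

```powershell
# Added example (not from the original post): find and remove a stale AMT
# account left behind by a failed provisioning attempt, so the next attempt
# can create a fresh one.
Import-Module ActiveDirectory

$computerName = 'WKS001'                               # placeholder: the device being reprovisioned
$amtOU        = 'OU=AMT Devices,DC=contoso,DC=com'     # placeholder: OU from Out of Band Service Point Properties

# ConfigMgr names the AMT account after the computer with an "iME" suffix
# (computername$iME in the CA event above); the wildcard tolerates the separator.
$filter = "(&(objectClass=computer)(name=${computerName}*iME))"

$stale = Get-ADObject -SearchBase $amtOU -SearchScope OneLevel -LDAPFilter $filter -Properties whenCreated

if (-not $stale) {
    "No AMT account for $computerName found in $amtOU; provisioning can create a fresh one."
    return
}

foreach ($obj in $stale) {
    "Found stale AMT account {0} (created {1})" -f $obj.DistinguishedName, $obj.whenCreated
}

# -Confirm prompts before each deletion; replace it with -WhatIf to rehearse without changes.
$stale | Remove-ADObject -Confirm
```

Scoping the search to the AMT OU with -SearchScope OneLevel keeps the script from ever touching the real computer account for the device, which lives elsewhere in the directory.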

More Information

Before you start provisioning, you are instructed to create an OU that will contain AMT-based computers and then define this OU in the Out of Band Service Point Properties. During provisioning, ConfigMgr 2012 creates an AMT account for each provisioned computer in this OU.

How to Provision and Configure AMT-Based Computers in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712319.aspx

Problem 4: Fourth attempt at provisioning appears to succeed however now we get an error when opening the OOB Console and trying to connect to this provisioned machine

Symptoms

When you attempt to open the OOB Console to connect to a provisioned machine in ConfigMgr 2012 you receive the following error:

Error connecting with OOB Console = oobconsole.exe application error
The exception unknown software exception (0xe0434352) occurred in the application at location 0x7602b9bc

Cause

This was caused by a corrupt Adminconsole.ui.dat file in the user profile.

Resolution

Delete the Adminconsoleui.dat file in the AppData\Microsoft directory of the currently logged-in user's profile and relaunch the console.

Problem 5: Machines are now all provisioned, we can launch the OOB Console, and power controls and Serial Over LAN work fine, but we are not able to connect to the same machine's internal web server via port 16993 in Internet Explorer. We get a login prompt or a "page cannot be displayed" message.

Symptoms

After you successfully provision a machine in ConfigMgr 2012, you find that you are not able to connect to that machine's internal web server via port 16993 from Internet Explorer, even though the OOB Console in ConfigMgr can connect to it from the same machine.

Cause

A registry setting HAS to be in place on the machine you are initiating the connection FROM for the connection to work inside of Internet Explorer. This is the same as it was for ConfigMgr 2007 Service Pack 1.

Resolution

On the machine you are initiating the connection FROM, create the following registry keys:

For 32-bit computers

1. Click Start, click Run, type regedit and then click OK.

2. In the left pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

3. On the Edit menu, point to New and then click Key.

4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209 and then press ENTER.

5. On the Edit menu, point to New and then click DWORD Value.

6. Type iexplore.exe and then press ENTER.

7. On the Edit menu click Modify.

8. Type 1 in the Value data box and then click OK.

9. Exit Registry Editor.


For 64-bit computers

1. Click Start, click Run, type regedit and then click OK.

2. In the left pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl

3. On the Edit menu, point to New and then click Key.

4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209 and then press ENTER.

5. On the Edit menu, point to New and then click DWORD Value.

6. Type iexplore.exe and then press ENTER.

7. On the Edit menu click Modify.

8. Type 1 in the Value data box and then click OK.

9. Exit Registry Editor.

Now you can connect with IE as well to http://clientname.domain.com:16993
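The FEATURE_INCLUDE_PORT_IN_SPN_KB908209 feature control makes Internet Explorer include the port number in the service principal name it requests a Kerberos ticket for, so that a web server on a non-standard port such as 16993 can authenticate the browser instead of falling back to a credential prompt. The script below is an added example, not code from the original post or from Microsoft: it performs both the 32-bit and 64-bit procedures above in one pass (skipping the WOW6432Node branch on 32-bit Windows, where it does not exist) and then reads the values back. It must be run from an elevated PowerShell prompt on the machine you connect FROM.

```powershell
# Added example (not from the original post): set the IE FeatureControl value
# from the two registry procedures above and verify it. Run elevated on the
# machine that initiates the connection to the AMT web server.
$valueName = 'iexplore.exe'
$featurePaths = @(
    # Native IE (the only key on 32-bit Windows; the 64-bit IE process on 64-bit Windows)
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209',
    # 32-bit IE running on 64-bit Windows reads the WOW6432Node view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
)

foreach ($path in $featurePaths) {
    if ($path -like '*WOW6432Node*' -and -not [Environment]::Is64BitOperatingSystem) {
        continue   # no WOW6432Node hive on 32-bit Windows
    }
    if (-not (Test-Path -Path $path)) {
        # -Force creates any missing intermediate keys as well as the leaf key.
        New-Item -Path $path -Force | Out-Null
    }
    # DWORD iexplore.exe = 1 enables the feature for the IE process, as in steps 5-8 above.
    New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify: every key that exists on this machine should report iexplore.exe = 1.
foreach ($path in $featurePaths) {
    if (Test-Path -Path $path) {
        $current = (Get-ItemProperty -Path $path -Name $valueName).$valueName
        "{0} : {1} = {2}" -f $path, $valueName, $current
    }
}
```

Setting both keys on 64-bit Windows covers whichever flavour of iexplore.exe the user launches; the post's 64-bit procedure only creates the WOW6432Node value, which is the one the 32-bit browser reads. Internet Explorer picks the change up on its next start, so close any open browser windows before retrying the connection.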

More Information

For more information on troubleshooting OOBConsole connectivity please see the following:

Troubleshooting OOBConsole connectivity after an Intel vPro enabled device has been successfully provisioned in ConfigMgr 2007: http://blogs.technet.com/b/oob/archive/2011/02/17/troubleshooting-oobconsole-connectivity-after-an-intel-vpro-enabled-device-has-been-successfully-provisioned-in-configmgr-2007.aspx

Buz Brodin | Senior Support Escalation Engineer | Microsoft GBS Management and Security Division

  • Buz,

    I'm trying to enroll Macintosh clients in our ConfigMgr 2012 SP1 environment, and I'm getting an error in EnrollmentService.log that's very similar to what you wrote about in Problem 1. The error occurs a few seconds after trying to enroll the cert using the CMEnroll tool in Terminal. The error is:

    [7, PID:7968][05/02/2013 13:43:00] CALayer: SubmitRequest CA: [FQDN of CA]\[CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2

    [7, PID:7968][05/02/2013 13:43:00] Only one CA is specified in profile. Failed to enroll with the specified CA: [FQDN of CA]\[CA]

    [7, PID:7968][05/02/2013 13:43:00] EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed

    Have you come across this on any Macs? Thanks.

  • Hi Buz, when we try provisioning we're getting

    Failed to send TLS client hello message to server with errorcode=0x2749. Any suggestions where to look?