Issues with certificate enrollment

Hi

I am having a problem with my CA server setup. I am on W2k8r2; I have installed the CA service on one of these servers.

So:

CA box: this is in a datacentre.

testbox: this is a W2k8r2 box.

I have created a GPO for the remote desktop cert to be created from the CA.

I have a DC in the same MS site as my test stand alone server.

Both of these boxes are in the same MS site as each other, but different to the CA box.

All 3 boxes are in different subnets.

When I log in to both test servers (via RDP):

I start MMC and attach the Certificates snap-in for the local PC and for the current user.

On the DC machine I try to create a domain controller cert. This fails, saying RPC unavailable.

On the non-DC box I try to create a remote desktop cert on the local PC account and it says RPC unavailable.

But when I try to create a user cert, under the user section of the snap-in, it works.

So I am stumped.

When I try the domain controller cert creation on a DC in another MS site (different from the 2 mentioned so far) it works.

So I am not sure where I have to look and what permissions I have to change!

July 1st, 2015 10:06am

Are all the computers in the same Active Directory forest? Does nltest /sc_verify:<yourdomain> show a successful connection? Any firewalls (Windows or network) in place? The RPC Unavailable isn't a permissions-related issue; it would be network-connectivity related.
July 6th, 2015 5:02pm

All same forest.

I can't get on the machine for a bit. But I can create certs as myself: with MMC + Certificates for my account I can create a user cert, but when I change the cert module to Local Machine it fails with RPC unavailable.

There has to be something wrong with the permissions.

July 6th, 2015 9:24pm

If it was a permissions issue, then the MMC would get to the list of templates on the CA and show an empty list.

1) Are you using the default DCOM/RPC enrollment policy or is CES/CEP involved here?

2) Which context (user or computer) has the trust of the issuing CA? Is the Issuing CA in the computer context for Trusted Root or Intermediate?

3) What is the output if you run certutil -ds as the computer context?


July 6th, 2015 10:30pm

1) I am not sure

2) I am not sure of the answer

3) Not sure how to put it in computer context.

So if I start MMC

and add in Certificates, one for user (A) and one for local computer (B):

I can see certificates under A and I can enroll in those, user, admin, etc

I can see different certs under B, but I can't enroll in any of these; it says RPC unavailable.

status: failed

What I see in the event log:

Certificate enrollment for Local system failed to enroll for a RemoteDesktopComputer certificate with request ID N/A from ybintra3.yieldbroker.com\yieldbroker-YBINTRA3-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

C:\Users\alexander.samad>certutil -ping -config ybintra3.yieldbroker.com\yieldbroker-YBINTRA3-CA
Connecting to ybintra3.yieldbroker.com\yieldbroker-YBINTRA3-CA ...
Server "yieldbroker-YBINTRA3-CA" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

I have checked the permissions as in this post; I had to update builtin\users.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f3de8600-cf4e-4a39-a42e-7f929e1b8d6d/certificate-enrollment-the-rpc-server-is-unavailable


July 14th, 2015 1:11am


Let's get some debug logs on this. Run the following command:

certutil -setreg ENROLL\Debug 0xffffffe3

Attempt the enrollment as the computer object again and then post the results of the enrollment from the %windir%\certenroll.log file.

Once you have done that, you can turn off debug logging with:

certutil -delreg ENROLL\Debug

July 14th, 2015 1:30pm
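An added example, not code posted by anyone in this thread: a PowerShell script that strings together the checks the replies suggest (RPC reachability and nltest from the first reply, certutil -ping from the poster's own output, and the ENROLL\Debug trace around one machine-context enrollment from the reply above). The CA name, config string and template name are the ones quoted from the event log earlier in the thread; the Test-TcpPort helper and the 3-second timeout are this example's own.

```powershell
# Added example for this thread (not code posted by any participant): wraps
# the checks the replies suggest for a machine-context enrollment that fails
# with "The RPC server is unavailable" (0x800706ba). Run in an elevated
# PowerShell on the failing client. CA name/config and template are taken
# from the event-log line quoted in the thread; change them for another environment.
param(
    [string]$CaHost   = 'ybintra3.yieldbroker.com',
    [string]$CaConfig = 'ybintra3.yieldbroker.com\yieldbroker-YBINTRA3-CA',
    [string]$Template = 'RemoteDesktopComputer'
)

# 1) RPC endpoint mapper reachability. Machine-context enrollment uses DCOM to
#    the CA (TCP 135, then a dynamic high port); a firewall between subnets
#    shows up as 0x800706ba rather than as a permissions error. TcpClient is
#    used so this also runs on Server 2008 R2, which lacks Test-NetConnection.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
Write-Host ("TCP 135 to {0}: {1}" -f $CaHost, (Test-TcpPort $CaHost 135))

# 2) Secure channel to a DC (the first reply's nltest check).
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
nltest "/sc_verify:$domain"

# 3) DCOM ping of the CA; the thread shows this succeeding from the user
#    context, so a failure only from the elevated context would be telling.
certutil -ping -config $CaConfig

# 4) Enrollment debug trace around one machine-context attempt (the reply
#    above), then the trace is switched off again.
certutil -setreg ENROLL\Debug 0xffffffe3
certreq -enroll -machine -q $Template   # -machine: Local Computer store, -q: no UI
$log = Join-Path $env:windir 'certenroll.log'
if (Test-Path $log) {
    Get-Content $log | Select-String -Pattern '0x800706ba|RPC|ERROR'
}
certutil -delreg ENROLL\Debug
```

Step 4 runs under the elevated administrator's token, the same way the Certificates (Local Computer) snap-in did in the thread; it is not a true SYSTEM context.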

Hi

Sorry for the long delay, lots of other stuff going on.

Well, I went to gather the information and now it's working! I tried from a few machines and first off, bang, it works for the computer local account and for my personal account.

So I am not sure what I have done, apart from patching and rebooting ...

Thanks for your effort anyway.

July 22nd, 2015 1:12am
