RPC Server is unavailable requesting a new certificate
Hi All,
I'm trying to request a new Server certificate for a Terminal Server. I use the MMC snap-in and I select "Automatically Enroll and retrieve certificates"; the Server Certificate is available but when I try to enroll I get the error: "Server RPC is unavailable"; an event ID 13 is recorded in the Application Log.
I've only one root enterprise CA on my network, configured on my DC (Windows Server 2008 Datacenter SP2 x64); this is the result of "certutil -dump":
Entry 0: (Local)
Name: `eurecnaone-EURECNADC0-CA'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `EurecnaDC0.eurecnaone.lan\eurecnaone-EURECNADC0-CA'
Exchange Certificate: `'
Signature Certificate: `EurecnaDC0.eurecnaone.lan_eurecnaone-EURECNADC0-CA.crt'
Description: `'
Server: `EurecnaDC0.eurecnaone.lan'
Authority: `eurecnaone-EURECNADC0-CA'
Sanitized Name: `eurecnaone-EURECNADC0-CA'
Short Name: `eurecnaone-EURECNADC0-CA'
Sanitized Short Name: `eurecnaone-EURECNADC0-CA'
Flags: `13'
CertUtil: -dump command completed successfully.
-------------------------------
I can ping the DC from the terminal server using its IP address, name and DNS name. I've tried temporarily disabling the firewall on the DC/CA machine but the problem persists.
Active Directory Certificate Services and Remote Procedure Call services are up and running on the DC/CA machine.
As far as I can see the TS is not the problem; I get the same results from other computers on the domain. I log in using the Domain Administrator account.
Any idea?
Thank you,
SyBI - Sinthetic Business Intelligence
August 5th, 2010 7:14pm
On the client requesting certs, in the event viewer (start -> search
box, type eventvwr and press enter) can you enable the Applications and
Service Logs\Microsoft\Windows\CAPI2\Operational log, try again, and
post any errors that are recorded to the log.
Note that if there is a lot of cert related activity, you may need to
slightly increase the size of the log to ensure that events are not
overwritten.
-- Mike Burr
August 6th, 2010 2:02am
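The log Mike Burr asks for can be enabled and read from PowerShell instead of the Event Viewer GUI. This is an added example, not part of his reply: it enables the CAPI2 Operational log on the requesting client, enlarges it as he suggests, and after the enrollment is retried lists anything above Informational in CAPI2 plus the Application-log event 13 the poster sees. It assumes an elevated PowerShell prompt on a Windows client with `wevtutil.exe` and `Get-WinEvent` available; the 64 MB log size is an arbitrary choice.

```powershell
# Added example (not from the thread): enable the CAPI2 Operational log, retry enrollment,
# then show the errors/warnings recorded. Run elevated on the client that requests the cert.
$log = 'Microsoft-Windows-CAPI2/Operational'

wevtutil.exe sl $log /e:true          # turn the CAPI2 Operational log on
wevtutil.exe sl $log /ms:67108864     # 64 MB (assumed size) so busy machines do not overwrite events

$since = Get-Date
Read-Host 'Now retry the certificate enrollment, then press Enter'

# Event levels: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
# Show only non-informational CAPI2 events written since the attempt.
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Format-List

# The Application-log event 13 from the original post, with its full message text and the
# provider that wrote it (filtered by ID only, so no provider name is assumed here).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 13; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message |
    Format-List
```

If the CAPI2 log stays empty apart from the informational chain the poster later describes, the client-side certificate plumbing is not where the request fails, which points back at the DCOM/RPC path to the CA.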
I've activated that log and tried again: no errors there (refreshed). Just a double sequence of the informational events with IDs 10, 90, 11, 30 (in chronological order from oldest to newest) after each try.
SimoneSyBI - Sinthetic Business Intelligence
August 6th, 2010 5:16am
Hi,
Sometimes event 13 with "Server RPC is unavailable" means "access is denied". A possible cause of this issue is that one of the following objects is not added to the Builtin\Users group:
· NT AUTHORITY\Authenticated Users
· NT AUTHORITY\INTERACTIVE
· Domain Users
In addition, please verify that the DCOM permission is configured correctly on the CA server:
1) On the server, run dcomcnfg.exe.
2) On the Component Services console, navigate to Component Services\Computers\My Computer.
3) Right-click My Computer, select Properties, and verify that Enable Distributed COM on this computer is selected in the Default Properties tab.
4) Click the COM Security tab, click Edit Limits in the Access Permission section and ensure that Everyone and Certificate Service DCOM Access have Local Access and Remote Access permissions.
5) Click Edit Limits in the Launch and Activation Permission section and ensure that the Certificate Service DCOM Access group has Local Activation and Remote Activation permissions.
6) Click OK.
7) Under My Computer, navigate to DCOM Config\CertSrv Request.
8) Right-click CertSrv Request, select Properties, and verify that Authentication Level is set to Default and grayed out in the General tab.
9) Select the Security tab, and check that everything is disabled (grayed out).
If you correct the settings above, please restart the CA service to check if the issue can be resolved.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 6th, 2010 8:43am
Certificate Service DCOM Access was not present in COM Security/Edit Limits/Access Permissions or in Launch and Activation Permissions. There was an unknown account with similar permissions (we added this new DC in the past and then demoted the original one; maybe this is the reason). I've added Certificate Service DCOM Access to both without deleting the unknown account and applied the suggested permissions. Everything else was fine.
Restarted Active Directory Certificate Services but the enrollment still fails as before. I'm tempted to restart the whole CA machine but I can't do that now.
Thank you,
SimoneSyBI - Sinthetic Business Intelligence
August 6th, 2010 2:35pm
Restarting the whole DC/CA machine didn't work either. Any other suggestion?
Thank you,
SimoneSyBI - Sinthetic Business Intelligence
August 9th, 2010 4:27pm
Hi,
Thanks for the information.
Please also check the following:
1. Please ensure Domain Users & Domain Computers are part of the CERTSVC_DCOM_ACCESS group. Please also add Domain Controllers to the CERTSVC_DCOM_ACCESS group if the terminal server is a domain controller. If the setting is incorrect, please run the following commands after the correction:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
2. Please check whether the following group policy is configured:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL)
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)
August 10th, 2010 10:03am
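The two Microsoft replies above (the dcomcnfg Edit Limits / Builtin\Users checks, and the CERTSVC_DCOM_ACCESS membership and SDDL group-policy checks) can be audited in one pass from PowerShell rather than clicking through Component Services. The script below is an added example and is not from the thread or from Microsoft; it reads the machine-wide DCOM access and launch limits (the SDDL policy value if the group policy is set, otherwise the binary descriptor that dcomcnfg writes), decodes each ACE into the DCOM rights, and flags unresolvable SIDs, which is exactly the "unknown account" the poster found after demoting the old DC. It assumes PowerShell 5.1 or later on the CA server, the RSAT ActiveDirectory module when the CA sits on a domain member or DC, the documented registry locations `HKLM\SOFTWARE\Microsoft\Ole` and `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM`, and the documented COM_RIGHTS_* mask bits (1, 2, 4, 8, 16).

```powershell
# Added example (not from the thread): audit the DCOM and group settings the replies ask about.
# Run from an elevated PowerShell prompt on the CA server. Assumes PowerShell 5.1+ and, for the
# CERTSVC_DCOM_ACCESS check on a domain-joined CA, the RSAT ActiveDirectory module.
$ErrorActionPreference = 'Stop'
$domain = $env:USERDOMAIN

# Resolve local group members through the WinNT provider (works for built-in and local groups).
function Get-LocalGroupMemberPath {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'     # WinNT://DOM/Name -> DOM\Name
    }
}

# 1. Builtin\Users must contain the three principals the first reply lists.
$usersMembers = Get-LocalGroupMemberPath 'Users'
foreach ($required in 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE', "$domain\Domain Users") {
    $state = if ($usersMembers -contains $required) { 'OK' } else { 'MISSING' }
    "Builtin\Users contains $required : $state"
}

# 2. DCOM enabled at all (dcomcnfg: Enable Distributed COM on this computer).
$enableDcom = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').EnableDCOM
"EnableDCOM = $enableDcom (expected Y)"

# 3. Machine-wide DCOM limits: group policy SDDL overrides the local dcomcnfg Edit Limits.
$comRights = @{ 1 = 'Execute'; 2 = 'LocalAccess'; 4 = 'RemoteAccess'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function Get-DcomLimit {
    param([ValidateSet('MachineAccessRestriction', 'MachineLaunchRestriction')][string]$Name)
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue
    if ($policy -and $policy.$Name) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($policy.$Name)   # SDDL string
        $source = 'group policy (SDDL)'
    } else {
        $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).$Name
        if (-not $bytes) { return }                                                            # no limits set
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)       # binary SD
        $source = 'local (dcomcnfg Edit Limits)'
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $principal = "UNRESOLVED $sid"                       # orphaned SID, e.g. from a demoted DC
        try { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Limit     = $Name
            Source    = $source
            Type      = $ace.AceType
            Principal = $principal
            Rights    = ($comRights.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } |
                         ForEach-Object { $comRights[$_] }) -join ','
        }
    }
}

$limits = @(Get-DcomLimit 'MachineAccessRestriction') + @(Get-DcomLimit 'MachineLaunchRestriction')
$limits | Format-Table -AutoSize

# The first reply expects Certificate Service DCOM Access to be allowed in both limits.
foreach ($limitName in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $hit = $limits | Where-Object { $_.Limit -eq $limitName -and $_.Type -eq 'AccessAllowed' -and
                                    $_.Principal -like '*Certificate Service DCOM Access' }
    if (-not $hit) { "WARNING: Certificate Service DCOM Access is not allowed in $limitName" }
}
$limits | Where-Object { $_.Principal -like 'UNRESOLVED*' } |
    ForEach-Object { "WARNING: orphaned SID in $($_.Limit): $($_.Principal)" }

# 4. CERTSVC_DCOM_ACCESS membership (second reply): AD group when the CA is on a DC/domain member,
#    local group otherwise.
try {
    Import-Module ActiveDirectory
    $dcomMembers = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' | ForEach-Object { "$domain\$($_.SamAccountName)" }
} catch {
    $dcomMembers = Get-LocalGroupMemberPath 'CERTSVC_DCOM_ACCESS'
}
foreach ($required in "$domain\Domain Users", "$domain\Domain Computers") {
    $state = if ($dcomMembers -contains $required) { 'OK' } else { 'MISSING' }
    "CERTSVC_DCOM_ACCESS contains $required : $state"
}
# After changing group membership, the reply's follow-up is:
#   certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG ; net stop certsvc ; net start certsvc
```

The script only reports; it changes nothing. Reading the raw security descriptor rather than trusting the dcomcnfg dialog matters here because an orphaned SID shows up in the dialog as an unnamed entry with whatever rights it had, while the group the CA actually checks (Certificate Service DCOM Access) can be missing entirely, which is the state the poster reported.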
Hi,
Any update?
Please let us know if you need further assistance.
Thanks.
August 17th, 2010 8:36am
I had to remove and re-install the CA. Restoring from backup didn't work either.
Thank you,
SimoneSyBI - Sinthetic Business Intelligence
August 31st, 2010 7:02pm