RPC Server is unavailable requesting a new certificate
Hi All, I'm trying to request a new Server certificate for a Terminal Server. I use the MMC snap-in and I select "Automatically Enroll and Retrieve Certificates"; the Server Certificate is available, but when I try to enroll I get the error "Server RPC is unavailable"; an event ID 13 is recorded in the Application Log.

I've only one root enterprise CA on my network, configured on my DC (Windows Server 2008 Datacenter SP2 x64); this is the result of "certutil -dump":

    Entry 0: (Local)
      Name:                   `eurecnaone-EURECNADC0-CA'
      Organizational Unit:    `'
      Organization:           `'
      Locality:               `'
      State:                  `'
      Country/region:         `'
      Config:                 `EurecnaDC0.eurecnaone.lan\eurecnaone-EURECNADC0-CA'
      Exchange Certificate:   `'
      Signature Certificate:  `EurecnaDC0.eurecnaone.lan_eurecnaone-EURECNADC0-CA.crt'
      Description:            `'
      Server:                 `EurecnaDC0.eurecnaone.lan'
      Authority:              `eurecnaone-EURECNADC0-CA'
      Sanitized Name:         `eurecnaone-EURECNADC0-CA'
      Short Name:             `eurecnaone-EURECNADC0-CA'
      Sanitized Short Name:   `eurecnaone-EURECNADC0-CA'
      Flags:                  `13'
    CertUtil: -dump command completed successfully.

I can ping the DC from the terminal server using its IP address, name and DNS name. I've tried to temporarily disable the firewall on the DC/CA machine but the problem persists. Active Directory Certificate Services and Remote Procedure Call services are up and running on the DC/CA machine. As far as I can see the TS is not the problem; I get the same results from other computers on the domain. I log in using the Domain Administrator account.

Any idea? Thank you, SyBI - Sinthetic Business Intelligence
August 5th, 2010 7:14pm

On the client requesting certs, in the event viewer (start -> search box, type eventvwr and press enter) can you enable the Applications and Service Logs\Microsoft\Windows\CAPI2\Operational log, try again, and post any errors that are recorded to the log. Note that if there is a lot of cert related activity, you may need to slightly increase the size of the log to ensure that events are not overwritten. -- Mike Burr
August 6th, 2010 2:02am
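The CAPI2 log step above, as an added example that is not part of the original thread: it enables and enlarges the Microsoft-Windows-CAPI2/Operational channel on the enrolling client, re-runs the enrollment, and reads back every CAPI2 event since the retry in chronological order. The 16 MB log size and the use of certreq -enroll with a template called "WebServer" are assumptions (the poster enrolled through the MMC); substitute the real template name.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# client that fails to enroll. Assumptions: 16 MB is enough log space for one
# retry, and 'WebServer' stands in for the template actually being requested.

$log = 'Microsoft-Windows-CAPI2/Operational'

# wevtutil is the documented way to enable an operational/analytic channel
# and to raise its size so events are not overwritten during the retry.
wevtutil set-log $log /enabled:true /maxsize:16777216
wevtutil clear-log $log

$start = Get-Date

# Retry the enrollment from the command line (machine context, quiet).
# Replace 'WebServer' with the template the MMC was trying to enroll.
certreq -enroll -machine -q 'WebServer'

# Everything CAPI2 recorded since the retry, oldest first. The poster saw the
# informational sequence 10, 90, 11, 30; any Error/Warning is what to post.
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Errors and warnings only, as full XML: CAPI2 keeps the useful detail
# (result codes, the CA/RPC target, the thread correlation) in the payload,
# not in the one-line message.
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start; Level = 1, 2, 3 } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() }
```

Leave the channel disabled again afterwards (`wevtutil set-log $log /enabled:false`) on a busy server; CAPI2 logs every chain build on the box and fills up quickly.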

I've activated that log and tried again; no errors there (refreshed). Just a double sequence of the informational events with IDs 10, 90, 11, 30 (in chronological order from oldest to newest) after each try. Simone SyBI - Sinthetic Business Intelligence
August 6th, 2010 5:16am

Hi,

Sometimes event 13 with "Server RPC is unavailable" means "access is denied". A possible cause of this issue is that one of the following objects is not added to the Builtin\Users group:
· NT AUTHORITY\Authenticated Users
· NT AUTHORITY\INTERACTIVE
· Domain Users

In addition, please verify that the DCOM permission is configured correctly on the CA server:
1) On the server, run dcomcnfg.exe.
2) On the Component Services console, navigate to Component Services\Computers\My Computer.
3) Right-click My Computer, select Properties, and verify that "Enable Distributed COM on this computer" is selected in the Default Properties tab.
4) Click the COM Security tab, click Edit Limits in the Access Permission section and ensure that Everyone and Certificate Service DCOM Access have Local Access and Remote Access permissions.
5) Click Edit Limits in the Launch and Activation Permission section and ensure that the Certificate Service DCOM Access group has Local Activation and Remote Activation permissions.
6) Click OK.
7) Under My Computer, navigate to DCOM Config\CertSrv Request.
8) Right-click CertSrv Request, select Properties, and verify that Authentication Level is set to Default and grayed out in the General tab.
9) Select the Security tab, and check that everything is disabled (grayed out).

If you correct the settings above, please restart the CA service to check whether the issue is resolved.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 6th, 2010 8:43am

Certificate Service DCOM Access was not present in COM Security/Edit Limits/Access Permissions or in Launch and Activation Permissions. There was an unknown account with similar permissions (we added this new DC in the past and then demoted the original one; maybe this is the reason).
I've added Certificate Service DCOM Access to both without deleting the unknown account and applied the suggested permissions. Everything else was fine. Restarted Active Directory Certificate Services, but enrolling still fails as before. I'm tempted to restart the whole CA machine but I can't do that now. Thank you, Simone SyBI - Sinthetic Business Intelligence
August 6th, 2010 2:35pm

Restarting the whole DC/CA machine didn't work either. Any other suggestion? Thank you, Simone SyBI - Sinthetic Business Intelligence
August 9th, 2010 4:27pm

Hi,

Thanks for the information. Please also check the following:

1. Please ensure Domain Users and Domain Computers are part of the CERTSVC_DCOM_ACCESS group. Please also add Domain Controllers to the CERTSVC_DCOM_ACCESS group if the terminal server is a domain controller. If the setting is incorrect, please run the following commands after the correction:
   certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
   net stop certsvc
   net start certsvc

2. Please check whether the following group policies are configured:
   Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
   DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL)
   DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)
August 10th, 2010 10:03am
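The two replies above describe one diagnostic procedure on the CA: confirm who is in the Certificate Service DCOM Access (CERTSVC_DCOM_ACCESS) group, confirm DCOM is enabled, and confirm the machine-wide access and launch limits (whether set locally through dcomcnfg or enforced by the two DCOM group policies) actually grant that group anything. The script below is an added example, not code from the thread or from Microsoft; it checks all of that in one pass from an elevated prompt on the CA. The expected member list (Domain Users, Domain Computers) follows the advice above and is an assumption for your environment; group and registry names are the documented ones. The orphaned "unknown account" the poster found would show up here as a bare SID in the SDDL output.

```powershell
# Added example (not from the thread). Run elevated on the CA/DC.
# Assumptions: the group should contain 'Domain Users' and 'Domain Computers'
# (add 'Domain Controllers' if a DC enrolls); everything else is as documented.

$groupName = 'Certificate Service DCOM Access'
$expected  = @('Domain Users', 'Domain Computers')

# 1. Group membership through the WinNT ADSI provider. On a DC the "local"
#    groups are the domain's Builtin groups, so this works without the AD module.
$group   = [ADSI]"WinNT://./$groupName,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
"Members of '$groupName': $($members -join ', ')"
foreach ($m in $expected) {
    if ($members -notcontains $m) { Write-Warning "'$m' is NOT a member of '$groupName'" }
}

# 2. Is DCOM enabled at all? (dcomcnfg's "Enable Distributed COM" checkbox)
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
if ($ole.EnableDCOM -ne 'Y') { Write-Warning "EnableDCOM is '$($ole.EnableDCOM)', expected 'Y'" }

# 3. Machine access/launch limits. dcomcnfg "Edit Limits" stores a binary
#    security descriptor under HKLM\SOFTWARE\Microsoft\Ole; the two GPO
#    settings (DCOM: Machine Access/Launch Restrictions) store an SDDL string
#    under Policies and override the local value. Resolve the group's SID and
#    check that it appears in whichever descriptor is in force.
$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-LimitSddl([string]$name) {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue
    if ($pol -and $pol.$name) { return @{ Source = 'GPO'; Sddl = $pol.$name } }
    $raw = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).$name
    if ($raw) {
        # binary form -> SDDL, so the ACEs (and any orphaned SIDs) are readable
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
        return @{ Source = 'local'; Sddl = $sd.GetSddlForm('All') }
    }
    return @{ Source = 'none (DCOM default)'; Sddl = $null }
}

foreach ($limit in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $r = Get-LimitSddl $limit
    "$limit [$($r.Source)]: $($r.Sddl)"
    if ($r.Sddl -and $r.Sddl -notmatch [regex]::Escape($sid)) {
        Write-Warning "$limit grants nothing to '$groupName' ($sid)"
    }
}

# 4. After correcting any of the above, make certsvc re-apply its DCOM
#    security on the next start (the commands given in the reply above):
#    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
#    net stop certsvc
#    net start certsvc
```

If a limit comes back with source "GPO", fixing it in dcomcnfg is pointless: the policy rewrites it at the next refresh, so the SDDL has to be corrected in the GPO (or the setting removed) instead.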

Hi, Any update? Please let us know if you need further assistance. Thanks.
August 17th, 2010 8:36am

Had to remove and re-install the CA. Restoring from backup didn't work either. Thank you, Simone SyBI - Sinthetic Business Intelligence
August 31st, 2010 7:02pm
