ts_nemits
Windows 2008 R2 Certificate Authority Enroll error
I have set up a certificate authority on a Windows 2008 R2 server.
When I try to manually enroll a computer certificate for a workstation (Windows 7), I get an error saying "The RPC server is unavailable". In Event Viewer I get 3 entries (2 informational and 1 error):
Certificate enrollment for Local system is successfully authenticated by policy server {6081C72C-1312-4AE5-95AD-F46C744D23C6}
Certificate enrollment for Local system successfully load policy from policy server {6081C72C-1312-4AE5-95AD-F46C744D23C6}
Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from nemapps.nemits.dk\NEMITS-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
But then I try to enroll, from the same workstation, a user certificate. This works just fine. This suggests that this is not a problem connecting to the RPC on the CA, but a permissions problem. I have no idea where this is set though.
ASKER
Found the problem. While the guide didn't really give the exact answer, I found that there were no users in the "Distributed COM Users" group on the CA server. Don't know why users could request certificates, and not computers. But after adding Authenticated Users, all was fine.
Permissions for the template are set in the Certificate Templates mmc (certtmpl.msc - you should be able to open this from your workstation). The requester (e.g. the workstation / DOMAIN\Domain Computers) should have at least Read and Enroll permissions, and Autoenroll if desired.
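
A check for the condition the asker found, as an added example that is not part of the original thread: it lists the members of the "Distributed COM Users" group on the CA server and then pings the CA's enrollment interface. The function name `Get-LocalGroupMemberPath` is hypothetical, and the CA config string is the one shown in the failed event above.

```powershell
# Added example. Part 1 runs in an elevated PowerShell session on the CA server.
# It uses ADSI so that it also works with PowerShell 2.0 on Windows Server 2008 R2.

function Get-LocalGroupMemberPath {
    param(
        [string]$GroupName,
        [string]$Computer = $env:COMPUTERNAME
    )
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # Members() returns COM objects; read each ADsPath through reflection.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$members = @(Get-LocalGroupMemberPath -GroupName 'Distributed COM Users')
if ($members.Count -eq 0) {
    # This is the state the asker reported before the fix.
    Write-Warning "'Distributed COM Users' has no members on $env:COMPUTERNAME"
} else {
    $members | ForEach-Object { "member: $_" }
}

# Part 2 runs on the workstation: ask the CA's DCOM/RPC interface to respond.
# Config string format is <CA host>\<CA name>, as in the event log entry.
$caConfig = 'nemapps.nemits.dk\NEMITS-CA'
certutil -config $caConfig -ping
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -ping failed with exit code $LASTEXITCODE"
}
# Note: the ping runs as the logged-on user. In this thread user enrollment
# worked while the computer account failed, so a successful ping here does
# not rule out a failure for the Local System context.
```

Running the first part before and after a group change shows exactly which principals gained DCOM access on the CA server.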