Certificate Authority Server and Webserver

Hi All,

I have configured an Issuing CA and a Web server.

Issuing CA: roles (Certification Authority)
Web server: roles (Certification Authority Web Enrollment and OCSP)

When I try requesting a certificate directly through http://issuingCA/certsrv, it is working fine; the certificate can be issued through the web console.

When I try requesting through https://webserver/certsrv, everything comes up, but finally, when I click Submit on the certificate request, it throws the error below.

Error: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

It is critical, and it would be really appreciated if anyone can help with this.

Asked by: Azarudeen Mohamed
1 Solution
Indyrb commented:

Azarudeen Mohamed (System Engineer, Author) commented:
Wow, thanks a lot, buddy. I have tried constrained delegation and it is not working, but for me open delegation worked.

Kudos (Y)

Azarudeen Mohamed (System Engineer, Author) commented:
Thanks for your answer; it worked for http://webserver/certsrv.
I have created an A record (pki.domain.com) pointing to the IP of the web server.

Now, after delegation, it is working for https://webserver/certsrv,

but it is not working for http://pki.domain.com/certsrv.

Can you please advise?

Indyrb commented:
Same error?
Same steps?

Indyrb commented:
CNAME or A record? Do you have a reverse record as well?

Azarudeen Mohamed (System Engineer, Author) commented:
We have created only an A record for this. What can we do to fix this issue?

Can you explain it in steps?

Indyrb commented:
So pki.domain.local is the same as the web server? Did you check the HTTPS bindings with pki.domain.local?

Azarudeen Mohamed (System Engineer, Author) commented:
Yes, pki.domain.local points to the web server IP, so http://pki.domain.local/certsrv opens the certificate web console; no issues with that.

But after submitting the request, it shows the same error: "Your request failed........"

Azarudeen Mohamed (System Engineer, Author) commented:
I have checked that; it seems the issue is the same as ours.

Honestly, I don't understand that article completely.

"You need to manually set the services in the msDS-AllowedToDelegateTo attribute on the gMSA. You can do this in the ADUC Attribute Editor tab, or with PowerShell. You have to delegate 2 services, HOST and RPCSS, in the form of RPCSS/<The CA Name>. This setting is the same as choosing Kerberos Only on the Delegation tab in ADUC.

    Import-Module ActiveDirectory
    # Constrained delegation (Kerberos only): HOST and RPCSS on the CA, by NetBIOS name and by FQDN
    Get-ADObject -Filter {Name -eq "<name of your gmsa>"} |
        Set-ADObject -Add @{"msDS-AllowedToDelegateTo" = @("HOST/<netbios of the ca>", "HOST/<fqdn of the ca>", "rpcss/<NetBIOS of the CA>", "rpcss/<fqdn of the ca>")}

You could also try using Open Delegation by changing the userAccountControl value to add the ADS_UF_TRUSTED_FOR_DELEGATION bit (value in hex is 0x00080000), which is the same as checking the "Trust this computer for delegation to any service (Kerberos only)" box for a computer object. The PowerShell to do that is below; in this case, do not set the AllowedToDelegateTo attribute.

    # Unconstrained delegation: OR the ADS_UF_TRUSTED_FOR_DELEGATION bit (0x80000) into userAccountControl
    $Acct = Get-ADObject -Filter {Name -eq "<Name of your gMSA>"} -Properties userAccountControl
    $NewUAC = $Acct.userAccountControl -bor 0x00080000
    Set-ADObject -Identity $Acct -Replace @{"userAccountControl" = $NewUAC}

The next step is to set the SPNs. You need to add several HTTP SPNs:

    # HTTP SPNs for the shared DNS name and for each web enrollment server behind it
    Get-ADObject -Filter {Name -eq "<name of your gmsa>"} |
        Set-ADObject -Add @{"servicePrincipalName" = @("HTTP/certrequest", "HTTP/certrequest.contoso.com", "HTTP/server1", "HTTP/server1.contoso.com")}

Add the SPNs for the common DNS name and then SPNs for each of the web enrollment servers that will be accessed through that DNS name. Ensure that these server computer objects do not have HTTP SPNs themselves, or you'll have a duplicate SPN issue."

So where do I need to change these settings?

Indyrb commented:
Although a little older, this link might provide more insight:

https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

"To create an SPN for a domain user account, you can use the setspn command. The setspn command to create an SPN for a user account named CES for the Certificate Enrollment Web Policy service running on a computer with a fully qualified domain name (FQDN) of cpandl-ces1.cpandl.com in the cpandl.com domain is as follows:

    setspn -s http/cpandl-ces1.cpandl.com cpandl\ces

The specific type of delegation that you should configure depends upon the authentication method selected for the Certificate Enrollment Web Service:

If you selected Windows integrated authentication, then you should configure delegation to Use Kerberos only.
If the service is using client certificate authentication, then you should configure delegation to Use any authentication protocol.
The specific services that you should delegate are the host service and the Remote Procedure Call system service (RPCSS).

To configure delegation, you can access the computer account or domain user account properties (as applicable to your situation) using Active Directory Users and Computers. Right-click the account and then click Properties. On the Delegation tab, configure the settings as described in this section depending upon the situation. For example, if you have configured client certificate authentication and are using a user account named CES to enable delegation to a certification authority with computer account named CPANDL-CA1"
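The two quoted articles above describe the same fix from different angles (SPNs for the name the browser uses, then constrained delegation of HOST and RPCSS to the CA). The script below is an added example written for this thread; it is not from the original posts, from the Microsoft blog or from the TechNet wiki. It assumes a web enrollment server WEBSRV01, an issuing CA ISSUINGCA01, the domain corp.example.com and an A record pki.corp.example.com for the alias; it also assumes the /certsrv application pool runs under its default identity, so Kerberos tickets are decrypted with the web server's machine account (for a custom service account or gMSA, apply the same SPNs and delegation to that account instead, as the quoted blog does).

```powershell
# Added example (not part of the original thread or the quoted Microsoft articles).
# Run on a domain-joined workstation with RSAT (ActiveDirectory module) as a Domain Admin.
# Assumed names: WEBSRV01 (web enrollment), ISSUINGCA01 (issuing CA), corp.example.com,
# alias pki.corp.example.com published as an A record.
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'
$WebServer = 'WEBSRV01'
$IssuingCA = 'ISSUINGCA01'
$Alias     = 'pki'

$CaFqdn    = "$IssuingCA.$Domain"
$AliasFqdn = "$Alias.$Domain"

# 1. Refuse to continue if another account already holds the alias SPN. A duplicate SPN leaves
#    the KDC unable to choose a key, the browser silently falls back to NTLM, and NTLM cannot be
#    delegated to the CA, which surfaces as exactly the failure at Submit time.
$holder = Get-ADObject -Filter "servicePrincipalName -eq 'HTTP/$AliasFqdn'"
if ($holder -and $holder.Name -ne $WebServer) {
    throw "HTTP/$AliasFqdn is already registered on $($holder.DistinguishedName)"
}

# 2. HTTP SPNs for the alias on the web server's computer account. HOST/WEBSRV01 exists by default
#    and already covers https://webserver/certsrv; the alias needs its own HTTP SPNs.
#    setspn -S checks the forest for duplicates before adding.
setspn -S "HTTP/$AliasFqdn" $WebServer
setspn -S "HTTP/$Alias"     $WebServer

# 3. Constrained delegation, Kerberos only: the web server may present the user's identity only to
#    HOST and RPCSS on the CA. Web enrollment submits the request over DCOM (ICertRequest), so
#    RPCSS is required in addition to HOST.
$targets = @("HOST/$IssuingCA", "HOST/$CaFqdn", "RPCSS/$IssuingCA", "RPCSS/$CaFqdn")
Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

# If the site authenticates users with client certificates rather than Windows integrated
# authentication, the web server also needs protocol transition ("Use any authentication protocol"):
# Set-ADAccountControl -Identity "$WebServer$" -TrustedToAuthForDelegation $true

# 4. Show what AD now holds for the web server: SPNs, delegation targets and the two trust flags.
Get-ADComputer -Identity $WebServer -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
    TrustedForDelegation, TrustedToAuthForDelegation |
  Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ', ' } },
    @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 5. From a client machine: drop cached tickets, then confirm a service ticket for the alias is
#    issued. A ticket here but still "The RPC server is unavailable" at Submit points at the
#    second hop (step 3), not at the browser-to-web-server hop (step 2).
klist purge | Out-Null
klist get "HTTP/$AliasFqdn"
```

Two checks worth doing before blaming firewalls: run `setspn -Q HTTP/<alias>` and confirm exactly one account answers, and look at the ticket `klist` shows after opening the site; if the server name appears only under an NTLM session and no HTTP/ ticket was issued, delegation never had a Kerberos ticket to forward. Opening the site by IP address has the same effect: the client builds no SPN for a bare address, authenticates with NTLM, and the DCOM call to the CA then runs without the user's credentials.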
 
Azarudeen Mohamed (System Engineer, Author) commented:
After a long check with the network team and firewall team, no ports are blocked.

Now the status is: https://webservername/certsrv is working fine.

https://webserverip/certsrv is not working, with the same error. What could be the problem? Can anyone explain? Did we miss any steps in DCOM/COM, or an SPN for the IP address?

Indyrb commented:
Did you get this working? Did any of the above help?

Azarudeen Mohamed (System Engineer, Author) commented:
Yes, I tried that, but still no luck.