Solved

Certificate Authority Server and Webserver

Posted on 2017-09-07
Low Priority
51 Views
Last Modified: 2017-09-22
Hi All,

I have configured an Issuing CA and a web server.

Issuing CA roles: Certificate Authority
Web server: Certificate Authority Web Enrollment Service and OCSP

When I try requesting a certificate directly through http://issuingCA/certsrv it is working fine; the certificate can be issued through the web console.

When I try to request using https://webserver/certsrv, everything comes up fine, but when I click Submit on the certificate request it throws the error below.

Error : CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722

It is critical, and it would be really appreciated if anyone can help with this...

[attachment: certsrv.JPG]
Question by: Azarudeen Mohamed
14 Comments

LVL 5
Accepted Solution
by: Indyrb (earned 1000 total points)
ID: 42285190
LVL 1
Author Comment
by: Azarudeen Mohamed
ID: 42285226
Wow, thanks a lot buddy... I have tried constrained delegation; it is not working... but for me open delegation worked.

Kudos (Y)
LVL 1
Author Comment
by: Azarudeen Mohamed
ID: 42285243
Thanks for your answer, and it worked for http://webserver/certsrv.
I have created an A record (pki.domain.com) pointing to the IP of the webserver.

Now, after delegation, it is working for https://webserver/certsrv,

but it is not working for http://pki.domain.com/certsrv.

Can you please advise?
LVL 5
Expert Comment
by: Indyrb
ID: 42285250
Same error?
Same steps?
LVL 5
Expert Comment
by: Indyrb
ID: 42285254
CNAME or A record? Do you have a reverse record as well?
LVL 1
Author Comment
by: Azarudeen Mohamed
ID: 42285261
We have created only an A record for this. What can we do to fix this issue?

Can you explain in steps?
LVL 5
Expert Comment
by: Indyrb
ID: 42285270
So pki.domain.local is the same as webserver? Did you check the HTTPS bindings with pki.domain.local?
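The binding question above can be answered mechanically. The following PowerShell is an added example for this thread, not code from the thread or from Microsoft; it runs on the web enrollment server and checks that the alias resolves to this host, that IIS has an HTTPS binding accepting that host name, and that the bound certificate actually names the alias. The alias and site name are placeholders.

```powershell
# Added example (not from the thread). Run on the web enrollment server itself.
# $Alias and $SiteName are placeholders; adapt them to your environment.
Import-Module WebAdministration

$Alias    = 'pki.domain.local'
$SiteName = 'Default Web Site'

function Test-AliasResolution {
    param([string]$Name)
    # Resolve-DnsName also returns the CNAME hop when the alias is a CNAME; keep A answers only
    $answers = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $localIPs = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Name       = $Name
        ResolvesTo = $answers
        PointsHere = [bool]($answers | Where-Object { $localIPs -contains $_ })
    }
}

function Get-HttpsBindingFor {
    param([string]$Name, [string]$Site)
    # bindingInformation is "<ip>:<port>:<host header>"; an empty host header accepts any name
    Get-WebBinding -Name $Site -Protocol https | Where-Object {
        $hostHeader = ($_.bindingInformation -split ':')[2]
        [string]::IsNullOrEmpty($hostHeader) -or $hostHeader -eq $Name
    }
}

function Test-BindingCertificate {
    param($Binding, [string]$Name)
    # The binding stores only the thumbprint; look the certificate up in the machine store
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Binding.certificateHash }
    $names = @($cert.DnsNameList.Unicode)     # subject CN plus SAN dNSName entries
    [pscustomobject]@{
        Binding     = $Binding.bindingInformation
        Thumbprint  = $Binding.certificateHash
        NamesOnCert = $names
        CoversAlias = [bool]($names | Where-Object { $Name -like $_ })   # -like also handles wildcard names
        Expires     = $cert.NotAfter
    }
}

Test-AliasResolution -Name $Alias
$bindings = @(Get-HttpsBindingFor -Name $Alias -Site $SiteName)
if (-not $bindings) { Write-Warning "No HTTPS binding on '$SiteName' accepts host name $Alias" }
foreach ($b in $bindings) { Test-BindingCertificate -Binding $b -Name $Alias }
```

A binding or certificate mismatch shows up as the page not loading at all, not as a failure on Submit. The host name in the URL matters for another reason too: it is what the client uses to build the HTTP/<name> SPN for Kerberos, so an alias only works for delegation when the IIS identity carries SPNs for that alias, which the later comments in this thread cover.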
LVL 1
Author Comment
by: Azarudeen Mohamed
ID: 42285276
Yes, pki.domain.local points to the webserver IP, so when I open http://pki.domain.local/certsrv it opens the certificate web console; no issues on that.

But after submitting the request, it shows the same error: "your request failed........"
LVL 5
Expert Comment
by: Indyrb
ID: 42285292
LVL 1
Author Comment
by: Azarudeen Mohamed
ID: 42285316
I have checked that; it seems the issue is the same between us.

Honestly, I don't understand that article completely.

You need to manually set the services in the msDS-AllowedToDelegateTo attribute on the gMSA. You can do this in the ADUC Attribute Editor tab, or with PowerShell. You have to delegate 2 services, HOST and RPCSS, in the form of RPCSS/<The CA Name>. This setting is the same as choosing Kerberos Only on the Delegation tab in ADUC.

    # Constrained delegation from the gMSA to the CA's HOST and RPCSS services (short and FQDN forms)
    Get-ADObject -Filter {Name -eq "<name of your gmsa>"} |
        Set-ADObject -Add @{"msDS-AllowedToDelegateTo" = @("HOST/<netbios of the ca>", "HOST/<fqdn of the ca>", "rpcss/<NetBIOS of the CA>", "rpcss/<fqdn of the ca>")}

You could also try using Open Delegation by changing the userAccountControl value to add the ADS_UF_TRUSTED_FOR_DELEGATION bit (value in hex is 0x00080000), which is the same as checking the "Trust this computer for delegation to any service (Kerberos only)" box for a computer object. The PowerShell to do that is below; in this case, do not set the AllowedToDelegateTo attribute.

    # Open (unconstrained) delegation: set the TRUSTED_FOR_DELEGATION bit on the gMSA
    $Acct = Get-ADObject -Filter {Name -eq "<Name of your gMSA>"} -Properties userAccountControl
    $NewUAC = $Acct.userAccountControl -bor 0x00080000
    Set-ADObject -Identity $Acct -Replace @{"userAccountControl" = $NewUAC}

The next step is to set the SPNs. You need to add several HTTP SPNs:

    # HTTP SPNs for the common DNS name and for each web enrollment server behind it
    Get-ADObject -Filter {Name -eq "<name of your gmsa>"} |
        Set-ADObject -Add @{"servicePrincipalName" = @("HTTP/certrequest", "HTTP/certrequest.contoso.com", "HTTP/server1", "HTTP/server1.contoso.com")}

Add the SPNs for the common DNS name and then SPNs for each of the web enrollment servers that will be accessed through that DNS name. Ensure that these server computer objects do not have HTTP SPNs themselves, or you'll have a duplicate SPN issue.

So where do I need to change these settings?
LVL 5
Expert Comment
by: Indyrb
ID: 42285396
Although a little older, this link might provide more insight:

https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

To create an SPN for a domain user account, you can use the setspn command. The setspn command to create an SPN for a user account named CES for the Certificate Enrollment Web Policy service running on a computer with a fully qualified domain name (FQDN) of cpandl-ces1.cpandl.com in the cpandl.com domain is as follows:

    setspn -s http/cpandl-ces1.cpandl.com cpandl\ces

The specific type of delegation that you should configure depends upon the authentication method selected for the Certificate Enrollment Web Service:

If you selected Windows integrated authentication, then you should configure delegation to Use Kerberos only.
If the service is using client certificate authentication, then you should configure delegation to Use any authentication protocol.

The specific services that you should delegate are the host service and the Remote Procedure Call system service (RPCSS).

To configure delegation, you can access the computer account or domain user account properties (as applicable to your situation) using Active Directory Users and Computers. Right-click the account and then click Properties. On the Delegation tab, configure the settings as described in this section depending upon the situation. For example, if you have configured client certificate authentication and are using a user account named CES to enable delegation to a certification authority with computer account named CPANDL-CA1
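The article quoted in the previous author comment (HTTP SPNs on the IIS identity, msDS-AllowedToDelegateTo for HOST and RPCSS on the CA, the userAccountControl bits) and the TechNet guidance in this comment (setspn, Kerberos only versus any authentication protocol) describe one configuration. The following PowerShell is an added example for this thread, not code from the thread or from either Microsoft article; it verifies and applies that configuration from one place, and also performs the duplicate-SPN check the quoted article warns about. The account name, host names and DNS suffix are placeholders.

```powershell
# Added example (not from the thread or the quoted articles): configure and verify the
# Kerberos prerequisites for running CA Web Enrollment on a server separate from the CA.
# All names below are placeholders; adapt them to your environment.
Import-Module ActiveDirectory

$WebAccount  = 'WEBSERVER$'   # sAMAccountName of the IIS identity: computer account or gMSA
$WebHostName = 'webserver'    # host name of the web enrollment server
$DnsAlias    = 'pki'          # common DNS name clients use (A or CNAME to the web server)
$CaHostName  = 'issuingca'    # host name of the issuing CA
$DnsSuffix   = 'domain.local'

# userAccountControl bits (ADS_USER_FLAG_ENUM values)
$UF_TRUSTED_FOR_DELEGATION         = 0x00080000   # open delegation to any service (Kerberos only)
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # "Use any authentication protocol" (protocol transition)

function Get-RequiredSpns {
    # HTTP SPNs for the alias and for the web server's own name, short and FQDN forms
    @("HTTP/$DnsAlias", "HTTP/$DnsAlias.$DnsSuffix", "HTTP/$WebHostName", "HTTP/$WebHostName.$DnsSuffix")
}

function Get-RequiredDelegationTargets {
    # HOST and RPCSS on the CA, short and FQDN forms, as both quoted articles require
    @("HOST/$CaHostName", "HOST/$CaHostName.$DnsSuffix", "RPCSS/$CaHostName", "RPCSS/$CaHostName.$DnsSuffix")
}

function Get-IisIdentity {
    # Works for computer accounts and gMSAs alike; returns the raw AD object with the attributes we need
    Get-ADObject -LDAPFilter "(sAMAccountName=$WebAccount)" `
        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
}

function Find-DuplicateSpn {
    # Any other object already holding one of the required HTTP SPNs breaks Kerberos for the alias
    param([string[]]$Spns, [string]$OwnerDn)
    foreach ($spn in $Spns) {
        Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
            Where-Object { $_.DistinguishedName -ne $OwnerDn } |
            ForEach-Object { [pscustomobject]@{ Spn = $spn; HeldBy = $_.DistinguishedName } }
    }
}

function Test-EnrollmentDelegation {
    # Read-only check; run it before and after making changes
    $acct = Get-IisIdentity
    if (-not $acct) { throw "Account $WebAccount not found" }
    $uac = [int]$acct.userAccountControl
    [pscustomobject]@{
        Account            = $WebAccount
        MissingSpns        = @(Get-RequiredSpns | Where-Object { $acct.servicePrincipalName -notcontains $_ })
        MissingDelegation  = @(Get-RequiredDelegationTargets | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ })
        OpenDelegation     = [bool]($uac -band $UF_TRUSTED_FOR_DELEGATION)
        ProtocolTransition = [bool]($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        DuplicateSpns      = @(Find-DuplicateSpn -Spns (Get-RequiredSpns) -OwnerDn $acct.DistinguishedName)
    }
}

function Set-EnrollmentDelegation {
    param([switch]$AnyAuthProtocol)   # use for client-certificate auth; omit for Windows integrated auth
    $acct = Get-IisIdentity
    if (-not $acct) { throw "Account $WebAccount not found" }

    $dupes = @(Find-DuplicateSpn -Spns (Get-RequiredSpns) -OwnerDn $acct.DistinguishedName)
    if ($dupes) {
        $dupes | ForEach-Object { Write-Warning "$($_.Spn) is already held by $($_.HeldBy)" }
        throw 'Duplicate SPNs found; remove them from the other object before continuing'
    }

    # Add only the missing HTTP SPNs; existing ones stay
    $missingSpns = @(Get-RequiredSpns | Where-Object { $acct.servicePrincipalName -notcontains $_ })
    if ($missingSpns) { Set-ADObject -Identity $acct -Add @{ servicePrincipalName = [string[]]$missingSpns } }

    # Constrained delegation: set the target list exactly, limited to the CA's HOST and RPCSS
    Set-ADObject -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]](Get-RequiredDelegationTargets) }

    # Clear open delegation so the list above is what applies; "Kerberos only" means no protocol-transition bit
    $uac = [int]$acct.userAccountControl -band (-bnot $UF_TRUSTED_FOR_DELEGATION)
    if ($AnyAuthProtocol) { $uac = $uac -bor $UF_TRUSTED_TO_AUTH_FOR_DELEGATION }
    else                  { $uac = $uac -band (-bnot $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) }
    Set-ADObject -Identity $acct -Replace @{ userAccountControl = $uac }
}

Test-EnrollmentDelegation
```

Which account to target depends on the IIS application pool identity: with ApplicationPoolIdentity or Network Service the web server's computer account is the Kerberos identity, with a gMSA it is the gMSA. Set-EnrollmentDelegation deliberately configures constrained rather than open delegation, since constrained delegation limits what the web server's identity can reach with a client's forwarded credentials to the CA's HOST and RPCSS services; after changing SPNs or delegation, restart IIS so the application pool obtains fresh tickets.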
LVL 1
Author Comment
by: Azarudeen Mohamed
ID: 42304996
After a long check with the network team and firewall team, no ports are blocked...

Now the status is: https://webservername/certsrv is working fine.

https://webserverip/certsrv is not working; the same error. What could be the problem? Can anyone explain, did we miss any steps in DCOM/COM, or an SPN for the IP address?
LVL 5
Expert Comment
by: Indyrb
ID: 42305290
Did you get this working? Did any of the above help?
LVL 1
Author Comment
by: Azarudeen Mohamed
ID: 42305592
Yes, I tried that, but still no luck.
Question has a verified solution.