• Status: Solved
  • Priority: Low
  • Security: Public
  • Views: 131

Certificate Authority Server and Webserver

Hi All,

I have configured Issuing CA and Web server.

Issuing CA Roles (Certificate Authority)
Web server (Certificate Authority Web enrollment Service and OCSP)

When I try requesting a certificate directly through (http://issuingCA/certsrv), it works fine; the certificate can be issued through the web console.

When I try requesting through (https://webserver/certsrv), everything comes up, but when I click Submit on the certificate request it throws the error below.

Error: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

It is critical and really appreciated if any one can help this...

[attachment: certsrv.JPG]

Asked by Azarudeen Mohamed
1 Solution
 
Indyrb commented:
 
Azarudeen Mohamed (System Engineer, Author) commented:
Wow, thanks a lot buddy... I have tried constrained delegation and it is not working... but for me open delegation worked.

Kudos (Y)
 
Azarudeen Mohamed (System Engineer, Author) commented:
Thanks for your answer; it worked for http://webserver/certsrv.
I have created an A record (pki.domain.com) pointing to the IP of the webserver.

Now, after delegation, it is working for https://webserver/certsrv

but it is not working for http://pki.domain.com/certsrv

Can you please advise?
 
Indyrb commented:
Same error?
Same steps?
 
Indyrb commented:
CNAME or A record? Do you have a reverse record as well?
 
Azarudeen Mohamed (System Engineer, Author) commented:
We have created only an A record for this. What can we do to fix this issue?

Can you explain it in steps?
 
Indyrb commented:
So pki.domain.local is the same as the webserver? Did you check the HTTPS bindings with pki.domain.local?
 
Azarudeen Mohamed (System Engineer, Author) commented:
Yes, pki.domain.local points to the webserver IP. So when I open http://pki.domain.local/certsrv it opens the certificate web console; no issues with that.

But after submitting the request, it shows the same error: "Your request failed........"
 
Azarudeen Mohamed (System Engineer, Author) commented:
I have checked that; it seems the issue is the same as ours.

Honestly, I don't understand that article completely.

You need to manually set the services in the msDS-AllowedToDelegateTo attribute on the gMSA. You can do this in the ADUC attribute editor tab, or with PowerShell. You have to delegate 2 services, HOST and RPCSS, in the form of RPCSS/<The CA Name>. This setting is the same as choosing Kerberos Only on the Delegation tab in ADUC.

# Constrained (Kerberos only) delegation: let the gMSA delegate to HOST and RPCSS on the CA
Get-ADObject -Filter {Name -eq "<name of your gmsa>"} |
Set-ADObject -Add @{"msDS-AllowedToDelegateTo" = @("HOST/<netbios of the ca>", "HOST/<fqdn of the ca>", "rpcss/<NetBIOS of the CA>", "rpcss/<fqdn of the ca>")}

You could also try using Open Delegation by changing the userAccountControl value to add the ADS_UF_TRUSTED_FOR_DELEGATION bit (value in hex is 0x00080000), which is the same as checking the "Trust this computer for delegation to any service (Kerberos only)" box for a computer object. The PowerShell to do that is below; in this case, do not set the AllowedToDelegateTo attribute.

# Open delegation: OR the ADS_UF_TRUSTED_FOR_DELEGATION bit (0x00080000) into userAccountControl
$Acct = Get-ADObject -Filter {Name -eq "<Name of your gMSA>"} -Properties userAccountControl
$NewUAC = $Acct.userAccountControl -bor 0x00080000
Set-ADObject -Identity $Acct -Replace @{"userAccountControl" = $NewUAC}

The next step is to set the SPNs. You need to add several HTTP SPNs:

# Register HTTP SPNs for the shared DNS name and for each web enrollment server behind it
Get-ADObject -Filter {Name -eq "<name of your gmsa>"} |
Set-ADObject -Add @{"servicePrincipalName" = @("HTTP/certrequest", "HTTP/certrequest.contoso.com", "HTTP/server1", "HTTP/server1.contoso.com")}

Add the SPNs for the common DNS name and then SPNs for each of the web enrollment servers that will be accessed through that DNS name. Ensure that these server computer objects do not have HTTP SPNs themselves, or you'll have a duplicate SPN issue.

So where do I need to change these settings?
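The quoted article gives the commands that set delegation but nothing that reads the result back. The script below is an added example (not from this thread or the article) that audits the three settings on the account the web enrollment application pool runs as: the open-delegation bit in userAccountControl, the constrained targets in msDS-AllowedToDelegateTo, and the HTTP SPNs. It then offers the least-privilege fix (adding only the missing constrained targets) as a dry run. The account name gmsa-certweb$, the CA NetBIOS name ISSUINGCA and the FQDN issuingca.domain.local are placeholders; the script needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread or the quoted article. Reads back the
# delegation settings described above for the account that runs the web
# enrollment application pool and reports what is still missing.
# Placeholders (replace for your environment): the account sAMAccountName,
# the CA NetBIOS name and the CA FQDN. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SamAccountName = 'gmsa-certweb$'          # gMSA sAMAccountNames end with '$'
$CaNetbios      = 'ISSUINGCA'
$CaFqdn         = 'issuingca.domain.local'

# userAccountControl bits relevant to delegation
$UF_TRUSTED_FOR_DELEGATION                 = 0x00080000   # "any service (Kerberos only)"
$UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000   # "use any authentication protocol"

$Acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
            -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
if (-not $Acct) { throw "Account '$SamAccountName' not found in AD" }

$uac             = [int]$Acct.userAccountControl
$openDelegation  = ($uac -band $UF_TRUSTED_FOR_DELEGATION) -ne 0
$protocolTransit = ($uac -band $UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) -ne 0

# Constrained delegation needs HOST and RPCSS for both the NetBIOS name and the FQDN of the CA
$Required   = @("HOST/$CaNetbios", "HOST/$CaFqdn", "RPCSS/$CaNetbios", "RPCSS/$CaFqdn")
$Configured = @($Acct.'msDS-AllowedToDelegateTo')
$Missing    = @($Required | Where-Object { $Configured -notcontains $_ })   # -notcontains is case-insensitive

[pscustomobject]@{
    Account                   = $Acct.DistinguishedName
    OpenDelegation            = $openDelegation      # broad: delegate to any service, Kerberos only
    ProtocolTransition        = $protocolTransit     # only needed for client-certificate authentication
    ConstrainedTargets        = $Configured -join ', '
    MissingConstrainedTargets = $Missing -join ', '
    HttpSpns                  = (@($Acct.servicePrincipalName) | Where-Object { $_ -like 'HTTP/*' }) -join ', '
} | Format-List

# Prefer the least-privilege option: add only the constrained targets that are missing.
# -WhatIf shows the change without applying it; drop it once the output looks right.
if ($Missing.Count -gt 0 -and -not $openDelegation) {
    Set-ADObject -Identity $Acct -Add @{ 'msDS-AllowedToDelegateTo' = $Missing } -WhatIf
}
```

If OpenDelegation comes back True, the account can already obtain tickets to any service on behalf of the user, which is why it "just works" in the thread; constrained delegation limits that to HOST and RPCSS on the CA and is the setting to keep once the missing targets are filled in. Run it against the gMSA, not the web server's computer object, unless the application pool really runs as the computer account.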
 
Indyrb commented:
Although a little older, this link might provide more insight:

https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

To create an SPN for a domain user account, you can use the setspn command. The setspn command to create an SPN for a user account named CES for the Certificate Enrollment Web Policy service running on a computer with a fully qualified domain name (FQDN) of cpandl-ces1.cpandl.com in the cpandl.com domain is as follows:

setspn -s http/cpandl-ces1.cpandl.com cpandl\ces

The specific type of delegation that you should configure depends upon the authentication method selected for the Certificate Enrollment Web Service:

  • If you selected Windows integrated authentication, then you should configure delegation to Use Kerberos only.
  • If the service is using client certificate authentication, then you should configure delegation to Use any authentication protocol.

The specific services that you should delegate are the host service and the Remote Procedure Call system service (RPCSS).

To configure delegation, you can access the computer account or domain user account properties (as applicable to your situation) using Active Directory Users and Computers. Right-click the account and then click Properties. On the Delegation tab, configure the settings as described in this section depending upon the situation. For example, if you have configured client certificate authentication and are using a user account named CES to enable delegation to a certification authority with computer account named CPANDL-CA1
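Both the article quoted earlier in the thread (register HTTP SPNs for the shared DNS name and for each enrollment server, and make sure the server computer objects do not also hold them) and the setspn step above assume you can see who holds which SPN. The script below is an added example (not from this thread or the linked TechNet article) that searches the domain for every object holding HTTP/<name> for each name clients will use and flags missing and duplicate registrations. The names in $Names are placeholders; the script needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread or the linked TechNet article. Shows which
# AD objects hold the HTTP SPNs for the names clients will use, so a missing or
# duplicate SPN is caught before (or after) running setspn.
# Placeholders: the names in $Names. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The shared DNS name clients use, plus each web enrollment server behind it.
# An IP address has no entry here: Kerberos builds the SPN from the host name,
# so a request addressed to a bare IP literal negotiates NTLM and cannot be delegated.
$Names = @('pki.domain.local', 'webserver', 'webserver.domain.local')

function Get-HttpSpnState {
    param([string]$HostName)
    $spn = "HTTP/$HostName"
    # Every object in the domain holding this SPN; servicePrincipalName matching is case-insensitive
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $state = switch ($holders.Count) {
        0       { 'MISSING: unless the app pool runs as the computer account (covered by HOST/), Kerberos to this name falls back to NTLM' }
        1       { 'OK' }
        default { 'DUPLICATE: ticket requests for this SPN fail and the KDC logs event ID 11; remove the extra registration first' }
    }
    [pscustomobject]@{
        SPN     = $spn
        Holders = ($holders | ForEach-Object { "$($_.sAMAccountName) ($($_.ObjectClass))" }) -join ', '
        State   = $state
    }
}

$Names | ForEach-Object { Get-HttpSpnState -HostName $_ } | Format-Table -AutoSize -Wrap
```

For the shared DNS name (pki.domain.local) the expected result is exactly one holder, the account the application pool runs as; a second holder, typically the web server's own computer object that someone registered HTTP/ on, is the "duplicate SPN issue" the article warns about. Seeing the computer object listed under Holders for the server's own name is fine only when the pool runs as that computer account.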
 
Azarudeen Mohamed (System Engineer, Author) commented:
After a long check with the network team and the firewall team, no ports are blocked.

Now the status is: https://webservername/certsrv is working fine.

https://webserverip/certsrv is not working, with the same error. What could be the problem? Can anyone explain whether we missed any steps in DCOM/COM, or an SPN for the IP address?
 
Indyrb commented:
Did you get this working? Did any of the above help?
 
Azarudeen Mohamed (System Engineer, Author) commented:
Yes, tried that, but still no luck.