pramod1

asked on

ACTIVE DIRECTORY, CERTIFICATE, GPO

I am importing a certificate for RDP on a domain controller,

but I feel it is a GPO which is not allowing it to get imported, as per the error below.

Error:
"An error occurred while enrolling the certificate. Certificate requested cannot be submitted to certificate authority
RPC server is unavailable 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)"

How can I identify the GPO?

arnold

The certificate source?
Does it have the private key?


You need to use certutil to identify the CA reference to which it tries to submit.

You could save the CSR and submit it to the issuing CA...

Something is amiss.

The GPO is not at issue; the CA record to which the request should be sent is the issue.

Do you have something that you know has a currently valid cert? Using that, looking at the certificate path could help identify the issuing CA.
Hello,

What are you doing exactly?

It seems that you are trying to install a certificate which is in reality a "request"!

Is the CA/Authority service on the domain controller?

If you don't have an authority, and if the RDP certificate has been created as "self-signed", you must add it as an authority on all machines that need to use or accept it.
pramod1

ASKER

I am trying to import the RDP cert from the MMC of the DC, where it fails, but when I do it from a member server it works.
Why, or what do you want to obtain by adding the RDP cert on the DC?

Are you just using the MMC console "Certificates" to add the certificate in the "Trusted authorities"?
=> It is nearly the only useful action that I can imagine.

The only other action should be to distribute this certificate by GPOs to update machines with a new authority to accept.
pramod1

ASKER

I am addressing a vulnerability that I need a CA cert and not a self-signed cert.
pramod1

ASKER

I am trying to import this certificate from under Personal - Certificates, and then Import, and getting an RPC error
[image] and copying it to [image]
pramod1

ASKER

Certificate Enrollment Error – 0x800706ba The RPC server is unavailable

pramod1

ASKER

url: DOMAIN.NET\ pre-prod issuing CA1 
pramod1

ASKER

I WAS READING AN ARTICLE:

  1. On the domain controller on which the certification service is deployed, you need to make sure there is a domain security group CERTSVC_DCOM_ACCESS or Certificate Service DCOM Access;

HOW DO I CHECK THE ABOVE?

pramod1

ASKER

I CHECKED THIS Certificate Service DCOM Access IN ADUC but it is blank
What I see is only the request (construction) of the certificate.

Now, you have to submit this request (.REQ file) on the server where the Certificate Authority is installed.

You need to have a template (authorized) corresponding to the request.

Then, you can issue (approve) the delivery of the certificate on the CA server.

You can use this kind of command to obtain the public part of the certificate:

certreq -attrib "CertificateTemplate:YourTemplate" -submit YourRequestFile.req

You need a template that authorizes 1825 days...
pramod1

ASKER

But when I do the same from a member Windows server, it works fine.
Run certutil on the two systems in question. What do you get as a response? Do they both return the same info?
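
The checks suggested in this thread (compare certutil output on both systems, confirm the CA answers over RPC, look at the Certificate Service DCOM Access group), gathered into one read-only PowerShell script to run on the domain controller and on the working member server. This is an added example, not part of any post above; `$CaHost` and `$CaName` are placeholder values (assumptions) to replace with the CA configuration that certutil reports on the working server.

```powershell
# Added example, not from the thread. $CaHost and $CaName are placeholders
# (assumptions): use the host\name pair that certutil reports on the working server.
param(
    [string]$CaHost = 'ca01.example.test',    # placeholder: CA server FQDN
    [string]$CaName = 'Example Issuing CA'    # placeholder: CA common name
)

# 1. Which CA does this machine find? Run on both systems and compare the output.
Write-Host '--- CA configuration seen by this machine ---'
certutil

# 2. 0x800706ba is a transport failure, so check name resolution first.
Write-Host "--- DNS lookup for $CaHost ---"
try {
    Resolve-DnsName -Name $CaHost -ErrorAction Stop |
        Select-Object Name, Type, IPAddress | Format-Table -AutoSize
} catch {
    Write-Warning "Cannot resolve ${CaHost}: $($_.Exception.Message)"
}

# 3. Enrollment uses DCOM/RPC: TCP 135 (endpoint mapper) plus a dynamic port.
#    This only proves 135 is reachable; the dynamic range can still be filtered.
Write-Host '--- RPC endpoint mapper (TCP 135) ---'
$rpc = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
"TcpTestSucceeded: $($rpc.TcpTestSucceeded)"

# 4. Ask the CA's request interface to answer over the same path enrollment uses.
Write-Host '--- certutil -ping ---'
certutil -config "$CaHost\$CaName" -ping
"certutil exit code: $LASTEXITCODE"

# 5. Members of the DCOM access group the asker looked up in ADUC.
#    Needs the ActiveDirectory module (present on a DC, RSAT elsewhere).
Write-Host '--- Certificate Service DCOM Access members ---'
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity 'Certificate Service DCOM Access' -ErrorAction Stop |
        Select-Object Name, objectClass | Format-Table -AutoSize
} catch {
    Write-Warning "Group lookup failed: $($_.Exception.Message)"
}
```

A difference between the two machines in step 1, 3 or 4 points at the CA record or the network path rather than at a GPO, which is the distinction the replies above draw.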