Luis Moreno
Windows Certificate enrollment - RPC server unavailable WIN32 - 1722

Hello All!

 

I've created a 2-tier Windows PKI.

The Root CA is a standalone Windows Server 2016 Standard, with extensions configured to allow certs to be provisioned by a Subordinate CA, which is another Windows Server 2016 Standard joined to our domain.

Both CAs are lit up green, new Templates for users and workstations have been created, and permissions for the templates have been set as per the instructions of a helpful video on YouTube; see the implementation steps at the bottom of this post.

Also, I've set up Auto Enrollment for users and computers via GPO, which I've confirmed is applying to my test user and computer.

Every time I force auto-enrollment by performing a gpupdate /force on the test system, I get the following Windows events: “Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.”

I tried to manually enroll for a computer certificate using the Manage Certificates MMC and the same error comes up: “The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)”

See screenshots for Windows client logs and manual enrollment errors respectively below:

[Screenshot: Windows client event log]

[Screenshot: manual enrollment error]

After much T-Shooting, conducting these steps…

  • Allowing all traffic on the firewall
  • Disabling the Windows firewall on the CA and the client machine
  • Testing RPC on ports 135 and 445 (successful via the PortQry utility)
  • certutil -ping -config CAName: successful, but only when run as a Domain admin… as a normal user it failed with the same RPC error

…it occurred to me to make my Windows user a local admin of the testing computer. Once I did that, certutil -ping -config CAName completed successfully!

Then I proceeded to test manual “User” certificate enrollment via the Manage Certificates MMC and IT WORKED!!!!!!!!!!! I was able to enroll and I could see the issued certificate in the CA console, all good. So all this made me believe that RPC connectivity issues are not the root cause of my problem.

 

Now, when attempting manual Computer enrollment via the Manage Certificates MMC, it displays the computer template I created as “available”, but when clicking the “Enroll” button, the same RPC error appears.

 

I’ve done some research online; most of the resolutions published are about DCOM permissions, but none of these instructions have worked.

There is one post about DCOM permissions by editing “Limits” which I have not been able to try, since this button is greyed out on my CA server…

 

Not sure where to go from here. Any help would be appreciated!

 

*****************************************************************************************************************************

 

Instructions followed for CA implementation:

 

Part 1) Build the underlying infrastructure
===========================================

1) Deploy DC (best practices)
    - install AD DS
    - test and verify our DNS
    - deploy a subset of OUs, admin users
        (AD CS is deployed in part via GPO)

2) Deploy workstations
    - Join the domain
    - Test and verify

3) Deploy Enterprise CA
    - Join the domain

4) Deploy Root CA
    - NOT domain joined

Part 2) Build the PKI Hierarchy
===========================================

1) Deploy Root CA
    - Install AD CS (standalone CA)
    - Configure AD CS
        - Claim the root CA role (establish your trust anchor)
        - Pre-configure the certificate extensions (AIA and CDP/CRL information)
            AIA (Authority Information Access)
            e.g. http://Server_IP/certdata/<ServerDNSName><CaName><CertificateName>
            CRL (Certificate Revocation List)
            e.g. http://Server_IP/certdata/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
            Default locations of CRL and Root Certificate
            C:\Windows\System32\CertServ\CertEnroll
        - Publish the CRL
        - Export Root Certificate with CA's public key
    - Export our Root CA, our CRL, and our CA's public key to Enterprise (issuing) CA

2) Deploy our Enterprise CA
    - Install the AD CS role
        - Claim the Enterprise CA role
    - Create the trust relationship (PKI hierarchy) with the Root CA
        - Create the EntCA public key
        - Install the Root certificate (with public key) on the EntCA
        - Extend AIA by creating certificate and CRL distribution point
        - Send a certificate request (with Enterprise public key) to the Root CA
        - Complete the certificate request process on the Ent CA
        - Export and install the new .pkb certificate granting issuing authority

Part 3) Distribute the Certificates via GPO
===========================================

3) Configure our Domain to Utilize the Enterprise CA
    - Populate the eventual IIS publication point for the AIA and CRL
        - e.g. http://www.ISS_Website.net/aia
        - e.g. http://www.ISS_Website.net/crl
    - Use user and computer templates to create domain certificates and modify key settings
        - Duplicate, modify and issue templates for users and domain computers
        - Key settings: Compatibility, General Naming, and Security
        - Remember special parameters for user settings
    - Create a GPO to autoenroll users and computers
        - Computer and Users > Policies > Windows Settings > Security > Public Key Policies > Certificate Enrollment Policy
        - Computer and Users > Policies > Windows Settings > Security > Public Key Policies > Auto-Enrollment Policy
    - Simultaneously allow the Root CA to be issued via GPO
        - Computer > Policies > Windows Settings > Security > Public Key Policies > Trusted Root Certification Authorities

Part 4) Test for Success
===========================================

4) Verify successful issuing of certificates for domain users and workstations
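The AIA and CDP entries in Part 2 are stored on the CA as a flag-prefixed URL list, where the angle-bracket placeholders in the post's example URLs are certutil substitution tokens (%1 = ServerDNSName, %3 = CaName, %4 = CertificateName, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed). The following PowerShell, typed on the CA, is an added example and not the thread's own commands; it keeps the post's placeholder host `Server_IP` and virtual directory `certdata`, and uses the real default local path `CertSrv\CertEnroll`. On the offline root CA these URLs end up in the subordinate CA's certificate, so clients must be able to reach them before chain building will succeed.

```powershell
# Added example (not from the thread). Run in an elevated prompt on the CA whose
# extensions you are configuring. Server_IP and certdata are the post's placeholders.
$localDir = "$env:windir\System32\CertSrv\CertEnroll"

# Flag prefixes (bit values certutil expects in front of each URL):
#   1  = publish the CA cert / CRL to this location (file paths only)
#   2  = include in the AIA or CDP extension of issued certificates
#   4  = include in the CRL's "freshest CRL" extension (delta CRL pointer)
#   64 = also publish delta CRLs to this location
# Entries are separated by a newline inside one string.
$aiaList = "1:$localDir\%1_%3%4.crt`n" +
           "2:http://Server_IP/certdata/%1_%3%4.crt"
$cdpList = "65:$localDir\%3%8%9.crl`n" +
           "6:http://Server_IP/certdata/%3%8%9.crl"

certutil -setreg CA\CACertPublicationURLs $aiaList   # AIA (Authority Information Access)
certutil -setreg CA\CRLPublicationURLs    $cdpList   # CDP (CRL Distribution Point)

# The CA service reads these values at start-up; then publish a fresh CRL.
Restart-Service certsvc
certutil -crl

# Read back what the CA now has, and check that the expanded URLs match
# what the web server (the certdata directory) actually serves.
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPublicationURLs
```

A useful check after this step is `certutil -URL <issued-cert.cer>` on a domain client, which retrieves each AIA and CDP URL and reports which ones are unreachable.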
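The question's troubleshooting narrowed the symptom to the caller's rights rather than network reachability (ping and user enrollment work once the user is a local admin; computer enrollment still fails). The PowerShell below is an added diagnostic, not code from the thread, that reproduces those checks from one client in a reviewable form: port reachability, `certutil -ping` with the current identity and elevation state, the template's AD security descriptor with Enroll/Autoenroll resolved from their well-known extended-right GUIDs, and the client's AutoEnrollment events filtered to the 0x800706ba code the post reports. The CA config string and the template object name are placeholders to replace; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Enrollment-path diagnostic for the symptoms described in the question.
# Added example, not from the thread. Placeholders to replace: the CA config
# string (HOST\CA-Name) and the template's object name (the "Template name"
# field on the template, not its display name).
param(
    [string]$CAConfig     = 'ISSUINGCA.corp.example\Corp-Issuing-CA',  # placeholder
    [string]$TemplateName = 'CorpComputerAuth'                         # placeholder
)

$caHost = $CAConfig.Split('\')[0]

# 1) Reachability of the RPC endpoint mapper (135) and SMB (445), the same checks
#    the asker ran with PortQry. Failure here is a network problem; success here
#    does not rule out an authorization problem on the CA side.
foreach ($port in 135, 445) {
    $tnc = Test-NetConnection -ComputerName $caHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $caHost, $port, $tnc.TcpTestSucceeded
}

# 2) certutil -ping talks to the CA over DCOM/RPC as the current caller. Run this
#    once from a normal prompt and once elevated: a ping that only works elevated
#    points at the caller's rights, not at connectivity.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$isElevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                  [Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($identity.Name), elevated=$isElevated"
certutil -ping -config $CAConfig

# 3) Template ACL as stored in AD (Configuration partition). Enroll and Autoenroll
#    are extended rights with fixed GUIDs; Read is a generic right. Deny entries
#    are listed too, because one Deny on a broad group overrides Allow elsewhere.
Import-Module ActiveDirectory
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-a7e5-00c04f79dc55'   # Certificate-AutoEnrollment
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
(Get-Acl -Path "AD:\$templateDN").Access | ForEach-Object {
    $ace   = $_
    $right = switch ($ace.ObjectType) {
        $enrollGuid     { 'Enroll' }
        $autoEnrollGuid { 'Autoenroll' }
        default         { $ace.ActiveDirectoryRights.ToString() }
    }
    [pscustomobject]@{
        Type      = $ace.AccessControlType
        Principal = $ace.IdentityReference.Value
        Right     = $right
    }
} | Sort-Object Type, Principal | Format-Table -AutoSize

# 4) Client-side record of the failure from the AutoEnrollment provider, filtered
#    to the code the asker saw (0x800706ba, RPC_S_SERVER_UNAVAILABLE). Run
#    "certutil -pulse" from an elevated prompt first to trigger machine autoenrollment.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x800706ba' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Step 3 inspects only the template's ACL. The CA itself has a separate security tab (Request Certificates, Issue and Manage Certificates) and, as the thread notes, a DCOM access configuration; the script does not read either, so a clean template ACL with a failing ping is a reason to look at those next.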

McKnife:

Please verify the settings on the security tab of the certificate template.
Did you entitle authenticated users to enroll & autoenroll, or how are permissions set there?
Luis Moreno (asker):

Hey McKnife!

Correct, I’ve set up the permissions on the new Templates: Auth users to enroll and autoenroll.

You didn't use denials there as well, by any chance?
correct, no denials
Please remove the template from within "certificate templates" in your CA snapin (don't delete the template) and re-add it - same problem?
I can vaguely remember having that error after taking the read permission from authenticated users. So please check whether read is checked in addition to enroll/autoenroll.

Any machine wide operation requires the run as administrator permission. i.e. computer certificate.  Which is why it fails when run as a standard user but the user certificate works.

Checked the permissions again and made sure read permissions were included, removed and re-added the template, still the same; also restarted the CA services and still the same.
Thanks for the comment David; now for some reason the User cert template stopped working.
Not sure why it is behaving so erratically now.

The issue is definitely permission based. I checked the permissions on the Templates and verified "Read, Enroll and AutoEnroll" are checked for Auth users and Domain users... however, it does not seem to work until I make my user a member of the local admins of my Subordinate CA! Weird...

Below the successful results after making my user a member of the CA server local admins


Where do you think I should check next?


[Screenshot: successful enrollment results]


Sorry, I have no idea. Maybe run procmon on the server to see whether it reveals access denials while trying as a weak user?

Cool, will do. Ultimately, enrolling for computer certs is most of my interest...

Recreated a Computer template, tweaked permissions for Auth users and Domain computers (READ, ENROLL and AUTOENROLL), tried to enroll manually again and got the same error. In the case of the user, I was able to successfully enroll after giving the user local admin rights on the CA server, but I'm not sure how to work around this with a computer account... do you think that maybe DCOM permissions are messing things up?


[Screenshot: computer template enrollment error]


No idea if dcom is even involved. I would use procmon and surely Google the error message in connection to enrollment as in "rpc_s..." "Enrollment" as search terms together.

WOW, glad you mentioned it. You brought me back to traffic captures... this is what I'm seeing now, which perfectly aligns with your comment and which I didn't see before for some reason... I'll go Googling!

[Screenshot: traffic capture]

ASKER CERTIFIED SOLUTION
Luis Moreno
Interesting. Could it be that this membership should be the default? I will compare to our environment tomorrow.

Glad you found it.
No, that group is empty on our CA.
What made you think this could be it?