Certificate autoenrollment fails with RPC server is unavailable – Again

Hey again!

I’ve blogged in the past about this issue – Certificate autoenrollment fails with RPC server is unavailable – but following a session today we’ve encountered a new situation when trying to auto-enroll certificates, and also with manual enrollment using the MMC. The error code was 0x800706ba – The RPC server is unavailable.

If you read my previous post, you’ll see I explained a situation with auto-enrollment on domain controllers when the CA is installed on a DC. The solution was adding the “Domain Controllers” security group to the CERTSVC_DCOM_ACCESS security group, but what happens when CERTSVC_DCOM_ACCESS itself has been deleted?

Well, easy (so it seems):

  1. Create the CERTSVC_DCOM_ACCESS group – a Domain Local security group in the Users container
  2. Populate the group with “Domain Users”, “Domain Computers” and “Domain Controllers”
  3. Log on to the CA server and run the following commands:
    1. certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    2. net stop certsvc && net start certsvc
  4. Restart your affected computers / DCs, because they have a new computer group membership
  5. Successfully auto-enroll your certificate
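The same steps, scripted, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is available, that it runs on the CA server with rights to create groups in the domain, and it verifies the group membership before the CA service is restarted, so a typo in a member name is caught before certsvc re-applies its DCOM security.

```powershell
# Added example (not from the original post): recreates CERTSVC_DCOM_ACCESS and applies the
# steps above with PowerShell. Assumes the ActiveDirectory module (RSAT) and that it runs on
# the CA server with permission to create groups in the Users container.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupName = 'CERTSVC_DCOM_ACCESS'
$usersCN   = $domain.UsersContainer      # CN=Users,DC=<domain>,DC=<tld>

# Step 1: create the Domain Local security group in the Users container, if it is missing
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope DomainLocal -GroupCategory Security -Path $usersCN -PassThru
}

# Step 2: populate it with Domain Users, Domain Computers and Domain Controllers
$members = 'Domain Users', 'Domain Computers', 'Domain Controllers'
Add-ADGroupMember -Identity $group -Members $members

# Check before touching the CA: all three groups must now be members
$current = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.Name })
$missing = @($members | Where-Object { $_ -notin $current })
if ($missing.Count -gt 0) {
    throw "Still missing from ${groupName}: $($missing -join ', ')"
}

# Step 3: clear the 'DCOM security updated' setup flag so certsvc re-applies DCOM
# permissions from the group on its next start, then restart the service
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
Restart-Service -Name CertSvc

# Step 4: the affected computers / DCs only see the new group membership after a reboot
# (restart them as appropriate; <dc-name> is a placeholder):
#   Restart-Computer -ComputerName <dc-name> -Force
```

Run it once as a domain admin on the CA; re-running is harmless, since the group lookup and `Add-ADGroupMember` are idempotent for members that already exist.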

Have fun!

Reference links:

http://support.microsoft.com/kb/927066

Also (again):
http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx


Certificate autoenrollment fails with RPC server is unavailable

Hi again,

Some of my work with Certification Authorities (AD CS) involves enrolling certificates for many purposes, and sometimes autoenrollment does not work as it should, giving you weird errors like:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from CA.domain.localDomain-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

along with some KDC certificate errors, because the domain controller does not hold a valid domain controller certificate:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

This happens when you create your CA on a Domain Controller and the “Domain Controllers” security group is missing from the “CERTSVC_DCOM_ACCESS” Domain Local Security Group.

Have a look at the following post for more autoenrollment issues and how to fix them:
http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx

The KDC error reference:
http://technet.microsoft.com/en-us/library/cc734096%28WS.10%29.aspx

SSLChainSaver v2 – Save root certificate (and chain), the super easy way.

Well, not much to say here; go read about the awesome tool.

You need to distribute your SSL root chain, which is sometimes more than one certificate, and make sure your mobile device accepts it.

You can use this tool to save the whole SSL chain and verify that the chain is actually presented correctly by the web site. This can be an issue too, because sometimes the server does not hold the whole chain but just the main root CA public key. The tool makes this very easy to troubleshoot, and to distribute your files.

http://blogs.msdn.com/windowsmobile/archive/2008/05/18/sslchainsaver-v2-released.aspx

  • The tool can detect a common name mismatch on the cert but it doesn’t parse the “SubjectAltNames” extension. If your certificates are using SubjectAltNames, the tool will report a name mismatch but the certs will really work fine.

I don’t find that super problematic though 🙂 I just wanna save it.
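To show what the tool does without relying on it, here is an added example that is not SSLChainSaver or any code from its page: it connects to a TLS endpoint, captures the chain the handshake produced, saves each certificate as a DER .cer file ready for distribution, reports whether the chain was complete, and checks the host name against both the Subject CN and the SubjectAltNames extension (the case the note above says the tool does not parse). It is written for Windows PowerShell 5.1 on .NET Framework; `$HostName`, `$Port` and `$OutDir` are placeholders.

```powershell
# Added example (not SSLChainSaver or code from its page): capture, save and check the chain
# a TLS server presents. Windows PowerShell 5.1; $HostName, $Port and $OutDir are placeholders.
param(
    [string]$HostName = 'www.example.com',
    [int]$Port = 443,
    [string]$OutDir = (Join-Path $env:TEMP 'chain')
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Names a certificate is valid for: Subject CN plus every DNS entry in SubjectAltNames (OID 2.5.29.17)
function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is localized; on an English system each entry reads "DNS Name=host"
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names
}

# Host-name match with single-label wildcard semantics: *.example.com matches a.example.com only
function Test-HostNameMatch {
    param([string]$Name, [string]$Pattern)
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                       # ".example.com"
        return ($Name.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                ($Name.Substring(0, $Name.Length - $suffix.Length) -notmatch '\.'))
    }
    return [string]::Equals($Name, $Pattern, 'OrdinalIgnoreCase')
}

# The validation callback is the one place where the chain built from the server-sent
# certificates is visible; we record it and report findings after the handshake.
$script:chainCerts  = @()
$script:chainStatus = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:chainCerts  = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $script:chainStatus = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })
    return $true   # never abort here; this script only inspects, it does not send data
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try     { $ssl.AuthenticateAsClient($HostName) }
finally { $ssl.Dispose(); $tcp.Close() }

# Save every certificate in the chain (leaf first) as DER .cer, ready to distribute
$i = 0
foreach ($c in $script:chainCerts) {
    $file = Join-Path $OutDir ('{0}-{1}.cer' -f $i, $c.Thumbprint)
    [System.IO.File]::WriteAllBytes($file, $c.Export('Cert'))
    '{0}: {1}  ->  {2}' -f $i, $c.Subject, $file
    $i++
}

# Chain completeness: PartialChain means an issuer could not be found, UntrustedRoot means the
# root is not in this machine's trust store. Intermediates already cached locally can hide a
# server that does not send them, so test from a clean machine for a definitive answer.
if ($script:chainStatus.Count -eq 0) { 'Chain status: OK' }
else { 'Chain status: ' + ($script:chainStatus -join ', ') }

# Name check that honours SubjectAltNames as well as the CN
$leaf  = $script:chainCerts[0]
$names = Get-CertificateNames -Cert $leaf
$match = @($names | Where-Object { Test-HostNameMatch -Name $HostName -Pattern $_ })
if ($match.Count -gt 0) { "Name check: '$HostName' matches '$($match[0])'" }
else { "Name check: '$HostName' not found in CN/SAN: $($names -join ', ')" }
```

Revocation is deliberately not checked here; the point is to see which certificates the server hands out and whether they chain up, which is what you need before pushing the .cer files to mobile devices. A `PartialChain` status is the symptom the post describes: the server served only part of the chain and the client could not complete it.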