Windows – Certificate Enrollment Fails

KB ID 0000921 

Problem

I first saw this problem a few years ago trying to get some Windows clients to auto enrol with server 2008, then this week my colleagues could not get  new 2019 Domain Controller to enrol for a Kerberos certificate, and the this was caused by the same problem.

Symtoms (RPC Error)

1. Test to make sure the client can see the CA, and is able to communicate with it, issue the following command;

certutil -pulse

CertUtil -pulse failed

As you can see above, the first time I ran the command I got the following error;

CertUtil: -pulse command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

I then ran the command window ‘as administrator’ and it completed, this was the first inkling I had, that permissions were probably not right.

2. Run mmc on an affected machine, and add in the certificates (local computer*) snap-in. right click the ‘personal container’ > attempt to get the certificate you have published manually.

Problem seen on a Domain Controller (Attempting to get a Kerberos Certificate).

Certificate RPC 1722 Error

An error occurred while enrolling for a certificate.
The Certificate request could not be submitted to the certification authority

Url: {CA Server Path}

Error: the RPC server is unavailable. 0x80076ba (WIN32: 1722
RPC_S_SERVER_UNAVAILABLE)

Problem seen on Windows Client (attempting to enrol for a Computer Certificate).

*Or local user if you are auto enrolling user certificates.

Certifcate RPC server is unavailble

At that point I on the Windows cliebntgot this error;

Active Directory Enrollment Policy
STATUS: Failed

The RPC server is unavailable.

Resolution (Windows Certificate RPC Error)

The most common cause for that error, is the membership of the ‘Certificate Service DCOM Access’ group is incorrect, check yours and make sure it matches the one below.

Certificate Servi DCOM Access Group Membership

On the CA Server launch the Certification Authority management tool and look at the properties of the CA Server itself, on the security tab make sure yours looks like this, (Domain computer and domain controllers should have the ‘request certificates‘ rights).

CA Server Security Settings

Still on the CA Server, check the permissions on the C:Windows\System 32\certsrv directory, authenticated users should have Read & Execute rights.

certsrv folder pemissions

This is the change that finally fixed mine: In active directory users and computers, locate the Builtin container, within it there is a group called ‘Users’. Make sure it contains Authenticated Users and INTERACTIVE.

Builtin users group membership

Run a ‘gpupdate /force’ on your test client, and/or reboot it.

Related Articles, References, Credits, or External Links

NA

Author: Migrated

Share This Post On