KB ID 0000921 Dtd 01/02/14
1. Test to make sure the client can see the CA, and is able to communicate with it, issue the following command;
As you can see above, the first time I ran the command I got the following error;
CertUtil: -pulse command FAILED: 0x80070005 (WIN32: 5) CertUtil: Access is denied.
I then ran the command window ‘as administrator’ and it completed, this was the first inkling I had, that permissions were probably not right.
2. Run mmc on an affected machine, and add in the certificates (local computer*) snap-in. right click the ‘personal container’ > attempt to get the certificate you have published manually.
*Or local user if you are auto enrolling user certificates.
At that point I got this error;
Active Directory Enrollment Policy STATUS: Failed The RPC server is unavailable.
3. The most common cause for that error, is the membership of the ‘Certificate Service DCOM Access’ group is incorrect, check yours and make sure it matches the one below.
4. On the CA Server launch the Certification Authority management tool and look at the properties of the CA Server itself, on the security tab make sure yours looks like this, (Domain computer and domain controllers should have the ‘request certificates‘ rights).
5. Still on the CA Server, check the permissions on the C:WindowsSystem 32certsrv directory, authenticated users should have Read & Execute rights.
6. This is the change that finally fixed mine: In active directory users and computers, locate the Builtin container, within it there is a group called ‘Users’. Make sure it contains Authenticated Users and INTERACTIVE.
7. Run a ‘gpupdate /force’ on your test client, and/or reboot it.
Related Articles, References, Credits, or External Links