Windows – Certificate Enrollment Fails

KB ID 0000921 

Problem

I first saw this problem a few years ago trying to get some Windows clients to auto enrol with server 2008, then this week my colleagues could not get  new 2019 Domain Controller to enrol for a Kerberos certificate, and the this was caused by the same problem.

Symtoms (RPC Error)

1. Test to make sure the client can see the CA, and is able to communicate with it, issue the following command;

[box]

certutil -pulse

[/box]

As you can see above, the first time I ran the command I got the following error;

CertUtil: -pulse command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

I then ran the command window ‘as administrator’ and it completed, this was the first inkling I had, that permissions were probably not right.

2. Run mmc on an affected machine, and add in the certificates (local computer*) snap-in. right click the ‘personal container’ > attempt to get the certificate you have published manually.

Problem seen on a Domain Controller (Attempting to get a Kerberos Certificate).

An error occurred while enrolling for a certificate.
The Certificate request could not be submitted to the certification authority

Url: {CA Server Path}

Error: the RPC server is unavailable. 0x80076ba (WIN32: 1722
RPC_S_SERVER_UNAVAILABLE)

Problem seen on Windows Client (attempting to enrol for a Computer Certificate).

*Or local user if you are auto enrolling user certificates.

At that point I on the Windows cliebntgot this error;

Active Directory Enrollment Policy
STATUS: Failed

The RPC server is unavailable.

Resolution (Windows Certificate RPC Error)

The most common cause for that error, is the membership of the ‘Certificate Service DCOM Access’ group is incorrect, check yours and make sure it matches the one below.

On the CA Server launch the Certification Authority management tool and look at the properties of the CA Server itself, on the security tab make sure yours looks like this, (Domain computer and domain controllers should have the ‘request certificates‘ rights).

Still on the CA Server, check the permissions on the C:Windows\System 32\certsrv directory, authenticated users should have Read & Execute rights.

This is the change that finally fixed mine: In active directory users and computers, locate the Builtin container, within it there is a group called ‘Users’. Make sure it contains Authenticated Users and INTERACTIVE.

Run a ‘gpupdate /force’ on your test client, and/or reboot it.

Related Articles, References, Credits, or External Links

NA

Publish CRL Error – Access Denied 0x80070005

KB ID 0001135

Problem

Seen when attempting to publish a CRL on a Windows Certificate Services Server.

Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Solution

The problem is the COMPUTER ACCOUNT attempting to publish the CRL, (i.e. the Windows Certificate Services Server), needs rights to the physical folder the CRL files live in, like so;

Related Articles, References, Credits, or External Links

NA

Event ID 13

KB ID 0000520 

Problem

Seen every few hours in the application log:

Source: AutoEnrollment Description: Automatic certificate enrollment for the local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

Solution

1. Go to your domain controller > Open Active Directory users and computers > Locate the CERTSVC_DCOM_ACCESS group.

2. Add in the “Domain Controllers” group.

3. On your Certification Authority Server > drop to command line and issue the following three commands.

[box]

certutil –setreg SetupStatus –SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc 

[/box]

Related Articles, References, Credits, or External Links

NA

Windows – Error ‘A Good Time server could not be located’

KB ID 0000705

Problem

Seen when running dcdiag,

Error(s):

Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising

 

Running enterprise tests on : PeteNetLive.com Starting test: Intersite ……………………. PeteNetLive.com passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 A Good Time Server could not be located. ……………………. PeteNetLive.com failed test FsmoCheck

Solution

Note: Any one of the things below can cause this problem, I suggest you retry running dcdiag after each step until it runs without error.

1. In a windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.

Locate your FSMO Role Servers

2. Now configure your PDC emulator to get its time from a reliable external source.

Windows – Setting Domain Time

3. If you have got this far, then should already have the windows time service running, check!

4. From command line, remove and reinstall the Windows time service with the following two commands.

[box]w32tm /unregister<br />w32tm /register[/box]

Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,

Error
The following error occurred: Access is denied (0x80070005)

If this happens don’t panic, open the services console (Press F5) and the Windows Time Service may have disappeared (if so re-register it). If not manually stop the Windows Time service and try to unregister again, then re-register.

WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.

5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;

[box]HKLM > System > CurrentControlSet > services > W32Time > Parameters[/box]

Ensure the Type value it set to NTP, the restart the Windows time service and check again.

5. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]
Set the AnnounceFlags value to 5.

6. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Time Providers > NtpServer[/box]

Make sure the Enabled value is set to 1 (one).

7. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make ALL the settings are to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

8. On the PDC Emulator, Open a command window (Note: You must Run as Administrator!) > In the Computer Settings section locate all the policies that are applying to the server.

Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:gpresult.txt’ then search that text file, for any instance of w32tm, (here’s an example).

As above navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure Global Configuration Settings is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

Related Articles, References, Credits, or External Links

NA

Certificate Import Error – ‘Exception from HRESULT: 0x80070005’

KB ID 0000818 

Problem

Seen on Windows Server 2012 when trying to complete a certificate request.

There was an error while trying to perform this operation
Details:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Solution

1. Open Windows Explorer and navigate to;

[box]
C:ProgramDataMicrosoftCryptoRSAMachineKeys
[/box]

Note: ProgramData is a hidden folder.

2. Open the folder properties > Security > Advanced > Permissions.

3. Make sure the Administrators group, has the following rights to ‘This folder, subfolders, and files’ > Full control.

4. Make sure the Everyone group, has the following rights to ‘This folder only’ > Select ‘Show advanced permissions’.

List folder/read data>
Read attributes
Read extended attributes
Create folders/append data
Write attributes
Write extended attributes
Read permissions</br

 

Related Articles, References, Credits, or External Links

NA