Event ID 6 and 13

KB ID 0000473 

Problem

Event ID 6

Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

Description:

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

 

Event ID 13

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll

Description:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from {hostname}\{name of CA} (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

 

Solution

Note: The pertinent information in the Event ID 13 above is 0x800706ba. There are other causes of this Event ID, so make sure yours shows the same code.

In my case I had an Exchange server that was using a certificate that had been “self signed”, and the Root CA that signed the certificate had been ungracefully removed from the domain. Take a note of the Root CA name from the Event ID error (shown arrowed above).

1. Launch “Active Directory Sites and Services” > Select the top level object > View > Show Services Node.

2. Expand Services > Public Key Services > AIA > Delete the “Problem CA”.

3. Then select “Enrollment Services” > Delete the “Problem CA”.

If you have a New CA (in this example you would have seen it in step 2), then DO NOT perform the next two steps!!!

4. Providing you DON’T have a CA now, select “Certificate Templates” and delete them all.

5. Providing you DON’T have a CA now, select “Public Key Services” and delete the NTAuthCertificates item.

6. To tidy up, run the following command on the server logging the error:

certutil -dcinfo deleteBad

7. Finally, on the server logging the error, run the following command to update the policies:

gpupdate /force
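Before deleting anything in steps 2 and 3, it helps to see exactly which CA objects are published in the configuration partition and whether each CA’s host still exists in the domain. The script below is an added example, not part of the original article; it is read-only, assumes the ActiveDirectory RSAT module and a domain admin session, and treats a CA whose host computer account is missing as the “ungracefully removed” pattern described above.

```powershell
# Added example (not from the original article): list the CA objects that
# steps 2 and 3 would delete and flag the ones whose host is gone from AD.
# Read-only. Assumes the ActiveDirectory module (RSAT) and domain admin rights.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Enrollment Services: one pKIEnrollmentService object per enterprise CA.
$enrollment = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter "(objectClass=pKIEnrollmentService)" `
    -Properties dNSHostName, cACertificateDN

# AIA: one certificationAuthority object per CA that published its certificate.
$aia = Get-ADObject -SearchBase "CN=AIA,$pkiBase" `
    -LDAPFilter "(objectClass=certificationAuthority)"

function Get-PublishedCAStatus {
    foreach ($ca in $enrollment) {
        $caHost    = $ca.dNSHostName
        $shortName = ($caHost -split '\.')[0]
        # A CA whose host computer account no longer exists matches the
        # "problem CA" in this article; one that still exists is probably live.
        $computer = $null
        if ($shortName) {
            $computer = Get-ADComputer -Filter "Name -eq '$shortName'" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            CA          = $ca.Name
            Host        = $caHost
            HostInAD    = [bool]$computer
            InAIA       = [bool]($aia | Where-Object Name -eq $ca.Name)
            CertSubject = $ca.cACertificateDN
        }
    }
}

Get-PublishedCAStatus | Format-Table -AutoSize
```

Rows with HostInAD set to False are the candidates for the “Problem CA” in steps 2 and 3; rows with HostInAD True are the “New CA” the warning above step 4 refers to, and if any exist, steps 4 and 5 should be skipped.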

Related Articles, References, Credits, or External Links

NA

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’

KB ID 0001029

Problem

Server: Windows Server 2012 R2
Client: Windows 8 Enterprise

I was setting up auto-enrollment this morning, and the computer certificates were getting issued but not the user ones. The policies were correct, the registry keys on the clients were correct, and even RSOP told me the users ‘should’ be getting certificates.

However, nothing was working, so I decided to ‘manually enroll’ and this happened:

The Email name is unavailable and cannot be added to the Subject or Subject Alternate name. Denied by Policy Module the request ID is {number}

As I could see it was denied, I went and looked in Failed Requests on the CA, and sure enough, that was where my auto-enrollment had been failing.

Event ID Logs

A look in the event log on the Certificate Server also gave me this.

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 03/02/2015 13:31:07
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: PETENETLIVE\petelong
Computer: PNLWin800v.petenetlive.com
Description:
Certificate enrollment for PETENETLIVE\petelong failed to enroll for a PNL-User certificate with request ID 23 from PNLPKI00v.petenetlive.com\petenetlive-CA (The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374)).

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 03/02/2015 13:28:52
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PNLWin800v.petenetlive.com
Description:
Automatic certificate enrollment for PETENETLIVE\petelong failed (0x80094812) The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name.
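Both of the KB articles on this page hinge on the same two events (AutoEnrollment 6 and CertEnroll 13) and differ only in the result code inside the message (0x800706ba versus 0x80094812). The query below is an added example, not from the original article; it pulls those events from the Application log of the machine it runs on and groups them by result code so the two cases can be told apart before picking a fix. It assumes the Windows 8 / Server 2012 era event schema shown above.

```powershell
# Added example (not from the original article): collect CertEnroll (13) and
# AutoEnrollment (6) failures from the local Application log and group them
# by the hex result code found in the message text.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll',
                   'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    Id           = 6, 13
    StartTime    = (Get-Date).AddDays(-7)   # look back one week
}

function Get-EnrollmentFailures {
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The result code appears in the message as 0x followed by 8 hex digits.
            $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $matches[0] } else { 'unknown' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Provider = $_.ProviderName
                Code     = $code.ToLower()
                Summary  = ($_.Message -split "`r?`n")[0]
            }
        }
}

function Get-EnrollmentFailureSummary {
    # One row per result code, most frequent first.
    Get-EnrollmentFailures |
        Group-Object Code |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].Summary } }
}

Get-EnrollmentFailureSummary | Format-Table -AutoSize -Wrap
```

A run that shows 0x800706ba points at the RPC / missing CA problem in the first article, while 0x80094812 points at the missing e-mail attribute covered in the second; run it on the client logging the errors, since both events are written by the enrollment client rather than the CA.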

Solution

The certificate template I was using needed the following option removed (WARNING: don’t do this if you are going to use these certs to sign emails; I was not). I also removed the “include E-mail name” option shown below.

Or (as a quick fix, as I was on my test network with one user) I simply gave that user an entry in their E-mail field in Active Directory.

Another Option: Give all users an email address using PowerShell; see the following article:

PowerShell – Update All Domain Users With Email Address From UPN
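As an added example (not the script from the linked article), the following finds the enabled users whose mail attribute is empty, which is the condition that produces 0x80094812 for a template that includes the e-mail name, and fills it from the UPN. It assumes the ActiveDirectory module and that your UPN suffixes are real mail domains; it runs as a dry run with -WhatIf until you remove that switch.

```powershell
# Added example (not from the original article): populate the mail attribute
# from the UPN for enabled users that have no e-mail address.
# Assumes the ActiveDirectory module and UPN suffixes that are valid mail domains.
Import-Module ActiveDirectory

function Get-UsersMissingMail {
    # Enabled accounts whose mail attribute is not set; these are the accounts
    # the "E-mail name is unavailable" error refers to.
    Get-ADUser -Filter { Enabled -eq $true -and mail -notlike "*" } `
        -Properties mail, userPrincipalName
}

function Set-MailFromUpn {
    param(
        [Parameter(Mandatory)] $User,
        [switch] $WhatIf
    )
    # Skip accounts with no UPN or a UPN that is not in user@domain form.
    if (-not $User.userPrincipalName -or $User.userPrincipalName -notmatch '^[^@\s]+@[^@\s]+$') {
        Write-Warning "$($User.SamAccountName): no usable UPN, skipping"
        return
    }
    Set-ADUser -Identity $User -EmailAddress $User.userPrincipalName -WhatIf:$WhatIf
}

$missing = @(Get-UsersMissingMail)
"$($missing.Count) enabled user(s) have no e-mail address"

# Dry run first (WhatIf); remove -WhatIf to apply the change.
foreach ($u in $missing) { Set-MailFromUpn -User $u -WhatIf }
```

After applying the change, re-run the user’s manual enrollment or `gpupdate /force` on the client; the CA reads the mail attribute at request time, so no template change is needed for this route.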

Related Articles, References, Credits, or External Links

NA