Windows – Certificate Enrollment Fails

KB ID 0000921 

Problem

I first saw this problem a few years ago trying to get some Windows clients to auto enrol with Server 2008; then this week my colleagues could not get a new 2019 Domain Controller to enrol for a Kerberos certificate, and this was caused by the same problem.

Symptoms (RPC Error)

1. Test to make sure the client can see the CA and is able to communicate with it; issue the following command:

[box]

certutil -pulse

[/box]

As you can see above, the first time I ran the command I got the following error:

CertUtil: -pulse command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

I then ran the command window ‘as administrator’ and it completed; this was the first inkling I had that permissions were probably not right.

2. Run mmc on an affected machine and add the Certificates (Local Computer*) snap-in. Right-click the ‘Personal’ container and attempt to request the certificate you have published manually.

Problem seen on a Domain Controller (Attempting to get a Kerberos Certificate).

An error occurred while enrolling for a certificate.
The Certificate request could not be submitted to the certification authority

Url: {CA Server Path}

Error: the RPC server is unavailable. 0x80076ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Problem seen on Windows Client (attempting to enrol for a Computer Certificate).

*Or local user if you are auto enrolling user certificates.

At that point, on the Windows client, I got this error:

Active Directory Enrollment Policy
STATUS: Failed

The RPC server is unavailable.

Resolution (Windows Certificate RPC Error)

The most common cause of that error is that the membership of the ‘Certificate Service DCOM Access’ group is incorrect; check yours and make sure it matches the one below.

On the CA server, launch the Certification Authority management tool and open the properties of the CA server itself. On the Security tab, make sure yours looks like this (Domain Computers and Domain Controllers should have the ‘Request Certificates’ right).

Still on the CA server, check the permissions on the C:\Windows\System32\certsrv directory; Authenticated Users should have Read & Execute rights.

This is the change that finally fixed mine: in Active Directory Users and Computers, locate the Builtin container; within it there is a group called ‘Users’. Make sure it contains Authenticated Users and INTERACTIVE.

Run ‘gpupdate /force’ on your test client and/or reboot it.

Related Articles, References, Credits, or External Links

NA

Windows Server – Locate CA / Certificate Services

KB ID 0001163

Problem

A colleague was having some certificate problems onsite the other week. Someone suggested just using Certificate Services to simplify matters. I said I’d spin it up and configure it for him, (I’ve done a lot of Microsoft CA work, search the site!)

My first question was, “Do they already have certificate services?”; unsurprisingly the answer was “I don’t know”.

So if you’re on a domain, and you want to locate your CA server, or simply find out if you have one, what do you do?

Solution

The simplest option is to look in Active Directory Users and Computers, locate the ‘Cert Publishers’ group and look at its members.

Or you can run adsiedit.msc and browse to CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC={domain-name},DC={domain-extension}

Easy option: if you’re lazy (like me!) simply run the following command:

[box]

certutil -config - -ping

[/box]

If you don’t have any CAs, this is what you will see:

But if you do (below there is one, but there may be many):
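As an added example (not from either KB article above), the following Windows PowerShell script automates the lookups both entries describe: it reads the published Enterprise CAs from the configuration partition, lists the ‘Certificate Service DCOM Access’ membership for comparison, confirms Builtin\Users contains Authenticated Users and INTERACTIVE, and checks the certsrv folder ACL. It assumes a domain-joined host with Windows PowerShell 5.1; reading the Enrollment Services container for the CA host name and matching by well-known SID are my additions, not steps from the articles.

```powershell
# Added example (not from the original articles): read-only PowerShell checks
# for the items they describe. Assumes a domain-joined host; run it elevated on
# the CA server so the certsrv folder check applies. Well-known SIDs used:
# S-1-5-11 = Authenticated Users, S-1-5-4 = INTERACTIVE.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pksRoot  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Locate published Enterprise CAs (KB 0001163). The Enrollment Services
#    container (next to Certification Authorities) also carries the host name.
$finder = New-Object System.DirectoryServices.DirectorySearcher
$finder.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pksRoot"
$finder.Filter     = '(objectClass=pKIEnrollmentService)'
$cas = @($finder.FindAll() | ForEach-Object {
    '{0}\{1}' -f $_.Properties['dnshostname'][0], $_.Properties['cn'][0] })
if ($cas.Count -eq 0) { Write-Warning 'No Enterprise CA is published in AD.' }
else { Write-Host "CA config string(s): $($cas -join ', ')" }

# 2. Group memberships (KB 0000921), read from the 'member' attribute so that
#    well-known principals appear by SID rather than a localised display name.
function Get-GroupMemberDNs([string]$SamAccountName) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectClass=group)(sAMAccountName=$SamAccountName))"
    $s.PropertiesToLoad.Add('member') | Out-Null
    $hit = $s.FindOne()
    if ($hit) { @($hit.Properties['member']) } else { @() }
}
$dcom = Get-GroupMemberDNs 'Certificate Service DCOM Access'
if ($dcom.Count -eq 0) {   # CA on a member server: the group is local, not in AD
    $dcom = @(Get-LocalGroupMember 'Certificate Service DCOM Access' -ErrorAction SilentlyContinue | ForEach-Object Name)
}
Write-Host "Certificate Service DCOM Access members:`n  $($dcom -join "`n  ")"
$users = Get-GroupMemberDNs 'Users'   # Builtin\Users
foreach ($sid in 'S-1-5-11', 'S-1-5-4') {
    if ($users -match "^CN=$sid,") { Write-Host "Builtin\Users contains ${sid}: OK" }
    else { Write-Warning "Builtin\Users is missing ${sid} (resolution step above)" }
}

# 3. certsrv folder ACL (KB 0000921): Authenticated Users need Read & Execute.
$certsrv = Join-Path $env:SystemRoot 'System32\certsrv'
if (Test-Path $certsrv) {
    $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $ok = (Get-Acl $certsrv).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' -and
                       $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $rx) -eq $rx) }
    if ($ok) { Write-Host 'certsrv: Authenticated Users have Read & Execute: OK' }
    else { Write-Warning 'certsrv: Authenticated Users lack Read & Execute' }
} else { Write-Host 'No certsrv folder here; run this on the CA server for the ACL check.' }
```

The script only reads; any group or ACL it flags is changed by hand as described in the resolution steps, then followed by ‘gpupdate /force’ on the client.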

Related Articles, References, Credits, or External Links

NA