ADCS problem with enroll certificates for computers.

  • Tuesday, December 02, 2008 9:30 AM

    Hi All,
    There is a PKI infrastructure:
    • 1 standalone root CA (Win 2008 Std, workgroup, offline)
    • 2 enterprise issuing CAs (Win 2008 Ent, DC role, NPS role)
    In AD all root\issuing CA certs are available, the CRL is available, the Enterprise PKI console shows OK status for all components, etc.
    It seems to work and to be configured correctly.

    But there is one problem.

    PCs and DCs in the domain cannot request a computer cert from either CA.
    Manual enrollment through MMC fails on domain members/domain controllers with the error:
        Source: CertificateServicesClient-CertEnroll
        Event ID: 13
        Certificate enrollment for Local system failed to enroll for a Workstation/Domain Controller certificate from ....(name of CA).... (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

    Autoenrollment through GP and manual enrollment through Web Enrollment also fail.
    But!!! User certs enroll without problem. At least through the MMC console I can enroll a user cert.

    Please help, somebody. This problem is breaking my brain. )))

    Thanks all.

All Replies

  • Wednesday, December 03, 2008 6:34 PM

    A couple of things to check:
    1) Can you run certutil -ping -config "cadnsname\CA logical name" from the affected hosts?
    2) Who has permission to Request Certificates at the CA? (Did someone change Authenticated Users to Domain Users?)
    3) Look at the DCOM permissions to ensure that Authenticated Users have the correct permissions at the CA.
    Brian
  • Thursday, December 04, 2008 8:26 AM

    Brian, thank you for your answer.

    --- 1) Can you run certutil -ping -config "cadnsname\CA logical name" from the affected hosts?

    Yes, I can run this. The result is success on both issuing CAs.

    certutil -ping -config "CA FQDN\CA Logical Name"
    Connecting to CA FQDN\CA Logical Name ...
    Server "CA Logical Name" ICertRequest2 interface is alive
    CertUtil: -ping command completed successfully.

    --- 2) Who has permission to Request Certificates at the CA? (Did someone change Authenticated Users to Domain Users?)

    The only group which has the Request Certificates permission (at the CA security level) is Authenticated Users.
    The Domain Users group is not present in the CA ACLs.

    --- 3) Look at the DCOM permissions to ensure that Authenticated Users have the correct permissions at the CA.

    DCOM permissions on the CA for the Certificate Service DCOM Access group:
    Access Permissions level -> Local Access - Allow, Remote Access - Allow
    Launch and Activation Permissions level -> Remote Launch - Allow, Remote Activation - Allow

    Authenticated Users is a member of the Certificate Service DCOM Access group.

    Authenticated Users is not directly included in the DCOM ACLs.

    Thank you.

  • Friday, December 05, 2008 9:37 AM
    Moderator

    Hi,

    Please add the following groups to the Certificate Service DCOM Access group:

    • Domain Users group
    • Domain Controllers group
    • Domain Computers group

    In addition, make sure that the Certificate Service DCOM Access group has Local/Remote Activation permission as well.

    And then, update the DCOM security settings for the certificate service by running the following commands at a command prompt:

    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc

    Note: Press Enter after each command.

  • Friday, December 05, 2008 12:03 PM

    Hi Joson,

    I completed all your recommended steps, but the problem isn't resolved.

    But I have seen interesting behavior of the CA at the moment the security settings are applied.

    Running the command certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG showed this:

    C:\Users\mkislov>certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\SetupStatus:

    Old Value:
      SetupStatus REG_DWORD = 6003 (24579)
        SETUP_SERVER_FLAG -- 1
        SETUP_CLIENT_FLAG -- 2
        SETUP_DCOM_SECURITY_UPDATED_FLAG -- 2000 (8192)
        0x4000 (16384)

    New Value:
      SetupStatus REG_DWORD = 4003 (16387)
        SETUP_SERVER_FLAG -- 1
        SETUP_CLIENT_FLAG -- 2
        0x4000 (16384)
    CertUtil: -setreg command completed successfully.
    The CertSvc service may need to be restarted for changes to take effect.

    But as soon as I restarted the CA (net stop certsvc & net start certsvc) and queried the status (certutil -getreg SetupStatus),
    I saw this:

    C:\Users\mkislov>certutil -getreg SetupStatus
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\SetupStatus:

      SetupStatus REG_DWORD = 6003 (24579)
        SETUP_SERVER_FLAG -- 1
        SETUP_CLIENT_FLAG -- 2
        SETUP_DCOM_SECURITY_UPDATED_FLAG -- 2000 (8192)
        0x4000 (16384)
    CertUtil: -getreg command completed successfully.

    Hence the DCOM security settings aren't applied???
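    The moderator's group-membership steps and the SetupStatus output in the reply above can be checked together with the following PowerShell diagnostic. It is an added example, not code from the thread or from Microsoft; it assumes it is run on the enterprise issuing CA as an administrator, with PowerShell 3 or later and the ActiveDirectory module (Get-ADGroupMember) available. The flag names and values are the ones certutil printed above; 0x4000 is not named there, so it is reported only as a raw bit.

```powershell
# Added diagnostic for the thread above (not from the thread or from Microsoft).
# Assumptions: run on the enterprise issuing CA as an administrator, PowerShell 3+,
# ActiveDirectory module available. Flag names/values are those certutil printed
# in the thread; 0x4000 is not named there and is reported only as a raw bit.
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$setupFlags = [ordered]@{
    SETUP_SERVER_FLAG                = 0x1
    SETUP_CLIENT_FLAG                = 0x2
    SETUP_DCOM_SECURITY_UPDATED_FLAG = 0x2000
}

# Decode SetupStatus into one row per named flag, plus any bits certutil did not name.
function Get-CertSvcSetupStatus {
    $value = [int](Get-ItemProperty -Path $regPath -Name SetupStatus).SetupStatus
    $known = 0
    foreach ($name in $setupFlags.Keys) {
        $bit   = $setupFlags[$name]
        $known = $known -bor $bit
        [pscustomobject]@{ Flag = $name; Hex = ('0x{0:X}' -f $bit); Set = (($value -band $bit) -ne 0) }
    }
    $unnamed = $value -band (-bnot $known)
    if ($unnamed -ne 0) {
        [pscustomobject]@{ Flag = '(unnamed bits)'; Hex = ('0x{0:X}' -f $unnamed); Set = $true }
    }
}

# Report whether the groups the moderator asked for are members of the CA's DCOM
# access group. Computer enrollment runs as the machine account (Local system in
# the event above), so Domain Computers / Domain Controllers matter here even
# though user enrollment already works.
function Test-CertSvcDcomAccessGroup {
    $required = 'Domain Users', 'Domain Computers', 'Domain Controllers'
    $members  = Get-ADGroupMember -Identity 'Certificate Service DCOM Access' |
                Select-Object -ExpandProperty Name
    foreach ($group in $required) {
        [pscustomobject]@{ Group = $group; IsMember = ($members -contains $group) }
    }
}

Get-CertSvcSetupStatus      | Format-Table -AutoSize
Test-CertSvcDcomAccessGroup | Format-Table -AutoSize
```

    The flag coming back after the restart is the expected sequence: the certutil command clears SETUP_DCOM_SECURITY_UPDATED_FLAG, certsvc reapplies its DCOM security on the next start, and then sets the flag again, so a SetupStatus of 6003 after the restart means the update ran rather than that it was skipped.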

  • Tuesday, December 16, 2008 11:03 AM

    The problem isn't resolved.
    Please help with resolving it.