Troubleshooting FIMCM: RPC server is unavailable - Error 0x800706BA

Troubleshooting FIMCM: RPC server is unavailable - Error 0x800706BA

 


Overview / Purpose

Recently worked on a FIM Certificate Management issue that I wanted to share the information acquired during this troubleshooting session, and what ended up resolving the issue.

 


Problem statement

Windows Update Services updated the Bulk Client to FIM Certificate Management 2010 Update 2.  After noticing that, Update 2 was installed across the rest of FIM Certificate Management.  Attempting to issue Smart Cards through the Bulk Client tool produced the following error message.

 


Error message

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

 


FIM CM - Verbose Logging information

An error occurred during request execution. Request:

1) Exception Information

*********************************************

Exception Type: System.Runtime.InteropServices.COMException

ErrorCode: -2147023174

Message: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

Data: System.Collections.ListDictionaryInternal

TargetSite: Microsoft.Clm.CertificateServices.Interop.PropertyType GetCAPropertyFlags(System.String, Microsoft.Clm.CertificateServices.Interop.CAProperty)

HelpLink: NULL

Source: Microsoft.Clm.CertificateServices.Interop

StackTrace Information

*********************************************

Server stack trace:

   at Microsoft.Clm.CertificateServices.Interop.ICertRequest2.GetCAPropertyFlags(String strConfig, CAProperty PropId)

   at Microsoft.Clm.CertificateServices.Interop.CertRequest.GetCAProperty(String config, CAProperty property, Int32 index, CAFormatFlag flags)

   at Microsoft.Clm.BusinessLayer.CertificateServer.IsOnline()

   at Microsoft.Clm.BusinessLayer.RequestExecution.CheckCertificateAuthorityAvailable(UserProfile profileTemplate)

   at Microsoft.Clm.BusinessLayer.RequestExecution.RequestCertificates(Guid requestGuid, UniqueCertificateRequests enroll, String password, String comment)

   at Microsoft.Clm.BusinessLayer.SmartCard.SmartCard.EnrollGenerateCerts(Request aRequest, UniqueCertificateRequests enrollData, String pfxPassword, CertificateRequestResults& requestResults)

   at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.EnrollProtocol.Process()

   at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Protocol.ProcessClientMessage()

   at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Protocol.ProcessClientMessage(Guid requestUuid, bcspClientMsg clientMsg)

   at Microsoft.Clm.BusinessLayer.RemoteRequests.ProcessBaseCspClientMessage(Guid requestUuid, bcspClientMsg msg, CultureInfo uiCulture, CultureInfo culture)

   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)

   at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)

Exception rethrown at [0]:

   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

   at Microsoft.Clm.BusinessLayer.RemoteRequests.ProcessBaseCspClientMessage(Guid requestUuid, bcspClientMsg msg, CultureInfo uiCulture, CultureInfo culture)

   at Microsoft.Clm.BulkClient.BaseCsp.ClientProtocol.ExecuteRequest(Guid requestUuid, String reader)

   at Microsoft.Clm.BulkClient.RequestExecution.RequestExecutionWorkerThread.ExecuteSmartCardRequest(Guid guidReq, Boolean isBaseCsp)

   at Microsoft.Clm.BulkClient.RequestExecution.RequestExecutionWorkerThread.DoWork()


Cause

In this particular issue, we discovered the cause of the problem to be an Access Denied.  We discovered that the account issuing the smart cards was not allowing delegation.

 


Troubleshooting steps

  • Possible problem connecting to the Certificate Authority (CA):

    Here is a Microsoft Knowledge Base Article ( KB-975795: Error Connecting to Certificate Authority: <domain>\<CA name> ) that provides information into this error and items to check. 

    *NOTE: Even if you have done some of these, it is important to double check these items, as that is what we did in this case and we were able to locate the issue.

In one customer issue, we discovered that item #4 in the above mentioned Microsoft Knowledge Base Article was actually our problem. 

#4 The user account requesting the certificate might have the "Account is sensitive and cannot be delegated" checkbox checked in the Account options section of the Account tab in AD Users and Computers.

    • Validate that the version of the Bulk Client and the Smart Card Client on the client machine are the same.
    • Validate config files:

      It is very possible that the config files may have been overwritten during the installation of the update.  If you have a backup of the config files, compare them against what is currently there to confirm that they are the same.  If they are not, replace the config files with the ones from your backup. 

 


Resolution

Provide the account issuing the Smart Cards with allowing delegation

 


See also

Sort by: Published Date | Most Recent | Most Useful
Comments
  • I faced same error and found a solution by opening the Group Policy Object Editor (gpedit.msc) and edited the Group Policy object (GPO) that is used to manage Windows Firewall settings.

    Open Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile & Standard Profile.

    Here enable the following exceptions: "Allow inbound remote administration exception" and "Allow inbound file and printer sharing exception".

Page 1 of 1 (1 items)