RPC Server Unavailable trying to connect to CA

Issue - Unable to connect to a CA using certificate authority console.

Description - Recently, we built a new Standalone CA. We wanted to delegate the 'cert issuing' task to the Help Desk team, but whenever we tried to connect to this CA using the desktop CA console, we encountered the error below. In addition, none of us were able to connect to any of the services on it, such as the C drive, remote registry etc.

Error - RPC Server Unavailable error 0x6a (WIN32: 1722)

Tried - 1. Tried disabling 'windows firewall', didn't work.
2. Tried starting remote procedure call locator service, did not work.
3. Sometimes event 13 with "Server RPC is unavailable" means "access is denied". A possible cause of this issue is that one of the following objects is not added to the Built-in\Users group:

· NT AUTHORITY\Authenticated Users
· NT AUTHORITY\INTERACTIVE
· Domain Users

In addition, verified that the DCOM permission is configured correctly on the CA server:

1) On the server, run dcomcnfg.exe.
2) On the Component Services console, navigate to Component Services\Computers\My Computer.
3) Right-click My Computer, select Properties, and verify that Enable Distributed COM on this computer is selected in the Default Properties tab.
4) Click the COM Security tab, click Edit Limits in the Access Permission section and ensure that Everyone and Certificate Service DCOM Access have Local Access and Remote Access permissions.
5) Click Edit Limits in the Launch and Activation Permission section and ensure that the Certificate Service DCOM Access group has Local Activation and Remote Activation permissions.
6) Click OK.
7) Under My Computer, navigate to DCOM Config\CertSrv Request.
8) Right-click CertSrv Request, select Properties, and verify that Authentication Level is set to Default and grayed out in the General tab.
9) Select the Security tab, and check if everything is disabled (grayed out).

Still didn’t work.
4. Verify that the following keys exist in the registry (the keys are grouped according to operating system).

Verified that the ClientProtocols key exists under the
HKEY_Local_Machine\Software\Microsoft\Rpc
registry subkey and that the ClientProtocols entry contains at least the following five default values:

Name            Type      Data
ncacn_http      REG_SZ    rpcrt4.dll
ncacn_ip_tcp    REG_SZ    rpcrt4.dll
ncacn_nb_tcp    REG_SZ    rpcrt4.dll
ncacn_np        REG_SZ    rpcrt4.dll
ncacn_ip_udp    REG_SZ    rpcrt4.dll

Resolution - On digging further, we found that the RPC port was blocked. By default, port 135 TCP/UDP and ports 1024-65535 TCP must be open for RPC to work.
RPC can also take advantage of SMB sessions for the purpose of RPC communication. Some examples of this can be seen with Computer Management or the Remote Registry service. Because of this use of RPC over SMB, we want port 445 to be open as well. So with the help of the networking team, we were able to open ports 135 and 445, and everything worked fine.
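
The port and registry checks from this post can be repeated from the client before escalating to the networking team. The script below is an added example, not part of the original post; the host name ca01.example.test is a placeholder, the registry check runs against the machine the script is started on, and the dynamic RPC range 1024-65535 is not probed.

```powershell
# Added example: re-run the checks from this post from the help desk client.
# 'ca01.example.test' is a placeholder; pass the real CA host name instead.
param(
    [string]$CaServer = 'ca01.example.test'
)

# Ports named in the resolution: 135 (RPC endpoint mapper) and 445 (RPC over SMB).
$portChecks = @(
    @{ Port = 135; Use = 'RPC endpoint mapper' },
    @{ Port = 445; Use = 'SMB, used for RPC over SMB' }
)

$portResults = foreach ($c in $portChecks) {
    # TcpTestSucceeded is $false when a firewall drops or rejects the connection.
    $r = Test-NetConnection -ComputerName $CaServer -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = "TCP $($c.Port) to $CaServer ($($c.Use))"
        Passed = [bool]$r.TcpTestSucceeded
    }
}

# The five default ClientProtocols values listed in the post (local machine).
$expected = 'ncacn_http', 'ncacn_ip_tcp', 'ncacn_nb_tcp', 'ncacn_np', 'ncacn_ip_udp'
$key      = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'
$props    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$regResults = foreach ($name in $expected) {
    # A missing key or value yields $null, which is reported as a failure.
    $value = if ($props) { $props.$name } else { $null }
    [pscustomobject]@{
        Check  = "ClientProtocols\$name = rpcrt4.dll"
        Passed = ($value -eq 'rpcrt4.dll')
    }
}

$all = @($portResults) + @($regResults)
$all | Format-Table -AutoSize

# Summarize so the failing layer (network vs. local RPC config) is obvious.
$failed = @($all | Where-Object { -not $_.Passed })
if ($failed.Count -eq 0) {
    Write-Output 'All checks passed. If the CA console still fails, review DCOM permissions and the dynamic RPC port range.'
} else {
    Write-Output "$($failed.Count) check(s) failed:"
    $failed | ForEach-Object { Write-Output "  - $($_.Check)" }
}
```

A failed TCP 135 or 445 check with a healthy ClientProtocols key points at a network filter between client and CA, which is the situation described in the resolution above.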

