RPC Server Unavailable When Requesting Computer Certificate - Windows Security


  1. #1

    RPC Server Unavailable When Requesting Computer Certificate

    Hi,

    I'm trying to set up a machine for use with our VPN. We will be using L2TP &
    smartcards, so I need to request a computer certificate. Up till now I've
    been able to configure most computers when people are in the office,
    connected to the domain, using automatic certificate deployment via group
    policy. However we have 1 user who is not going to be in the office, but
    needs VPN access.

    So I've changed the VPN access to allow PPTP temporarily, and asked him to
    connect, then I've used remote assistance to terminal service into his
    machine. From there I've managed to use the web based enrollment to download
    the CA certificate, and tried to use the certificates MMC snap-in to request
    a computer certificate. However I get the initial screen up, asking which
    certificate I'd like, common name etc, but when I press finish, the system
    hangs for about 10 seconds, then errors with "RPC Server is unavailable".

    At first I thought this might be a firewall issue, as he was running Windows
    Firewall, as well as Symantec firewall. So I disabled both, and also the
    firewall on his 3com router. However after trying again, with a number of
    reboots, it still errors. I can ping the CA, the domain, and other
    computers.

    Does anyone have any ideas as to how I can successfully request a computer
    certificate? Is there another way of doing it? I notice there is no computer
    certificate option in the web enrollment form, even though the template has
    been added to the CA.

    We're using ISA 2004 as the VPN server, and it's allowing all protocols
    through from VPN > internal, and Internal > VPN. The DC is Windows 2003
    Server, and the client machine is Windows XP Pro SP2.

    Many thanks

    Ben


    Ben
  2. #2

    RE: RPC Server Unavailable When Requesting Computer Certificate

    The one thing that I would do is to start Netmon on both ends and run them
    while making the request for the cert. You should see one of them come back
    with a port access issue. With this info, you will know what you need to do
    on the firewall for RPC to work and allow for the cert request to work
    properly...

    Ozone
  3. #3

    Re: RPC Server Unavailable When Requesting Computer Certificate

    Your best bet would be to enable the "offline ipsec" certificate template
    for the CA and have him request that via Web Enrollment. The RPC error is
    usually because of a firewall problem or dns problem. If you had to you
    could manually request the certificate yourself for that computer and
    specify that computer name in the request. Then export the
    certificate/private key from your computer [select option to export whole
    certificate chain to include CA certificate] to a password protected .pfx
    file and send it to the user with instructions how to import it into the
    "computer" certificate store. Note that the user would need to be a local
    administrator to request and install the certificate. --- Steve


    Steven
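
An added example, not part of any poster's reply: a small triage script that separates the two causes named above (DNS versus firewall) for the RPC path the MMC snap-in uses, starting at the RPC endpoint mapper on TCP 135. The host name `ca01.corp.example` is a hypothetical placeholder; a successful ping does not show that TCP 135 is allowed through.

```python
import socket

EPMAP_PORT = 135  # RPC endpoint mapper; RPC/DCOM enrollment starts here


def triage_rpc_path(ca_host, port=EPMAP_PORT, timeout=5.0):
    """Classify why an RPC request to ca_host may fail.

    Returns (verdict, detail); verdict is one of:
      'dns'       - the name does not resolve from this client
      'filtered'  - no answer to the connection attempt (traffic dropped)
      'refused'   - host answered but nothing listens on the port
      'reachable' - endpoint mapper accepts TCP connections
    """
    try:
        infos = socket.getaddrinfo(ca_host, port,
                                   socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Name resolution failed: check the DNS servers handed out by the VPN.
        return ("dns", str(exc))

    addr = infos[0][4]  # (ip, port) of the first IPv4 result
    try:
        with socket.create_connection(addr, timeout=timeout):
            # Port 135 answers. The enrollment call then moves to a
            # dynamically assigned port, which a packet capture will show.
            return ("reachable", "%s:%d" % addr)
    except socket.timeout:
        # Silent drop: matches a request that hangs and then errors out.
        return ("filtered", "no reply from %s:%d" % addr)
    except ConnectionRefusedError:
        return ("refused", "%s:%d actively refused" % addr)
    except OSError as exc:
        # No route / network unreachable and similar path failures.
        return ("filtered", str(exc))


if __name__ == "__main__":
    # Hypothetical CA host name; replace with the real CA's DNS name.
    verdict, detail = triage_rpc_path("ca01.corp.example")
    print(verdict, "-", detail)
```

A `reachable` verdict only clears the endpoint mapper; the dynamic port chosen for the certificate request still has to pass every firewall on the path.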
  4. #4

    Re: RPC Server Unavailable When Requesting Computer Certificate

    Hi Steve,

    Thanks for the reply. I had looked into doing this, but I couldn't find any
    documentation on how to request a certificate on behalf of another computer
    (lots of documentation for doing another user). I've installed the
    certificate for "enrollment agent (computer)", but if I do 'request new
    certificate' and select computer, I don't get the option to enter the other
    computer name, even if I select advanced, I can put it in the friendly name,
    but at the end on the details screen, computer name is still that of my
    computer. If I try to export this, I don't get the option to export the
    private key, it's greyed out. And the only certificate format I can export
    to is DER encoded, Base-64 or Cryptographic message syntax, again the option
    for PFX is greyed out!
    If you know of any documentation that exists, could you point me in the
    right direction!

    Cheers

    Ben


    Ben
  5. #5

    Re: RPC Server Unavailable When Requesting Computer Certificate

    Hi Ozone,

    Thanks for the reply, I will give the end user a call and give this a try
    over remote assistance! Thanks for the advice!

    Ben

    Ben
  6. #6

    Re: RPC Server Unavailable When Requesting Computer Certificate

    I don't believe there is any documentation but I have tried it in the past
    and it worked on a Windows 2000 Certificate Authority. If I remember
    correctly the option to export the private key was changed so that it could
    not be disabled in Windows 2003 for offline ipsec. Let me know more about
    the CA you are using [ stand alone or enterprise] and the exact operating
    system it is installed on as I believe I did find a way to do it on a
    Windows 2003 Enterprise CA but I can't remember what I did offhand but I
    will look into it further. --- Steve


    Steven
  7. #7

    Re: RPC Server Unavailable When Requesting Computer Certificate

    Hi Steve,

    Thanks for your help.

    We're running Windows 2003 standard server SP1, with an Enterprise CA.
    Clients are Windows XP SP2. Firewall/VPN server is ISA 2004 SP1.

    Ben

    Ben
  8. #8

    Re: RPC Server Unavailable When Requesting Computer Certificate

    Ben,
    The biggest issue you face is that you can only issue certificates based
    on version 1 templates in your configuration. An enterprise CA running
    on standard edition cannot issue certificates based on version 2
    templates.

    Why I am harping on this is that if the CA was running on enterprise
    edition, you could then create a custom v2 certificate template that
    provides the subject in the request, and allows private key export.

    brian
    Brian
  9. #9

    Re: RPC Server Unavailable When Requesting Computer Certificate

    Brian explained what the solution was for Windows 2003 CA though that does
    not look like a possibility for you unless you upgrade to Windows 2003
    Server Enterprise Edition. What I would do is to enable the offline ipsec
    template and then use the same method that you used to download the CA
    certificate via Web Enrollment to request an offline ipsec certificate for
    his computer via an advanced certificate request and being sure to select
    the option to store certificate in local computer store. Otherwise you could
    make the CA available to the user over the internet to request the
    certificate via Web Enrollment even if just temporarily. By default the Web
    Enrollment site uses integrated authentication which would not allow
    anonymous access to the website. The server running IIS for Web Enrollment
    does not have to be the CA either. --- Steve



    Steven
