How to Fix “The RPC Server is Unavailable” Error

Issue

Every time the user tries to enroll a certificate, an RPC Server Unavailable error appears. In this instance, the domain controller or another client neglects to sign up for certificates from the CA.

Description

When a user requests a certificate from ADCS Certification Authority, the certificate request cannot be submitted to the certification authority giving out an error

The RPC server is unavailable

Cause

This RPC Server unavailable error occurs only due to two reasons:

• It is not feasible to connect to the CA’s RPC interface.
• Although it is possible to connect to the CA’s RPC interface, authentication is not supported.

Steps done

• Checked from network trace to find that it denies the access (status: nca_s_fault_access_denied)
• Checked GP Result to see which GPO are being populated.

Solution

This solution has been divided into five parts, covering the details of what we need to do:

1. Checking Network Connection

   The client and the CA must be able to communicate via the network.

   • Check whether the hostname for CA Server is correct or not.
   • If the hostname is correct, then look for whether the name resolution is working fine and resolving the server’s name (i.e., the DNS entry registered on the old computer object).
   • Check whether the correct ports are opened on all firewalls (if any).
   • Basic, but it should also be taken care that the CA server and service are available and running successfully.

2. Fixing the RPC Interface

   Coming to CA, the first hurdle is that the RPC interface must be cleared, and the connection should be established. To do this, the account should have “Access this computer from the network” permissions granted.

   To do this

   • Open Local Security Policy -> Expand Local policies -> Double click User rights assignment.

     

   • By default, the following accounts should be enrolled here. Everyone, Administrators, Backup operators, Users

     

     Note: There is also an option to “Deny access to this computer from Network”, which should strictly be avoided.

3. DCOM Permissions

   After RPC is properly configured, DCOM will handle the authentication. To open this configuration,

   • Open Component Services; to do so, type dccomcnfg.

   • Browse to My computers and right-click. Enter properties.

     

   • Browse to COM Security under “EDIT LIMITS”.

     

   • Check whether these permissions are there in the security group:

     • Access permissions: Local Access and “Remote Access”

     • Launch and activation permissions: “Local Launch” and “Remote Launch.”

       

       

     • By default, the “Authenticated Users” are in the local “Certificate Service DCOM Access” security group.

     Note: To be aware that these settings can be controlled via Group Policy.

4. DCOM Config (CertSrv) Interface

   • Go to “Component Services” -> “Computers” -> “My Computers” -> “DCOM Config”

   • Open DCOM Config and select CertSrv Request. Right click and open properties.

     

   • Go to security tab and click on edit.

     

   Set the following permissions:

   • For Launch and Activation Permissions: Check “Local Activation” and “Remote Activation” for Everyone

   • For Access Permissions: Check “Local Access” and “Remote Access” for Everyone

     

     

5. CA Permissions

   It is always a checklist to see that the proper permissions on the CA are given. Otherwise, it would return CERTSRV_E_ENROLL_DENIED error.

If you need help with your PKI environment, feel free to email us at info@encryptionconsulting.com.