How to Fix “The RPC Server is Unavailable” Error

Issue

Every time the user tries to enroll a certificate, an RPC Server Unavailable error appears. In this instance, the domain controller or another client fails to enroll for certificates from the CA.

Error Code

0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

ADCS Certification Authority

Description

When a user requests a certificate from an ADCS Certification Authority, the certificate request cannot be submitted to the certification authority and fails with the error:

The RPC server is unavailable

Cause

This RPC Server Unavailable error occurs for one of two reasons:

  • The client cannot connect to the CA’s RPC interface.
  • Although it is possible to connect to the CA’s RPC interface, authentication is not supported.

Steps done

  • Checked a network trace and found that access is denied (status: nca_s_fault_access_denied).
  • Checked GP Result to see which GPOs are being populated.

Solution

This solution has been divided into five parts, covering the details of what we need to do:

  1. Checking Network Connection

    The client and the CA must be able to communicate via the network.

    • Check whether the hostname for CA Server is correct or not.
    • If the hostname is correct, check whether name resolution is working and resolves the server’s name (i.e., the DNS entry registered on the old computer object).
    • Check whether the correct ports are opened on all firewalls (if any).
    • Basic, but also make sure that the CA server and service are available and running.
  2. Fixing the RPC Interface

    On the CA, the first hurdle is the RPC interface: the connection must be established. For this, the account must have the “Access this computer from the network” permission granted.

    To check this:

    • Open Local Security Policy -> Expand Local Policies -> Double-click User Rights Assignment.
    • By default, the following accounts should be listed here: Everyone, Administrators, Backup Operators, Users

      Note: There is also an option to “Deny access to this computer from the network”, which should strictly be avoided.

  3. DCOM Permissions

    After RPC is properly configured, DCOM will handle the authentication. To open this configuration:

    • Open Component Services; to do so, type dcomcnfg.
    • Browse to My Computer and right-click. Select Properties.
    • Go to the COM Security tab and open “Edit Limits”.
    • Check whether these permissions are there in the security group:

      • Access permissions: “Local Access” and “Remote Access”
      • Launch and activation permissions: “Local Launch” and “Remote Launch”
      • By default, the “Authenticated Users” are in the local “Certificate Service DCOM Access” security group.

      Note: Be aware that these settings can be controlled via Group Policy.

  4. DCOM Config (CertSrv) Interface

    • Go to “Component Services” -> “Computers” -> “My Computer” -> “DCOM Config”
    • Open DCOM Config and select CertSrv Request. Right-click and open Properties.
    • Go to the Security tab and click Edit.
    • Set the following permissions:

      • For Launch and Activation Permissions: Check “Local Activation” and “Remote Activation” for Everyone
      • For Access Permissions: Check “Local Access” and “Remote Access” for Everyone
  5. CA Permissions

    Always verify that the proper permissions are granted on the CA. Otherwise, the request returns a CERTSRV_E_ENROLL_DENIED error.
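
The checks from steps 1 to 3 can also be run from a PowerShell prompt. The script below is an added example, not part of the original article: `$CaHost` and `$CaName` are placeholders, and it assumes Windows PowerShell 5.1, a CA installed on a member server (not a domain controller), and an elevated session for the `-OnCa` part.

```powershell
# Added example (not from the original article). Run once on the failing client,
# then again with -OnCa in an elevated session on the CA itself.
param(
    [string]$CaHost = 'ca01.example.test',   # placeholder: DNS name of the CA server
    [string]$CaName = 'Example Issuing CA',  # placeholder: CA common name
    [switch]$OnCa
)

if (-not $OnCa) {
    # Step 1: name resolution for the CA host
    try {
        Resolve-DnsName -Name $CaHost -ErrorAction Stop |
            Select-Object Name, Type, IPAddress
    } catch {
        Write-Warning "DNS lookup failed for ${CaHost}: $($_.Exception.Message)"
    }

    # Step 1: RPC endpoint mapper (TCP 135). The CA's dynamic RPC port is not
    # probed here; a firewall can still block it even when 135 is open.
    $epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
    "TCP 135 reachable: $($epm.TcpTestSucceeded)"

    # End to end: ask the CA's request interface to answer over RPC/DCOM.
    certutil -config "$CaHost\$CaName" -ping
    "certutil -ping exit code: $LASTEXITCODE (0 = interface answered)"
}
else {
    # Step 1: the CA service must be running
    Get-Service -Name CertSvc | Select-Object Name, Status

    # Step 2: export user rights and show who holds (or is denied) network logon.
    # SeNetworkLogonRight     = "Access this computer from the network"
    # SeDenyNetworkLogonRight = "Deny access to this computer from the network"
    # Accounts appear as SIDs, e.g. *S-1-1-0 for Everyone.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content -Path $inf | Select-String -Pattern '^Se(Deny)?NetworkLogonRight'
    Remove-Item -Path $inf

    # Step 3: members of the local DCOM access group
    Get-LocalGroupMember -Group 'Certificate Service DCOM Access' |
        Select-Object Name, ObjectClass
}
```

If TCP 135 is reachable but `certutil -ping` still fails, the cause is more likely in the permission checks of steps 2 to 4 than in basic connectivity.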


About the Author

Yathaarth Swaroop is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.
