25 November 2016

ADCS Server 2012 R2 Auto Enrollment with hardening - RPC Server Unavailable



On a Windows 2012 R2 server with the ADCS role installed you get the error "RPC server unavailable" after trying to request a certificate from a published template.

The first thing to look for is access rights.

All the posts I came across on the internet mentioned checking whether the Authenticated Users group had access on several objects. The idea is in the right direction but not quite the solution yet.

In Windows Server 2012 R2 in combination with a hardening policy you need to use the Domain Users group as well.

So check for the Authenticated Users group and add the Domain Users group in the following places:

The local server group Certificate Service DCOM Access.

The properties of the CA server itself: Authenticated Users, Domain Computers, Domain Controllers and Domain Users should be present.

On the CA server itself the CertSrv directory in C:\Windows\System32\ should have Read and Execute rights for Authenticated Users and Domain Users.

In Active Directory\Builtin locate the "Users" group and check for Authenticated Users and Domain Users.
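A read-only PowerShell audit of the group memberships and the CertSrv folder ACL listed above, added here as an example; it is not part of the original post. It assumes an elevated prompt on the CA server and, for the domain groups, the ActiveDirectory module (RSAT, or run it on a DC). It further assumes that on a domain-joined CA the Certificate Service DCOM Access group lives in the domain's Builtin container with its well-known SID S-1-5-32-574, next to Builtin\Users (S-1-5-32-545); if that lookup fails it falls back to the local SAM group of the same name. The Security tab of the CA's own properties is not read by the script and still has to be checked in the Certification Authority console.

```powershell
# Added example, not from the original post: read-only audit of the group memberships and
# the CertSrv folder ACL described above. Assumes an elevated prompt on the CA server and,
# for the domain groups, the ActiveDirectory module (RSAT) or a run on a DC.

# The two principals the post says must be present in every place it lists
$Wanted = @('Authenticated Users', 'Domain Users')

function Get-GroupMemberNames {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # display name, used for the local fallback
        [Parameter(Mandatory)][string]$Sid          # well-known SID, used for the AD lookup
    )
    try {
        # Domain-joined CA: these groups live in the domain's Builtin container (assumption).
        $dns = (Get-ADGroup -Identity $Sid -Properties member -ErrorAction Stop).member
        foreach ($dn in $dns) {
            # Well-known principals such as Authenticated Users (S-1-5-11) are stored as
            # foreign security principals named by their SID, so map that one by hand.
            if ($dn -match '^CN=S-1-5-11,') { 'Authenticated Users' }
            else { (($dn -split ',')[0]) -replace '^CN=', '' }
        }
    } catch {
        # Standalone CA or no AD module: read the local SAM group via the WinNT provider.
        $group = [ADSI]"WinNT://./$GroupName,group"
        foreach ($m in $group.Invoke('Members')) {
            $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        }
    }
}

function Test-GroupMembers {
    param([string]$GroupName, [string]$Sid)
    $members = @(Get-GroupMemberNames -GroupName $GroupName -Sid $Sid)
    foreach ($w in $Wanted) {
        if ($members -contains $w) { "[OK]      $GroupName contains $w" }
        else { "[MISSING] $GroupName lacks $w (members: $($members -join ', '))" }
    }
}

function Test-CertSrvAcl {
    # Read and Execute on %SystemRoot%\System32\CertSrv for both principals
    $path = Join-Path $env:SystemRoot 'System32\CertSrv'
    $need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl  = Get-Acl -Path $path
    foreach ($w in $Wanted) {
        $ok = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$w" -and
            (($_.FileSystemRights -band $need) -eq $need)
        }
        if ($ok) { "[OK]      $path grants Read & Execute to $w" }
        else     { "[MISSING] $path does not grant Read & Execute to $w" }
    }
}

# The Certificate Service DCOM Access group (BUILTIN RID 574)
Test-GroupMembers -GroupName 'Certificate Service DCOM Access' -Sid 'S-1-5-32-574'
# The CertSrv folder on the CA
Test-CertSrvAcl
# Builtin\Users (BUILTIN RID 545)
Test-GroupMembers -GroupName 'Users' -Sid 'S-1-5-32-545'
```

The script only reports; it changes nothing. A [MISSING] line points at the object to fix by hand in the console the post describes, which keeps the change visible and auditable.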

Check the DCOM Access Limit of "My Computer" on the DC:

1- On the server, run dcomcnfg.exe.

2- In the Component Services console, navigate to Component Services\Computers\My Computer.

3- Right-click My Computer, select Properties, and verify that "Enable Distributed COM on this computer" is selected on the Default Properties tab.

4- Click the COM Security tab, click Edit Limits in the Access Permission section and ensure that Everyone and Certificate Service DCOM Access have Local Access and Remote Access permissions.

5- Click Edit Limits in the Launch and Activation Permission section and ensure that the Certificate Service DCOM Access group has Local Activation and Remote Activation permissions.

6- Click OK.
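For steps 3 to 5, an added read-only check of the same machine-wide DCOM settings through the registry values that dcomcnfg writes (example code, not from the post). It assumes an elevated prompt on the machine being checked and that the Edit Limits dialogs store their security descriptors in the REG_BINARY values MachineAccessRestriction and MachineLaunchRestriction under HKLM\SOFTWARE\Microsoft\Ole. Principals are matched by SID (Everyone S-1-1-0, Certificate Service DCOM Access S-1-5-32-574) so the result does not depend on display names. When a limit value is absent, Windows applies its built-in default limits, which is what dcomcnfg then shows; the script only reports that case.

```powershell
# Added example, not from the original post: read-only audit of the machine-wide DCOM
# limits that steps 3-5 set through dcomcnfg. Assumes an elevated prompt on the machine
# being checked. The "Edit Limits" dialogs persist their security descriptors as the
# REG_BINARY values MachineAccessRestriction and MachineLaunchRestriction under the Ole key.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# DCOM access-mask bits (COM_RIGHTS_* constants from the Windows SDK)
$COM_RIGHTS_EXECUTE_LOCAL   = 0x2
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x8
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

# Match principals by SID so the check does not depend on localised display names
$EveryoneSid = 'S-1-1-0'
$CertDcomSid = 'S-1-5-32-574'   # BUILTIN\Certificate Service DCOM Access

function Get-DcomLimitAllowAces {
    param([Parameter(Mandatory)][string]$ValueName)
    $bytes = (Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return $null }   # value absent: Windows default limits are in force
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    # Only Allow ACEs grant rights. A Deny ACE for the same SID would still block access,
    # so confirm in the dialog if this reports OK but requests keep failing.
    $sd.DiscretionaryAcl | Where-Object { $_.AceType -eq 'AccessAllowed' }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # e.g. the CA group does not exist on this machine
}

function Test-DcomLimit {
    param(
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][int]$RequiredMask,
        [Parameter(Mandatory)][string]$Label
    )
    $aces = Get-DcomLimitAllowAces -ValueName $ValueName
    if ($null -eq $aces) {
        "[INFO]    $ValueName is not set; default limits apply. Confirm in dcomcnfg."
        return
    }
    # Union of every Allow ACE for this SID, then test the required bits
    $granted = 0
    foreach ($ace in $aces) {
        if ($ace.SecurityIdentifier.Value -eq $Sid) { $granted = $granted -bor $ace.AccessMask }
    }
    $name = Resolve-SidName -Sid $Sid
    if (($granted -band $RequiredMask) -eq $RequiredMask) {
        "[OK]      ${Label}: $name"
    } else {
        "[MISSING] ${Label}: $name (granted mask 0x$('{0:X}' -f $granted))"
    }
}

# Step 3: Enable Distributed COM on this computer
$enable = (Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
if ($enable -eq 'Y') { "[OK]      Enable Distributed COM on this computer" }
else                 { "[MISSING] Enable Distributed COM on this computer (EnableDCOM = '$enable')" }

# Step 4: Access Permission limits -> Local Access + Remote Access
$access = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE
Test-DcomLimit -ValueName 'MachineAccessRestriction' -Sid $EveryoneSid -RequiredMask $access -Label 'Local + Remote Access'
Test-DcomLimit -ValueName 'MachineAccessRestriction' -Sid $CertDcomSid -RequiredMask $access -Label 'Local + Remote Access'

# Step 5: Launch and Activation limits -> Local Activation + Remote Activation
$activate = $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE
Test-DcomLimit -ValueName 'MachineLaunchRestriction' -Sid $CertDcomSid -RequiredMask $activate -Label 'Local + Remote Activation'
```

Run it before and after the dcomcnfg changes: the before run records what the hardening policy left behind, and the after run confirms that only the two groups named in steps 4 and 5 gained rights, rather than a broader opening of the DCOM limits.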

This should be enough to get those certificates rolling again.
