ADCS certificate enrollment error with RPC

I'm attempting to enroll a computer certificate; this works for Windows clients (W7) but not for the Apple (OS X 10.9.4) clients.  I've been using the following document, with no success (http://support.apple.com/kb/HT5357).  The enrollment is being attempted from a mobileconfig generated from an OS X Server.  The payload is limited to only ADCertificatePayload to limit how much to troubleshoot.  We are also limiting the enrollment to a single Issuing CA to limit where to look for communication.  I greatly appreciate any assistance you can provide.
This is the ManagedClient.log from /Library/Logs:
+||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep  3 13:44:20[562:1]:+|||||||||||||| Calling installPayload on plugin: ADCertificatePayloadPlugin ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep  3 13:44:20[562:1]:+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload
Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin scheme overrides HTML to use RPC; scheme = (null)
Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin using RPC = YES
Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.boundADInformationWithError dict =
    computerID = AppleWorkID;
    domainName = "FQDN.com";
    name = domainname;
    subject = "/CN=AppleWorkID.FQDN.com";
Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.credentialsForDomain domainname = domainname; username = AppleWorkID$
Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer credentials username = AppleWorkID$
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer gss_aapl_initial_cred status = 0
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer running as euid = 0
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
Sep  3 13:44:21[562:1]:+Using RPC authn_level: 6
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name:  host/IssuingCA.FQDN.com
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer dwFlags is ff
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED
Sep  3 13:44:21[562:1]:+**************** AD certificate getCertificateFromServer failed
Sep  3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail
Sep  3 13:44:21[562:1]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7fbd4157b540 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin
The 'AppleWorkstation' template seems to have all the settings set correctly, but I'll go through them all.
General: Both display name and template name = "AppleWorkstation"
Compatibility->CA: Windows Server 2008 R2
Compatibility->Certificate recipient: Windows 7 / Server 2008 R2
Request Handling->Purpose: Signature and Encryption
Cryptography->Algorithm name: RSA
Cryptography->Minimum key size: 2048
Cryptography->Request hash: SHA256
Security: Both the windows and mac domain computer objects have (read,enroll, autoenroll).
Subject Name->Build from this Active Directory information: Subject name format: common name
Subject Name: Only UPN is checked
The schema version of the template is 3 and the version of the template is 100.43
Both computers are joined to the Active Directory 2008 R2 domain.  Certificate services exist within the site on their own dedicated servers.  The CAs are as follows: 1 x 2012 R2 offline root and 2 x Issuing CAs.
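As an added example (not part of the original post), the following Python decodes the HRESULT structure behind the error codes quoted on this page. ManagedClient.log prints the value as a signed decimal (-2147024809 above); the Windows event log and the other posts on this page print it as hex (0x800706ba). The decoder converts the two's-complement value to unsigned, splits out the severity bit, the 11-bit facility and the 16-bit code, and names the few Win32/SSPI codes that actually occur here; the name tables are a hand-picked subset, not the full winerror.h.

```python
"""Decode 32-bit Windows HRESULT values (added example; the code tables are a
small hand-picked subset covering the codes that appear on this page)."""
from dataclasses import dataclass
from typing import Union

FACILITY_WIN32 = 7
FACILITY_SSPI = 9

FACILITY_NAMES = {
    0: "FACILITY_NULL",
    FACILITY_WIN32: "FACILITY_WIN32",
    FACILITY_SSPI: "FACILITY_SSPI",
}

# Win32 error codes seen in this thread (subset of winerror.h).
WIN32_ERRORS = {
    87: "ERROR_INVALID_PARAMETER",
    1326: "ERROR_LOGON_FAILURE",
    1722: "RPC_S_SERVER_UNAVAILABLE",
}

# SSPI/Schannel codes (facility 9) seen in this thread.
SSPI_ERRORS = {
    0x0349: "SEC_E_CERT_WRONG_USAGE",
}


@dataclass(frozen=True)
class HResult:
    value: int      # unsigned 32-bit representation
    severity: int   # 1 = failure, 0 = success
    facility: int   # 11-bit facility field (bits 16..26)
    code: int       # 16-bit code field
    name: str       # symbolic name if known, otherwise a description

    def __str__(self) -> str:
        return f"0x{self.value:08X} ({self.name})"


def to_unsigned32(raw: Union[int, str]) -> int:
    """Accept a signed decimal (as ManagedClient.log prints it), an unsigned
    int, or a '0x...' hex string, and return the unsigned 32-bit value."""
    if isinstance(raw, str):
        text = raw.strip()
        n = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    else:
        n = int(raw)
    if not -(1 << 31) <= n < (1 << 32):
        raise ValueError(f"not a 32-bit value: {raw!r}")
    return n & 0xFFFFFFFF       # two's-complement -> unsigned


def decode_hresult(raw: Union[int, str]) -> HResult:
    value = to_unsigned32(raw)
    severity = value >> 31
    facility = (value >> 16) & 0x07FF   # bits 27..30 are reserved flag bits
    code = value & 0xFFFF
    if value == 0:
        name = "S_OK"
    elif facility == FACILITY_WIN32:
        name = WIN32_ERRORS.get(code, f"Win32 error {code}")
    elif facility == FACILITY_SSPI:
        name = SSPI_ERRORS.get(code, f"SSPI error 0x{code:04X}")
    else:
        fac = FACILITY_NAMES.get(facility, f"facility {facility}")
        name = f"{fac} code 0x{code:04X}"
    return HResult(value, severity, facility, code, name)


def hresult_from_win32(win32_code: int) -> int:
    """HRESULT_FROM_WIN32: wrap a Win32 error code in a failing HRESULT."""
    if win32_code <= 0:
        return win32_code & 0xFFFFFFFF
    return 0x80000000 | (FACILITY_WIN32 << 16) | (win32_code & 0xFFFF)


if __name__ == "__main__":
    # The three codes quoted on this page, in the forms they were logged.
    for logged in (-2147024809, "0x800706ba", -2146892983):
        print(f"{logged!s:>14} -> {decode_hresult(logged)}")
```

Run stand-alone it prints the three codes from this page in decoded form; -2147024809 comes out as 0x80070057, a FACILITY_WIN32 wrapper around Win32 error 87, while the 0x800706ba seen in the RPC threads is Win32 error 1722.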

Hi Alexander,
But by group should work by design, or did I get something wrong?
I am not sure that I understand this query correctly, I’ll just put it this way, feel free to correct me if I misunderstood:
Access control assignment on a group will grant the corresponding permissions to all members within it; these are called inherited permissions.
If there is a direct access control entry which assigns permissions to a
single security principal belonging to the group, then the direct permissions take precedence; these are called explicit permissions.
Well, if a security principal belongs to two or more groups, and each group gets conflicting permissions, then the more
restrictive (deny or not allow) ones take precedence. This rule goes the same for explicit permissions: more restrictive ones have higher precedence.
In addition, here are some scripting forums below for you if there are any scripting requirements:
The Official Scripting Guys Forum
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
Windows PowerShell Forum
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell&filter=alltypes&sort=lastpostdesc
MSDN Forums
https://social.msdn.microsoft.com/Forums/en-US/home
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]

Similar Messages

  • Certificate Enroll Errors RPC Server Is Unavailable

    I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year to a year and a half ago and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles.
    Well that DC started to die so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role but as I understand, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the
    first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities
    on all computers and I find in the event log the following error when I log in to our domain machines of them trying to contact each of the old CA servers:
    Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
    Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers and I have no idea why we needed so many servers to be root CAs in the first place. Anyhow, I was wondering if the proper procedure
    would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation of removing a root CA from your environment. I still see some errors and machines requesting to check for stuff
    like CRL with the most recent root CA that we removed so I just wanted to check to see if all of these errors will go away once we finish the cleanup and if there is anything special that needs to be done for the potentially orphaned root CA's. We did take
    a backup of the 2008R2 CA (the one that was on the dying DC) before we removed the role and I have confirmed that our production CA (the one that we would like to remain in production - is a sub CA of an offline root) has already issued new machine and DC
    certs to our domain machines and domain controllers.
    Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!

    Hello,
    the root CA normally is the first one in a forest issuing the certificates for the subordinate CAs if required or for certificates.
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    So there is no need for multiple root CAs.
    To get rid of everything old and be sure the CA is configured correct for your needs I suggest to ask this in
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • UAG Certificate Enrollment Error, Logon Failure.

    Hi All,
    I have been configuring UAG with the help of TLG provided online. On one machine I have to enroll
    IP-HTTPS listener certificate. For that i have followed following steps.
    Run > mmc > files > Add/Remove snap-in > certificate
    on the new window I select computer account then next
    then Local Computer Then Finish.
    Now, Right Click on the details Pane All Tasks > Request New Certificate > AD Enrollment policy
    Now After Clicking Next I am getting Error 
    Enrollment Error
    Logon Failure: Unknown Username or Bad Password.
    Recently I have change only this system's password (System Name UAG2SERVER)
    Can anyone please help.

    Hi,
    have you created a rule in the TMG console to allow all traffic to your CA? Otherwise the cert enrollment will fail.
    I do not understand what you mean when you say that you have changed the system password. Are you logged in with a domain account?
    regards,
    Lutz

  • Android device enrollment errors with ConfigMgr + Intune lab

    I have been setting up a ConfigMgr 2012 R2 CU4 + Intune lab at home over the last week following the below two guides. 
    http://blogs.technet.com/b/matt_hinsons_manageability_blog/archive/2014/11/25/setting-up-windows-intune-configmgr-2012-r2-with-adfs-on-prem-and-azure-lab-part-4.aspx
    http://schd.ws/hosted_files/mms2014/f3/MMS_Intune_ADFS_kb_tdk_v1.1_F.pdf
    I have everything setup and appears to be working, but I cannot enroll an Android device. 
    https://enterpriseenrollment.potentengineer.com
    https://enterpriseregistration.potentengineer.com
    I get the following error on two separate Android devices from the Company Portal app. I get to the login page, type in the username [email protected], it redirects before I can put in a password and then I get the error. 
    Here are the
    diagnostic logs from the device. 
    I have confirmed the account and domain are setup properly in Intune. 
    I am able to login into the web interface with [email protected] without issue, but I cannot seem to enroll either of my devices. 
    My biggest concern is a certificate issue. I was trying to set this up without a wildcard cert because of the price. I got a UCC SSL cert from GoDaddy. 
    Domain: potentengineer.com
    SAN: enterpriseregistration.potentengineer.com
    SAN: fs.potentengineer.com
    I am not sure what else to do, any chance the cert is not setup properly? 
    Daniel Ratliff | http://www.PotentEngineer.com |
    @PotentEngineer

    I can't imagine that it would help, because you're using the certificate for your AD FS and not for
    enterpriseenrollment.potentengineer.com. For internal connections to AD FS you need the internal FQDN on the SAN and for external connections to AD FS (via WAP) you need the Internet FQDN on the SAN.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

    We find ourselves in a difficult situation with the
    Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
    "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
    There is no additional information in the VPN client logs where we have set 3-High for all logs.
    In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
    To create and enrol a certificate we do the following:
    1. Click on the Enroll button to show the Certificate Enrolment dialog
    2. Select  Online
    3. Select <New> for Certificate Authority
    4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
    5. Click Next to display the dialog where we can enter certificate details
    6. Enter details in all fields except IP Address and Domain
    7. Click Enroll, which shows a dialog with the Error 42 ... message in it.
    If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
    The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
    We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
    Thank you
    Emil

    FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
    Cisco2691#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Cisco2691(config)#crypto pki server CERTSERVER
    Cisco2691(cs-server)#grant ?
      auto     Automatically grant incoming SCEP enrollment requests
      none     Automatically reject any incoming SCEP enrollment request
      ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
    Cisco2691(cs-server)#grant auto
    % The CS config is locked. You need to shut the server off before changing its configuration.
    Cisco2691(cs-server)#shut
    Cisco2691(cs-server)#grant auto
    Cisco2691(cs-server)#
    Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
    Cisco2691(cs-server)#no shut
    % Certificate Server enabled.

  • Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

    I have a lot of background on this question so bear with me please. :)
    I am tasked with getting our domain from 2003 to 2008 level. In order to do that I brought up a 2008 R2 server into the domain and did dcpromo to get it to "play" with the two other 2003 DCs. All is working pretty well except that I'm getting the auto-enrollment
    error above not because of a configuration error but because before I even came to work here the Root CA machine was taken out of service and disposed of! So the unable to contact is a true error. The machine no longer exists! I'm sure I'll have to re-setup
    a Root CA but wanted some guidance on the path to take on getting from where I am (broke!) to back to healthy!
    thanks in advance,
    Leo

    Hi Vadims,
    I do have exactly the same problem as described above. The Root CA no longer exist and the certificates are about to expire, however I have checked the expiration date of the certificate using certmgr in the AD servers (Three server cluster) and I have found
    different expiring dates for the same certificate as described below. 
    Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Active directory User Object > CONTOSO-CA (exp 17/05/2014)
    We currently have an AD cluster made up of three Windows Server 2008 servers and currently no Certificate Authority role installed on any of them. 
    I also have seen using certmgr that all machines in the company have the certificate CONTOSO-CA in the following way:
    Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Active directory User Object > Not present
    My question is, can I safely decommission the certificate following the procedure stated above (step 6)? what will be the impact of this certificate (Active directory user object) expiring?
    Thanks in advance
    Cesar

  • Hyper-V host fails with "RPC Server unavailable" error when I try to promote Windows Server in virtual machine to a domain controller

    Host: Windows Server 2012 R2 with Hyper-V and RRAS (for Internet over NAT)
    VM: Windows Server 2012 R2 with installed Active Directory Domain Services
    When I open AD DS configuration window (“promote this server to a domain controller”) many services and programs on my host (include Hyper-V, RRAS & Server Manager) fails with RPC Server unavailable error.

    Hello Aleksandr,
    There wasn't any configuration information, ipconfig /all, network setup, etc. So it's difficult to tell.
    More importantly, are you trying to promote the host server? If yes, that is not advised, for one, because it's a Hyper-V server, (not suggested at all), and two, RRAS is installed. RRAS is problematic with any domain controller because it turns it into
    a multihomed domain controller.
    Active Directory communication fails on multihomed domain controllers
    http://support.microsoft.com/kb/272294/
    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, management interfaces, backup interfaces, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are ways to
    configure a DC with registry mods:
    http://blogs.msmvps.com/acefekay/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters/
    7 Reasons not to Make Hyper-V a Domain Controller
    http://www.altaro.com/hyper-v/reasons-not-to-make-hyper-v-a-domain-controller/
    Domain Controller as Hyper-V host
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/4ff14bec-a815-473b-8d2a-33e91e17197b/domain-controller-as-hyperv-host?forum=winserverhyperv
    Networking?
    I don't know how your networking is setup, whether there are multiple NICs on the host server, if they are teamed, if you have the host interface set to allow the operating system to share administration, or if there are separate interfaces for each. Can
    the host OS ping/communicate with the DC virtual machine?
    If there are more than one NIC, you have the choice to team the NICs and share the Teamed NICs for the Hyper-V OS and the VMs, or keep them separate where one is devoted for the Hyper-V OS, and one for the VMs.
    Hyper-V Server VLAN Network Configuration
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0aa71d2a-ebf9-4a3e-bbf5-94db55339fa2/hyperv-server-vlan-network-configuration?forum=winserverhyperv 
    Recommendation:
    Why not just create another VM DC?
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Bare metal restore of full server backup fails with RPC error 0x800706BA (server 2012)

    With Windows Server 2012, after creating a successful windows server backup (full server), I am unable to do a bare metal restore of the system.
    EFI System Partition, C:, D: are the volumes on a single array (Raid 5).
    Loading WinRE and launching re-image, the full server restore stops after completing the C: restore just after beginning the D: drive restore (data volume) with the error with the message about RPC error 0x800706BA, unavailable.
    The system will not boot as a result of the failure. 
    What may be causing this?
    [edit]
    I think I have two things working against me here... one, Volume Shadow Copy service wasn't running in WinPE and two.. the D: volume contains data deduplication.
    I think this is causing some of my problems.
    Is there an additional service that I need to start in WinPE to get a volume that was deduplicated restored perhaps using wbadmin?

    Hi,
    Thanks for the reply Shaon.
    The hardware system is identical; however, I am increasing storage capacity from 12TB to 16TB.  Basically, the system is the same, just new hard drives (4x4TB versus 4x3TB).  Drives are all identical enterprise class drives and I am actually using
    the same system (backup, swap drives then restore).
    I tried both using the WinRE restore (re-image) with the backup set, and tried using wbadmin.  Both produce same RPC unavailable messages (although using the GUI based tool via WinRE provides the additional error code #).
    I do not have any idea what to look at to try to figure this one out.
    [edit]
    I was just informed of this posting:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/147efccc-e0e9-4458-852e-c3a44ae5cb64/the-system-image-restore-failed-error-details-he-rpc-server-is-unavailable-0x800706ba?forum=windowsbackup
    and in my case, this lab server does in fact act also as a DC as well as a file server...  do I need to spin up a secondary controller (perhaps in a VM on another machine) to do this restore?

  • Error: Validity of Certificate from list with PSE type PSE ends in 3 da

    Hello,
    our system is reporting the following warning
    Error: Validity of Certificate from list with PSE type > PSE < ends in 1 days, more notes on system log (SM21)
    We check the transaction STRUST and STRUSTSSO2, the certificate between ERP and EP expires today. The ERP system is SAP R/3 Enterprise and EP release is 6.20
    Please how can we create the certificate in that releases of SAP ERP and EP, we only found information about this procedure in the newest releases.
    Thanks

    Hi
    Is the SAP Logon certificate going to expire? From Portal to ERP?
    If this is PSE then follow this link: http://help.sap.com/saphelp_nw2004s/helpdata/EN/a6/f19a3dc0d82453e10000000a114084/frameset.htm
    Regards
    Ajay

  • SUN Volume Manager with rpc.metacld error

    Solaris 10 (x86) with latest recommend patch cluster ;
    SUN cluster 3.1 u4 with patch 120501-10
    There is always a rpc.metacld error. How to fix this issue?
    bash-3.00# scstat -n
    -- Cluster Nodes --
    Node name Status
    Cluster node: arcsunx42km2545 Online
    Cluster node: arcsunx42km0838 Online
    bash-3.00# hostname
    arcsunx42km0838
    bash-3.00# metaset -s new -a -h arcsunx42km2545 arcsunx42km0838
    Proxy command to: arcsunx42km2545
    rpc.metacld
    bash-3.00#
    bash-3.00#
    bash-3.00# metaset
    bash-3.00# metaset -s new -a -h arcsunx42km0838
    ERROR: arcsunx42km2545: rpc.metacld 13
    bash-3.00# svcs | grep meta
    online 4:56:08 svc:/network/rpc/metacld:default
    online 17:26:43 svc:/system/metainit:default
    online 17:26:44 svc:/network/rpc/meta:default
    online 23:31:38 svc:/network/rpc/metamed:default
    online 23:31:38 svc:/network/rpc/metamh:default
    bash-3.00#
    Message was edited by:
    skyqa

    I have the same problem,too.
    I fix it by run the command on another node.
    but I need to know the actual reason.
    who can give me a hand?
    thanks in advance!

  • Adding server in DAG failing with error Error: Cluster API failed: "AddClusterNode() (MaxPercentage=25) failed with 0x800706ba. Error: The RPC server is unavailable

    Hi, below are the environments
    DC: Win 2008 R2 SP1
    Exchange Server OS: Win  2012  R2 Std 
    Exchange : 2013 SP1 Ent
    Two Servers with CAS+MB role, already part of one DAG. I am trying to add one new server in existing DAG. The installation of Exchange 2013 completed successfully. However when I am adding it to the existing DAG, the below error is coming. Please help
    to solve the issue. Thanks in advance.
    A server-side database availability group administrative operation failed with a transient error. Please try the operation again. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: "AddClusterNode() (MaxPercentage=25)
    failed with 0x800706ba. Error: The RPC server is unavailable" [Server: cluster owner FQDN]
    Manu

    Hi Manu,
    As Deepak mentioned, please try to enable IPv6 on all member servers first.
    Based on my research, In Microsoft Exchange Server 2013, IPv6 is supported only when IPv4 is also installed and enabled. If Exchange 2013 is deployed in this configuration, and the network supports IPv4 and IPv6, all Exchange servers can send data to and
    receive data from devices, servers, and clients that use IPv6 addresses.
    Please also configure or disable Firewall to allow the connection.
    Thanks
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Mavis Huang
    TechNet Community Support

  • Verisign certificate response fails with Error 9508 -empty/invalid fields

    We are trying to generate a trial 14-day Certificate Response file from Verisign. It fails with error "Error 9508 - Certificate Signing Request contains empty field(s)" when supplied with the certificate request. We have made several attempts through transaction STRUST and via the sapgenpse command to create a certificate request file with a unique DN which has values for CN, OU, O, ST, L, C. But no success.
    Has anyone successfully created a CSR for Verisign to enable SSL in NW2004s?
    Thanks,
    Asif

    Have you tried putting all in one file and then importing the CSR?
    -----BEGIN CERTIFICATE-----
    <Base64-coded contents of the re-issued certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Base64-coded contents of the certificate of the intermediate CA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Base64-coded contents of the certificate of the root CA>
    -----END CERTIFICATE-----
    If yes, then try putting each cert in an individual file and save it in .crt format to check that all certs are OK and valid.
    -Pinkle
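As an added example (not from the thread), the following Python splits a concatenated PEM bundle like the one described in the reply above into its individual certificates and checks, before anything is imported into STRUST, that every block is properly framed, that the Base64 body decodes, and that the decoded bytes form exactly one complete DER SEQUENCE (a truncated paste fails that check). The sample bundle is constructed: its three bodies are tiny DER placeholders standing in for the server, intermediate and root certificates, not real X.509 data.

```python
"""Split and sanity-check a concatenated PEM certificate bundle (added example,
not part of the thread). The sample bundle is constructed: its bodies are tiny
DER SEQUENCE placeholders, not real X.509 certificates."""
import base64
import re
from typing import List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_total_length(der: bytes) -> int:
    """Length the outer DER TLV claims for itself (tag + length + content)."""
    if len(der) < 2:
        raise ValueError("DER blob too short")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def split_pem_bundle(text: str) -> List[Tuple[str, bytes]]:
    """Return [(label, der_bytes), ...] in file order.

    Raises ValueError when a BEGIN/END pair is mis-framed (for example the
    leading dashes are missing), when the Base64 body does not decode, or when
    the decoded bytes are not one complete DER SEQUENCE."""
    blocks: List[Tuple[str, bytes]] = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        idx = len(blocks) + 1
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"block {idx} ({label}): bad Base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"block {idx} ({label}): not a DER SEQUENCE")
        if der_total_length(der) != len(der):
            raise ValueError(f"block {idx} ({label}): truncated or padded DER")
        blocks.append((label, der))
    # Every marker must belong to a well-formed block, else something is mis-framed.
    begins = text.count("-----BEGIN ")
    ends = text.count("-----END ")
    if not blocks or begins != len(blocks) or ends != len(blocks):
        raise ValueError(
            f"mis-framed bundle: {begins} BEGIN, {ends} END, {len(blocks)} parsed")
    return blocks


# Constructed sample: server cert, intermediate, root. Each body is the DER
# SEQUENCE { INTEGER n } (30 03 02 01 0n), standing in for a real certificate.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQM=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for i, (label, der) in enumerate(split_pem_bundle(SAMPLE_BUNDLE), 1):
        print(f"{i}: {label}, {len(der)} DER bytes")
```

The BEGIN/END markers need all five leading and trailing dashes; a bundle pasted without them is rejected as mis-framed rather than silently yielding zero certificates, which is the failure mode a chain import tool would otherwise report only as a generic parse error.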

  • Certificate Enrollment Problem

    I have a Windows Server 2008 Enterprise Root CA with a different Windows 2008 Server running the Cert Enrollment website (using SSL).  Any certificate that I attempt to request (Vista or XP) results in:
    ============================================
    Your request failed. An error occurred while the server was processing your request.
    Contact your administrator for further assistance.
    Request Mode:
    newreq - New Request
    Disposition:
    (never set)
    Disposition message:
    (none)
    Result:
    The RPC server is unavailable. 0x800706ba (WIN32: 1722)
    COM Error Info:
    CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
    LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0)
    Suggested Cause:
    This error can occur if the Certification Authority Service has not been started.
    =================================
    The Windows Firewall is off between the web enrollment server and the CA, but only 443 is open in to the web enrollment server from externally.
    What am I missing here?  This is rapidly becoming a showstopper.
    Thanks,
    BH

    I'm having a slightly related problem.  I have Certificate Services running on a Windows 2008 Enterprise Edition 64-bit.  I installed it as a Enterprise subordinate CA, using a certificate from the original enterprise CA.  It is set up as  I am trying to enroll a certificate on another computer.  When I use "Automatically Enroll and Retrieve Certificates",  I see the certificate I want.  However, when I try to enroll it I get the following error:
    The RPC server is unavailable.
    The certificate request could not be submitted to the certificate authority.
    There are no firewalls between the certificate authority and I tried using the certutil ping command as stated above and I got an 'is alive' reply from the CA.
    Any idea what my hang up could be?

  • NDES Certificate Enrollment on Surface fails

    Hi all
    I implemented a NDES infra based on Pietrs Blog in my Sandpit Lab (Infra runs on ConfigMgr 2012 R2 CU4), OS 2012 R2
    http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx I repeated each step sure 2 or 3 times.
    If I try to assign a Client Cert/user Cert (both of them) it always fails 0X87D1FDE8 Remediation failed as posted here
    https://social.technet.microsoft.com/Forums/en-US/15aebec7-4870-49af-8c0c-17d3d376783a/ndes-scep-certificate-profile-0x87d1fde8-remediation-failed-deployment-of-certificate-profiles?forum=configmanagermdm&prof=required
    (All certs are newly re-created. NDES, CRP newly installed). If no enrollments of certs were possible I could understand it, but Android 4.2 devices are enrolling like a charm. A detail: the NDES server is reachable via WAP Proxy but this works (if I enter
    the Test URL I'm able to open the cert file). Finally on the Surface the Regkey in the MDM Hive is created and the NDES URi is available. All Log Files are looking fine.
    Any ideas/help or tips will be very appreciated.
    Cheers,
    +Mat

    All
    It is running now. It was a heavy war in my lab ... ;-) - and arose from several misconfigured components and settings. For an easier overview, enclosed by component:
    CA
    I have an Enterprise Root CA with a subordinate Issuing CA in the lab. Failure 1: The lifetime of the Issuing CA cert was only configured for 2 years. So I changed this using certutil to 10 years (Root CA 20 years, Issuing 10 years). Failure 2: The NDES
    template had a longer lifetime than the Issuing CA. This raised in the failed cert request the issue "Life time incorrect"
    WAP Proxy
    On the WAP Proxy the required Settings
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    Value: MaxFieldLength
    Type DWORD
    Data: 65534 (decimal)
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters  
    Value: MaxRequestBytes
    Type DWORD
    Data: 65534 (decimal)       
    were applied but the required December Update 2014 Hotfix
    http://blogs.technet.com/b/ems/archive/2014/12/11/hotfix-large-uri-request-in-web-application-proxy-on-windows-server-2012-r2.aspx was not properly installed (the WAP Proxy is a Workgroup Server)
    NDES
    In the HTTP settings listed above I made a mistake (Dec and Hex), so typically a copy/paste error.
    CRP
    At least one Server is properly configured
    Some Remarks
    Within the policies both certs, Root and Issuing CA, have to be deployed to the Root Store. Later on in the configuration for the SCEP cert enrollment the template of the Issuing CA has to be chosen.
    Very happy that this is rolling. Next step is to configure the WIFI Network (NPAS) that only devices with a valid Client certificate can use them.
    The biggest pain Overall is that the logging process is not really helpful and confusing e.g. the MCSEP.log reports
    2905.902.0:<2015/4/14, 19:31:3>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 44D6EDAE C3C7C52F DE1B2CE4 9C102C22 5DF4CC54 but the enrolling is working fine. Here Microsoft should investigate for a better overview.
    Cheers,
    +mat

  • MAC OS X Certificate Enrollment

    I want to use this configuration for MAC OS X certificate enrollment. What is required on the Windows PKI side for this to work? Do I need NDES or something else?
    Thank you.
    MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008

    The Macintosh OS lacks any long term certificate life-cycle management and the difficulty of enrollment and lack of renewal generally makes this un-scalable. Third party products fill the gap - such as AirWatch or Mobile Iron.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
