Certificate Services Web Enrollment Error

Ming Cheung 421 Reputation points
2020-12-31T07:28:21.087+00:00

I use certsrv/certrqxt.asp to enroll a cert, but I get an error. I am new to CA.
My teammate can use web enrollment normally; he uses his Windows account.
So I guess it is a permission problem with my account, but I don't know where to set it.
I wonder, can everyone use web enrollment without any permission setting? I don't know.

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
COM Error Info:
CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
LastStatus:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Suggested Cause:
This error can occur if the Certification Authority Service has not been started.


10 answers

  1. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2021-01-01T02:10:25.943+00:00

    Hello @Ming Cheung ,

    Thank you for posting here.

    Based on the description, I understand we want to enroll certificates via certsrv web page but failed with the error message above.

    To better understand our question, please confirm the following information at your convenience.
    1. Do you use your domain user account to log in to a domain-joined client, then enroll the certificate via the certsrv web page?

    2. When you request the certificate, do you select "User Certificate" or "advanced certificate request"?

    3. If you select "advanced certificate request", which one of the following two options do you select?
    - Create and submit a request to this CA.
    - Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    4. Can you see the specific certificate template that you want to use to enroll the certificate?

    5. Which certificate template do you use to request the certificate (user certificate template or computer certificate template)?

    6. Would you please check whether your account, or a user group containing your account, has Read and Enroll permissions for the specific certificate template on the CA server?

    If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Ming Cheung 421 Reputation points
    2021-01-03T15:37:46.313+00:00

    Hi Daisy Zhou
    thanks for your help

    I use "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
    I select a cert template for Web server, the same as my teammate,
    and that template has a group which has read, write, enroll only; I am in that group.

    Will any issued cert appear in the web enrollment selection box? It depends on my account permission, right?


  3. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2021-01-04T02:37:40.283+00:00

    Hello @Ming Cheung ,

    Thank you for your update.

    Here are the steps for your references.

    Step 1. On the CA server, duplicate one specific certificate template based on your needs and requirements.

    For example:
    Copy of Web server

    Subject Name tab
    Select “Supply in the request”

    Tip: we must select “Supply in the request” under the Subject Name tab, then we can see this certificate template through the web page.

    Security tab
    Authenticated Users: Read and Enroll permissions
    Domain Computers or specific machine name: Read and Enroll permissions (because it is a computer certificate template, we should give your machine Read and Enroll permissions).

    Step 2. Issue the certificate template on the CA server.

    Step 3. Create the CSR file on your machine (please refer to the steps in the following similar case).
    On the machine we want to request certificate using web server certificate template, open certlm.msc and create CSR file.

    Step 4. Log on to your domain-joined machine using your domain account and request the certificate.

    For more information we can refer to the similar case with a marked answer (I have replied before):
    Unable to sign CSR with Microsoft Windows CA
    https://learn.microsoft.com/en-us/answers/questions/89382/unable-to-sign-csr-with-microsoft-windows-ca.html

    Hope the information above is helpful, if anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  4. Ming Cheung 421 Reputation points
    2021-01-04T07:47:29.307+00:00

    Hi Daisy Zhou

    Before I change the settings, I want to clarify some points.

    1. I have permission in the "properties -> security" of the existing cert template. If I change the permission, do I need to press "Certificate template to issue" again to make it effective?
    2. If I press "Certificate template to issue" again, is there any effect on the issued cert? Any point I should care about?
    3. I suppose the selection box of cert templates on the web enrollment page must be affected by permission, by asking for the login account when accessing the page, but I have read and enroll permission, so I should be able to see and enroll in web enrollment. Is there any log file where I can see the detailed reason for the error?

    thank you


  5. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2021-01-05T02:28:15.43+00:00

    Hello @Ming Cheung ,

    Here are the answers for your references.

    1. I have permission in the "properties -> security" of the existing cert template. If I change the permission, do I need to press "Certificate template to issue" again to make it effective?
      A1: There is no need to press "Certificate template to issue" again.
    2. If I press "Certificate template to issue" again, is there any effect on the issued cert? Any point I should care about?
      A2: There is no need to press "Certificate template to issue" again.
    3. I suppose the selection box of cert templates on the web enrollment page must be affected by permission, by asking for the login account when accessing the page, but I have read and enroll permission, so I should be able to see and enroll in web enrollment. Is there any log file where I can see the detailed reason for the error?
      A3: Make sure:
      Authenticated Users: Read and Enroll permissions
      Domain Computers or specific machine name: Read and Enroll permissions (because it is a computer certificate template, we should give your machine Read and Enroll permissions).

    If all of the above are configured correctly, you should see the duplicated web server certificate template (even though you log on to the domain client using a normal domain account).

    Tips:
    1. You can restart your domain client and sign in again, then wait for 10-20 minutes.
    2. I have tested this in my lab; the screenshot in my last reply is for your reference.

    Best Regards,
    Daisy Zhou
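
Added example, not part of the thread above: a PowerShell check that separates a connectivity failure (the 0x800706ba in the question) from a template-permission problem before retrying enrollment. The CA host, CA name, template name and `request.csr` path are assumed placeholders; run it on the server that hosts the certsrv pages, since that is where `CCertRequest::Submit` is called.

```powershell
# Added example (not from the thread). All values below are assumed placeholders.
$CaHost   = 'ca01.contoso.example'   # hypothetical CA server FQDN
$CaName   = 'Contoso-Issuing-CA'     # hypothetical CA common name
$Template = 'CopyofWebServer'        # hypothetical template name (not the display name)
$Config   = "$CaHost\$CaName"

function Test-CaReachability {
    param([string]$CaHost, [string]$Config)

    # 1. Is the Certification Authority service (CertSvc) running?
    #    Querying a remote service control manager needs rights on the CA host.
    $scOutput = & sc.exe "\\$CaHost" query CertSvc
    if ($LASTEXITCODE -ne 0) {
        $service = 'Unknown (query failed)'
    } elseif ($scOutput -match 'RUNNING') {
        $service = 'Running'
    } else {
        $service = 'Not running'
    }

    # 2. Is the RPC endpoint mapper (TCP 135) reachable from this machine?
    $rpc = Test-NetConnection -ComputerName $CaHost -Port 135 `
               -InformationLevel Quiet -WarningAction SilentlyContinue

    # 3. Does the CA's certificate request interface answer?
    & certutil.exe -config $Config -ping | Out-Null
    $ping = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{ CertSvc = $service; Rpc135 = $rpc; CaPing = $ping }
}

$check = Test-CaReachability -CaHost $CaHost -Config $Config
$check | Format-List

if ($check.CaPing) {
    # The CA answers, so RPC is not the problem: list the templates this CA issues,
    # then submit an existing PKCS #10 file directly instead of through the web page.
    & certutil.exe -config $Config -CATemplates
    & certreq.exe -submit -config $Config -attrib "CertificateTemplate:$Template" `
        .\request.csr .\issued.cer
} else {
    Write-Warning 'CA not reachable over RPC: check CertSvc and firewall rules before template permissions.'
}
```

If `CaPing` is true but `certreq -submit` is denied, the remaining suspects are the template's Read and Enroll permissions discussed in the answers above.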

