Enrollment of certificate producing error 0x800706be

Anonymous
2024-09-12T10:09:25+00:00

Not so much a question but a post so that other users can find this in the future.

We recently started experiencing an issue where our SUB-CA (2012R2) was not delivering certificates to either users or computers. When requesting a certificate manually it would report an RPC error, 0x800706be. Doing a search for that error returns a lot of items, but most of them relate to a slightly different error which ends in 706ba.

I followed those guides and the Microsoft build guide, making sure that all permissions to DCOM etc. were correct. I then created a group policy to set the local security settings and enabled auditing and various other settings as required. I then checked that all the required ports were open on our internally hosted firewalls and started collecting traces and the like. The traces on the firewall showed no blocks, but traces on the client/CA would show the certificate request being delivered to the CA and then, after 60 seconds or so, the connection being closed. Logging of the certsrv process on the CA server showed no request being passed through from the client at all, whereas when testing, the Sub-CA could request or create a certificate for itself and it all worked.

As the CA and the client seemed to be communicating correctly, we looked at communication from the CA to Active Directory. Once again all ports as per the documentation were checked on the local firewalls and confirmed to be open. Testing with TNC showed all ports open to the server. So we requested advanced logging on the DC server and ran traces again. Still nothing of any excitement jumped out at us. (I will be going back through these logs at some point though.)

It was at this point we came to the incorrect conclusion: we assumed the issue must be with the CA's OS. (We have had similar experiences with other systems previously.) This was no problem, as we had to update the servers to 2019 at some point anyway. So we did a migration from 2012 to 2019: 2 newly built servers with all roles transferred. Testing internally showed that our current authentication to WIFI still functioned correctly, so CRLs were good. But requesting certificates gave the same result, 0x800706be. Well, that was disappointing. I spent the next day watching traffic on the firewalls and even created rules to allow all - all from CA - DC, so nothing there was being blocked inside of the network.

As I knew the client certificate request workflow was fine and the CA appeared to be fine, the problem had to be with the domain controllers. These are managed by an external company so we generally don't mess with them, but the time had come. Logging onto the domain controllers and doing the standard checks showed that Windows Defender Firewall was turned on. So I requested it be turned off, and as soon as it was done certificate requests completed successfully. Turning the firewall back on brought back the error. Running through the list of required firewall ports showed everything as being open. I then started looking at the built-in Windows firewall rules for applications, and missing from the rule set was the Remote Event Log Management app (this applies 3 rules: RPC, NP-In, and RPC-EPMAP).

Once that rule was in place with the Defender firewall on, we could request certificates again. That rule set is enabled by default using group policy on all our development servers, but that policy is not applied to domain controllers; instead the firewall rules were being set locally.

I did manage to work out when the issue started, but cannot see anything in the logs to show a change to the local firewall rules on the domain controllers at that time. The rule was not enabled on either our primary or secondary DCs. I think all the other tests we did were passing and saying all good because the ports themselves were open, but the firewall was blocking access to the actual application.

TL;DR: Check Windows Defender Firewall on domain controllers and CAs. If enabled, make sure that the rule set of built-in apps includes the Remote Event Log Management app rules and that they are enabled for the correct profiles.

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

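The check described in the post, as an added PowerShell example (not from the original poster or from Microsoft): it lists the state of the built-in "Remote Event Log Management" rule group (the RPC, NP-In and RPC-EPMAP rules) per profile on a local or remote machine, reports whether each rule comes from local policy or a GPO, enables the domain-profile rules where they are missing, and queries the Security log for the audit events that would have recorded a rule change. Assumptions: the script runs with administrative rights, CIM/WinRM access to the target domain controller is allowed, and the host names in the usage comment are constructed placeholders.

```powershell
<#
  Added example, not part of the original post or any Microsoft guidance.
  Inspects and repairs the "Remote Event Log Management" firewall rule group
  and looks for audit evidence of firewall rule changes.
  Assumes: admin rights, and CIM (WinRM) access to -ComputerName.
#>

function Get-RemoteEventLogRuleStatus {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Display group name exactly as it appears in the Windows firewall UI.
        [string]$DisplayGroup = 'Remote Event Log Management'
    )

    $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        # Profiles that are actually enforcing; a disabled profile explains a "works until firewall on".
        Get-NetFirewallProfile -CimSession $session | ForEach-Object {
            Write-Verbose ("{0}: profile {1} enabled={2}" -f $ComputerName, $_.Name, $_.Enabled)
        }

        # No objects at all means the rule set is absent, not merely disabled.
        $rules = Get-NetFirewallRule -CimSession $session -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue
        if (-not $rules) {
            Write-Warning "$ComputerName`: no rules found for group '$DisplayGroup'"
            return
        }

        foreach ($rule in $rules) {
            # Port filter shows what each rule opens; Test-NetConnection on these
            # ports alone cannot tell you whether the *application* rule is enabled.
            $port = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Computer  = $ComputerName
                Rule      = $rule.DisplayName
                Enabled   = $rule.Enabled
                Profile   = $rule.Profile
                Direction = $rule.Direction
                Action    = $rule.Action
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                # Local vs. GroupPolicy: tells you where to fix it durably.
                Source    = $rule.PolicyStoreSourceType
            }
        }
    }
    finally {
        Remove-CimSession $session
    }
}

function Enable-RemoteEventLogRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$DisplayGroup = 'Remote Event Log Management'
    )

    $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        # Only the rules scoped to the Domain profile (or Any) are enabled:
        # DC <-> CA traffic is domain-network traffic, so Private/Public stay closed.
        Get-NetFirewallRule -CimSession $session -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue |
            Where-Object { $_.Profile -match 'Domain|Any' } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$ComputerName / $($_.DisplayName)", 'Enable firewall rule')) {
                    $_ | Enable-NetFirewallRule
                }
            }
    }
    finally {
        Remove-CimSession $session
    }
}

function Get-FirewallRuleChangeEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)

    # Security log: 4946 = rule added, 4947 = rule modified, 4948 = rule deleted.
    # These are written only when "Audit MPSSVC Rule-Level Policy Change" is
    # enabled, which is why a rule change can otherwise leave no trace.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4946, 4947, 4948
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (constructed host name):
# Get-RemoteEventLogRuleStatus -ComputerName 'DC01' -Verbose | Format-Table -AutoSize
# Enable-RemoteEventLogRules -ComputerName 'DC01' -WhatIf
# Get-FirewallRuleChangeEvents -ComputerName 'DC01' -Days 90
```

The status function is the one to run first on every DC: a rule whose Source is Local rather than GroupPolicy is exactly the situation described in the post, where the GPO that enforces the group elsewhere does not reach the domain controllers. Enabling only the Domain-profile rules keeps the exposure to the directory network, and the audit query documents whether rule-change auditing is even switched on before anyone goes looking for the event that would explain when the rule disappeared.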

1 answer

  1. Anonymous
    2024-09-12T10:36:12+00:00

    Hello Nicholas Farmer,

    Thank you for posting in Microsoft Community forum.

    And thank you for sharing the question in the thread; I think it would be very helpful for people with similar problems.

    Thank you again for your time and effort.

    If you have any questions or concerns, please feel free to let us know.

    Have a nice day!

    Best Regards,

    Daisy Zhou
