RPC Server Unavailable When Requesting Computer Certificate

Hi,

I'm trying to set up a machine for use with our VPN. We will be using L2TP &
smartcards, so I need to request a computer certificate. Up till now I've
been able to configure most computer when people are in the office,
connected to the domain, using automatic certificate deployment via group
policy. However we have 1 user who is not going to be in the office, but
needs VPN access.

So I've changed the VPN access to allow PPTP temporarily, and asked him to
connect, then I've used remote assistance to terminal service into his
machine. From there I've managed to use the web based enrollment to download
the CA certificate, and tried to use the certificates MMC snap in to request
a computer certificate. However I get the initial screen up, asking which
certificate I'd like, common name etc, but when I press finish, the system
hangs for about 10 seconds, then errors with "RPC Server is unavailable".

At first I thought this might be a firewall issue, as he was running windows
firewall, as well as Symantec firewall. So I disabled both, and also the
firewall on his 3com router. However after trying again, with a number of
reboots, it still errors. I can ping the CA, the domain, and other
computers.

Does anyone have any ideas as to how I can successfully request a computer
certificate? Is there another way of doing it? I notice there is no computer
certificate option in the web enrollment form, even though the template has
been added to the CA.

We're using ISA 2004 as the VPN server, and it's allowing all protocols
through from VPN > internal, and Internal > VPN. The DC is windows 2003
server, and the client machine is Windows XP pro SP2.

Many thanks

Ben

Ozone
Tue Sep 20 13:21:03 CDT 2005

The one thing that I would do it to start Netmon on both ends and run them
while making the request for the cert. you should see one of them come back
with a Port access issue. With this info, you will know what you need to do
on the firewall for RPC to work and allow for the cert request to work
properly...

"Ben" wrote:

> Hi,
>
> I'm trying to set up a machine for use with our VPN. We will be using L2TP &
> smartcards, so I need to request a computer certificate. Up till now I've
> been able to configure most computer when people are in the office,
> connected to the domain, using automatic certificate deployment via group
> policy. However we have 1 user who is not going to be in the office, but
> needs VPN access.
>
> So I've changed the VPN access to allow PPTP temporarily, and asked him to
> connect, then I've used remote assistance to terminal service into his
> machine. From there I've managed to use the web based enrollment to download
> the CA certificate, and tried to use the certificates MMC snap in to request
> a computer certificate. However I get the initial screen up, asking which
> certificate I'd like, common name etc, but when I press finish, the system
> hangs for about 10 seconds, then errors with "RPC Server is unavailable".
>
> At first I thought this might be a firewall issue, as he was running windows
> firewall, as well as Symantec firewall. So I disabled both, and also the
> firewall on his 3com router. However after trying again, with a number of
> reboots, it still errors. I can ping the CA, the domain, and other
> computers.
>
> Does anyone have any ideas as to how I can successfully request a computer
> certificate? Is there another way of doing it? I notice there is no computer
> certificate option in the web enrollment form, even though the template has
> been added to the CA.
>
> We're using ISA 2004 as the VPN server, and it's allowing all protocols
> through from VPN > internal, and Internal > VPN. The DC is windows 2003
> server, and the client machine is Windows XP pro SP2.
>
> Many thanks
>
> Ben
>
>
>

Steven
Tue Sep 20 16:47:57 CDT 2005

Your best bet would be to enable the "offline ipsec" certificate template
for the CA and have him request that via Web Enrollment. The RPC error is
usually because of a firewall problem or dns problem. If you had to you
could manually request the certificate yourself for that computer and
specify that computer name in the request. Then export the
certificate/private key from your computer [select option to export whole
certificate chain to include CA certificate] to a password protected.pfx
file and send it to the user with instructions how to import it into the
"computer" certificate store. Note that the user would need to be a local
administrator to request and install the certificate. --- Steve


"Ben" <bjblackmore@hotmail.com> wrote in message
news:e85CT7quFHA.1256@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I'm trying to set up a machine for use with our VPN. We will be using L2TP
> & smartcards, so I need to request a computer certificate. Up till now
> I've been able to configure most computer when people are in the office,
> connected to the domain, using automatic certificate deployment via group
> policy. However we have 1 user who is not going to be in the office, but
> needs VPN access.
>
> So I've changed the VPN access to allow PPTP temporarily, and asked him to
> connect, then I've used remote assistance to terminal service into his
> machine. From there I've managed to use the web based enrollment to
> download the CA certificate, and tried to use the certificates MMC snap in
> to request a computer certificate. However I get the initial screen up,
> asking which certificate I'd like, common name etc, but when I press
> finish, the system hangs for about 10 seconds, then errors with "RPC
> Server is unavailable".
>
> At first I thought this might be a firewall issue, as he was running
> windows firewall, as well as Symantec firewall. So I disabled both, and
> also the firewall on his 3com router. However after trying again, with a
> number of reboots, it still errors. I can ping the CA, the domain, and
> other computers.
>
> Does anyone have any ideas as to how I can successfully request a computer
> certificate? Is there another way of doing it? I notice there is no
> computer certificate option in the web enrollment form, even though the
> template has been added to the CA.
>
> We're using ISA 2004 as the VPN server, and it's allowing all protocols
> through from VPN > internal, and Internal > VPN. The DC is windows 2003
> server, and the client machine is Windows XP pro SP2.
>
> Many thanks
>
> Ben
>

Ben
Wed Sep 21 03:52:16 CDT 2005

Hi Steve,

Thanks for the reply. I had looked into doing this, but I couldn't find any
documentation on how to request a certificate on behalf of another computer
(lots of documentation for doing another user). I've installed the
certificate for "enrollment agent (computer)", but if I do 'request new
certificate' and select computer, I don't get the option to enter the other
computer name, even if I select advanced, I can put it in the friendly name,
but at the end on the details screen, computer name is still that of my
computer. If I try to export this, I don't get the option to export the
private key, it's greyed out. And the only certificate format I can export
to is DER encoded, Base-64 or Cryptographic message syntax, again the option
for PFX is greyed out!
If you know of any documentation that exists, could you point me in the
right direction!

Cheers

Ben


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uJ70H0ivFHA.2064@TK2MSFTNGP09.phx.gbl...
> Your best bet would be to enable the "offline ipsec" certificate template
> for the CA and have him request that via Web Enrollment. The RPC error is
> usually because of a firewall problem or dns problem. If you had to you
> could manually request the certificate yourself for that computer and
> specify that computer name in the request. Then export the
> certificate/private key from your computer [select option to export whole
> certificate chain to include CA certificate] to a password protected.pfx
> file and send it to the user with instructions how to import it into the
> "computer" certificate store. Note that the user would need to be a local
> administrator to request and install the certificate. --- Steve
>
>
> "Ben" <bjblackmore@hotmail.com> wrote in message
> news:e85CT7quFHA.1256@TK2MSFTNGP09.phx.gbl...
>> Hi,
>>
>> I'm trying to set up a machine for use with our VPN. We will be using
>> L2TP & smartcards, so I need to request a computer certificate. Up till
>> now I've been able to configure most computer when people are in the
>> office, connected to the domain, using automatic certificate deployment
>> via group policy. However we have 1 user who is not going to be in the
>> office, but needs VPN access.
>>
>> So I've changed the VPN access to allow PPTP temporarily, and asked him
>> to connect, then I've used remote assistance to terminal service into his
>> machine. From there I've managed to use the web based enrollment to
>> download the CA certificate, and tried to use the certificates MMC snap
>> in to request a computer certificate. However I get the initial screen
>> up, asking which certificate I'd like, common name etc, but when I press
>> finish, the system hangs for about 10 seconds, then errors with "RPC
>> Server is unavailable".
>>
>> At first I thought this might be a firewall issue, as he was running
>> windows firewall, as well as Symantec firewall. So I disabled both, and
>> also the firewall on his 3com router. However after trying again, with a
>> number of reboots, it still errors. I can ping the CA, the domain, and
>> other computers.
>>
>> Does anyone have any ideas as to how I can successfully request a
>> computer certificate? Is there another way of doing it? I notice there is
>> no computer certificate option in the web enrollment form, even though
>> the template has been added to the CA.
>>
>> We're using ISA 2004 as the VPN server, and it's allowing all protocols
>> through from VPN > internal, and Internal > VPN. The DC is windows 2003
>> server, and the client machine is Windows XP pro SP2.
>>
>> Many thanks
>>
>> Ben
>>
>
>

Ben
Wed Sep 21 03:53:11 CDT 2005

Hi Ozone,

Thanks for the reply, I will give the end user a call and give this a try
over emote assistance! Thanks for the advice!

Ben

"Ozone" <Ozone@discussions.microsoft.com> wrote in message
news:9A8AB0C9-8A91-4797-B24E-8548232C452D@microsoft.com...
> The one thing that I would do it to start Netmon on both ends and run them
> while making the request for the cert. you should see one of them come
> back
> with a Port access issue. With this info, you will know what you need to
> do
> on the firewall for RPC to work and allow for the cert request to work
> properly...
>
> "Ben" wrote:
>
>> Hi,
>>
>> I'm trying to set up a machine for use with our VPN. We will be using
>> L2TP &
>> smartcards, so I need to request a computer certificate. Up till now I've
>> been able to configure most computer when people are in the office,
>> connected to the domain, using automatic certificate deployment via group
>> policy. However we have 1 user who is not going to be in the office, but
>> needs VPN access.
>>
>> So I've changed the VPN access to allow PPTP temporarily, and asked him
>> to
>> connect, then I've used remote assistance to terminal service into his
>> machine. From there I've managed to use the web based enrollment to
>> download
>> the CA certificate, and tried to use the certificates MMC snap in to
>> request
>> a computer certificate. However I get the initial screen up, asking which
>> certificate I'd like, common name etc, but when I press finish, the
>> system
>> hangs for about 10 seconds, then errors with "RPC Server is unavailable".
>>
>> At first I thought this might be a firewall issue, as he was running
>> windows
>> firewall, as well as Symantec firewall. So I disabled both, and also the
>> firewall on his 3com router. However after trying again, with a number of
>> reboots, it still errors. I can ping the CA, the domain, and other
>> computers.
>>
>> Does anyone have any ideas as to how I can successfully request a
>> computer
>> certificate? Is there another way of doing it? I notice there is no
>> computer
>> certificate option in the web enrollment form, even though the template
>> has
>> been added to the CA.
>>
>> We're using ISA 2004 as the VPN server, and it's allowing all protocols
>> through from VPN > internal, and Internal > VPN. The DC is windows 2003
>> server, and the client machine is Windows XP pro SP2.
>>
>> Many thanks
>>
>> Ben
>>
>>
>>

Steven
Wed Sep 21 10:18:21 CDT 2005

I don't believe there is any documentation but I have tried it in the past
and it worked on a Windows 2000 Certificate Authority. If I remember
correctly the option to export the private key was changed so that it could
not be disabled in Windows 2003 for offline ipsec. Let me know more about
the CA you are using [ stand alone or enterprise] and the exact operating
system it is installed on as I believe I did find a way to do it on a
Windows 2003 Enterprise CA but I can't remember what I did offhand but I
will look into it further. --- Steve


"Ben" <bjblackmore@hotmail.com> wrote in message
news:O6BfGnovFHA.252@TK2MSFTNGP09.phx.gbl...
> Hi Steve,
>
> Thanks for the reply. I had looked into doing this, but I couldn't find
> any documentation on how to request a certificate on behalf of another
> computer (lots of documentation for doing another user). I've installed
> the certificate for "enrollment agent (computer)", but if I do 'request
> new certificate' and select computer, I don't get the option to enter the
> other computer name, even if I select advanced, I can put it in the
> friendly name, but at the end on the details screen, computer name is
> still that of my computer. If I try to export this, I don't get the option
> to export the private key, it's greyed out. And the only certificate
> format I can export to is DER encoded, Base-64 or Cryptographic message
> syntax, again the option for PFX is greyed out!
> If you know of any documentation that exists, could you point me in the
> right direction!
>
> Cheers
>
> Ben
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:uJ70H0ivFHA.2064@TK2MSFTNGP09.phx.gbl...
>> Your best bet would be to enable the "offline ipsec" certificate template
>> for the CA and have him request that via Web Enrollment. The RPC error is
>> usually because of a firewall problem or dns problem. If you had to you
>> could manually request the certificate yourself for that computer and
>> specify that computer name in the request. Then export the
>> certificate/private key from your computer [select option to export whole
>> certificate chain to include CA certificate] to a password protected.pfx
>> file and send it to the user with instructions how to import it into the
>> "computer" certificate store. Note that the user would need to be a local
>> administrator to request and install the certificate. --- Steve
>>
>>
>> "Ben" <bjblackmore@hotmail.com> wrote in message
>> news:e85CT7quFHA.1256@TK2MSFTNGP09.phx.gbl...
>>> Hi,
>>>
>>> I'm trying to set up a machine for use with our VPN. We will be using
>>> L2TP & smartcards, so I need to request a computer certificate. Up till
>>> now I've been able to configure most computer when people are in the
>>> office, connected to the domain, using automatic certificate deployment
>>> via group policy. However we have 1 user who is not going to be in the
>>> office, but needs VPN access.
>>>
>>> So I've changed the VPN access to allow PPTP temporarily, and asked him
>>> to connect, then I've used remote assistance to terminal service into
>>> his machine. From there I've managed to use the web based enrollment to
>>> download the CA certificate, and tried to use the certificates MMC snap
>>> in to request a computer certificate. However I get the initial screen
>>> up, asking which certificate I'd like, common name etc, but when I press
>>> finish, the system hangs for about 10 seconds, then errors with "RPC
>>> Server is unavailable".
>>>
>>> At first I thought this might be a firewall issue, as he was running
>>> windows firewall, as well as Symantec firewall. So I disabled both, and
>>> also the firewall on his 3com router. However after trying again, with a
>>> number of reboots, it still errors. I can ping the CA, the domain, and
>>> other computers.
>>>
>>> Does anyone have any ideas as to how I can successfully request a
>>> computer certificate? Is there another way of doing it? I notice there
>>> is no computer certificate option in the web enrollment form, even
>>> though the template has been added to the CA.
>>>
>>> We're using ISA 2004 as the VPN server, and it's allowing all protocols
>>> through from VPN > internal, and Internal > VPN. The DC is windows 2003
>>> server, and the client machine is Windows XP pro SP2.
>>>
>>> Many thanks
>>>
>>> Ben
>>>
>>
>>
>
>

Ben
Thu Sep 22 05:52:46 CDT 2005

Hi Steve,

Thanks for your help.

We're running Windows 2003 standard server SP1, with an Enterprise CA.
Clients are Windows XP SP2. Firewall/VPN server is ISA 2004 SP1.

Ben

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23CWAG$rvFHA.2312@TK2MSFTNGP14.phx.gbl...
>I don't believe there is any documentation but I have tried it in the past
>and it worked on a Windows 2000 Certificate Authority. If I remember
>correctly the option to export the private key was changed so that it could
>not be disabled in Windows 2003 for offline ipsec. Let me know more about
>the CA you are using [ stand alone or enterprise] and the exact operating
>system it is installed on as I believe I did find a way to do it on a
>Windows 2003 Enterprise CA but I can't remember what I did offhand but I
>will look into it further. --- Steve
>
>
> "Ben" <bjblackmore@hotmail.com> wrote in message
> news:O6BfGnovFHA.252@TK2MSFTNGP09.phx.gbl...
>> Hi Steve,
>>
>> Thanks for the reply. I had looked into doing this, but I couldn't find
>> any documentation on how to request a certificate on behalf of another
>> computer (lots of documentation for doing another user). I've installed
>> the certificate for "enrollment agent (computer)", but if I do 'request
>> new certificate' and select computer, I don't get the option to enter the
>> other computer name, even if I select advanced, I can put it in the
>> friendly name, but at the end on the details screen, computer name is
>> still that of my computer. If I try to export this, I don't get the
>> option to export the private key, it's greyed out. And the only
>> certificate format I can export to is DER encoded, Base-64 or
>> Cryptographic message syntax, again the option for PFX is greyed out!
>> If you know of any documentation that exists, could you point me in the
>> right direction!
>>
>> Cheers
>>
>> Ben
>>
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:uJ70H0ivFHA.2064@TK2MSFTNGP09.phx.gbl...
>>> Your best bet would be to enable the "offline ipsec" certificate
>>> template for the CA and have him request that via Web Enrollment. The
>>> RPC error is usually because of a firewall problem or dns problem. If
>>> you had to you could manually request the certificate yourself for that
>>> computer and specify that computer name in the request. Then export the
>>> certificate/private key from your computer [select option to export
>>> whole certificate chain to include CA certificate] to a password
>>> protected.pfx file and send it to the user with instructions how to
>>> import it into the "computer" certificate store. Note that the user
>>> would need to be a local administrator to request and install the
>>> certificate. --- Steve
>>>
>>>
>>> "Ben" <bjblackmore@hotmail.com> wrote in message
>>> news:e85CT7quFHA.1256@TK2MSFTNGP09.phx.gbl...
>>>> Hi,
>>>>
>>>> I'm trying to set up a machine for use with our VPN. We will be using
>>>> L2TP & smartcards, so I need to request a computer certificate. Up till
>>>> now I've been able to configure most computer when people are in the
>>>> office, connected to the domain, using automatic certificate deployment
>>>> via group policy. However we have 1 user who is not going to be in the
>>>> office, but needs VPN access.
>>>>
>>>> So I've changed the VPN access to allow PPTP temporarily, and asked him
>>>> to connect, then I've used remote assistance to terminal service into
>>>> his machine. From there I've managed to use the web based enrollment to
>>>> download the CA certificate, and tried to use the certificates MMC snap
>>>> in to request a computer certificate. However I get the initial screen
>>>> up, asking which certificate I'd like, common name etc, but when I
>>>> press finish, the system hangs for about 10 seconds, then errors with
>>>> "RPC Server is unavailable".
>>>>
>>>> At first I thought this might be a firewall issue, as he was running
>>>> windows firewall, as well as Symantec firewall. So I disabled both, and
>>>> also the firewall on his 3com router. However after trying again, with
>>>> a number of reboots, it still errors. I can ping the CA, the domain,
>>>> and other computers.
>>>>
>>>> Does anyone have any ideas as to how I can successfully request a
>>>> computer certificate? Is there another way of doing it? I notice there
>>>> is no computer certificate option in the web enrollment form, even
>>>> though the template has been added to the CA.
>>>>
>>>> We're using ISA 2004 as the VPN server, and it's allowing all protocols
>>>> through from VPN > internal, and Internal > VPN. The DC is windows 2003
>>>> server, and the client machine is Windows XP pro SP2.
>>>>
>>>> Many thanks
>>>>
>>>> Ben
>>>>
>>>
>>>
>>
>>
>
>

Brian
Thu Sep 22 10:19:20 CDT 2005

In article <uKZbFP2vFHA.2792@tk2msftngp13.phx.gbl>,
bjblackmore@hotmail.com says...
> Hi Steve,
>
> Thanks for your help.
>
> We're running Windows 2003 standard server SP1, with an Enterprise CA.
> Clients are Windows XP SP2. Firewall/VPN server is ISA 2004 SP1.
>
> Ben
>
Ben,
The biggest issue you face is that you can only issue certificates based
on version 1 templates in your configuration. An enterprise CA running
on standard edition cannot issue certificates based on version 2
templates.

Why I am harping on this is that if the CA was running on enterprise
edition, you could then create a custom v2 certificate template that
provides the subject in the request, and allows private key export.

brian

Steven
Thu Sep 22 12:06:50 CDT 2005

Brian explained what the solution was for Windows 2003 CA though that does
not look like a possibility for you unless you upgrade to Windows 2003
Server Enterprise Edition. What I would do is to enable the offline ipsec
template and then use the same method that you used to download the CA
certificate via Web Enrollment to request an offline ipsec certificate for
his computer via an advanced certificate request and being sure to select
the option to store certificate in local computer store. Otherwise you could
make the CA available to the user over the internet to request the
certificate via Web Enrollment even if just temporarily. By default the Web
Enrollment site uses integrated authentication which would not allow
anonymous access to the website. The server running IIS for Web Enrollment
does not have to be the CA either. --- Steve



"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23CWAG$rvFHA.2312@TK2MSFTNGP14.phx.gbl...
>I don't believe there is any documentation but I have tried it in the past
>and it worked on a Windows 2000 Certificate Authority. If I remember
>correctly the option to export the private key was changed so that it could
>not be disabled in Windows 2003 for offline ipsec. Let me know more about
>the CA you are using [ stand alone or enterprise] and the exact operating
>system it is installed on as I believe I did find a way to do it on a
>Windows 2003 Enterprise CA but I can't remember what I did offhand but I
>will look into it further. --- Steve
>
>
> "Ben" <bjblackmore@hotmail.com> wrote in message
> news:O6BfGnovFHA.252@TK2MSFTNGP09.phx.gbl...
>> Hi Steve,
>>
>> Thanks for the reply. I had looked into doing this, but I couldn't find
>> any documentation on how to request a certificate on behalf of another
>> computer (lots of documentation for doing another user). I've installed
>> the certificate for "enrollment agent (computer)", but if I do 'request
>> new certificate' and select computer, I don't get the option to enter the
>> other computer name, even if I select advanced, I can put it in the
>> friendly name, but at the end on the details screen, computer name is
>> still that of my computer. If I try to export this, I don't get the
>> option to export the private key, it's greyed out. And the only
>> certificate format I can export to is DER encoded, Base-64 or
>> Cryptographic message syntax, again the option for PFX is greyed out!
>> If you know of any documentation that exists, could you point me in the
>> right direction!
>>
>> Cheers
>>
>> Ben
>>
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:uJ70H0ivFHA.2064@TK2MSFTNGP09.phx.gbl...
>>> Your best bet would be to enable the "offline ipsec" certificate
>>> template for the CA and have him request that via Web Enrollment. The
>>> RPC error is usually because of a firewall problem or dns problem. If
>>> you had to you could manually request the certificate yourself for that
>>> computer and specify that computer name in the request. Then export the
>>> certificate/private key from your computer [select option to export
>>> whole certificate chain to include CA certificate] to a password
>>> protected.pfx file and send it to the user with instructions how to
>>> import it into the "computer" certificate store. Note that the user
>>> would need to be a local administrator to request and install the
>>> certificate. --- Steve
>>>
>>>
>>> "Ben" <bjblackmore@hotmail.com> wrote in message
>>> news:e85CT7quFHA.1256@TK2MSFTNGP09.phx.gbl...
>>>> Hi,
>>>>
>>>> I'm trying to set up a machine for use with our VPN. We will be using
>>>> L2TP & smartcards, so I need to request a computer certificate. Up till
>>>> now I've been able to configure most computer when people are in the
>>>> office, connected to the domain, using automatic certificate deployment
>>>> via group policy. However we have 1 user who is not going to be in the
>>>> office, but needs VPN access.
>>>>
>>>> So I've changed the VPN access to allow PPTP temporarily, and asked him
>>>> to connect, then I've used remote assistance to terminal service into
>>>> his machine. From there I've managed to use the web based enrollment to
>>>> download the CA certificate, and tried to use the certificates MMC snap
>>>> in to request a computer certificate. However I get the initial screen
>>>> up, asking which certificate I'd like, common name etc, but when I
>>>> press finish, the system hangs for about 10 seconds, then errors with
>>>> "RPC Server is unavailable".
>>>>
>>>> At first I thought this might be a firewall issue, as he was running
>>>> windows firewall, as well as Symantec firewall. So I disabled both, and
>>>> also the firewall on his 3com router. However after trying again, with
>>>> a number of reboots, it still errors. I can ping the CA, the domain,
>>>> and other computers.
>>>>
>>>> Does anyone have any ideas as to how I can successfully request a
>>>> computer certificate? Is there another way of doing it? I notice there
>>>> is no computer certificate option in the web enrollment form, even
>>>> though the template has been added to the CA.
>>>>
>>>> We're using ISA 2004 as the VPN server, and it's allowing all protocols
>>>> through from VPN > internal, and Internal > VPN. The DC is windows 2003
>>>> server, and the client machine is Windows XP pro SP2.
>>>>
>>>> Many thanks
>>>>
>>>> Ben
>>>>
>>>
>>>
>>
>>
>
>