Forum Discussion
Two Tier PKI AutoEnrollment & CertEnroll Errors
Hi Lain,
Thank you for your detailed response! I am starting to go through your post right now.
So far, I noticed that my subordinate/intermediate issuing CA has the four allow in-bound firewall rules enabled (the Certification authority enrollment and management protocol rules).
However, they do not exist on domain controllers or any workstations. Should they be there too? It seems my domain controllers don't even have those pre-defined rules to add on the firewalls. Or does my domain controller need to have certificate authority service installed?
P.S.: Thank you, I have re-enabled the firewall across the domain.
Deleted
Hi,
Those four rules only exist and are enabled on the hosts running Certificate Services (which should not be the domain controllers - they should only ever run just one thing: Active Directory.)
What those four rules do is allow inbound traffic from other hosts to reach Certificate Services via RPC.
Given the four rules are there and enabled, I'd:
- Ensure the Certificate Services service (certsvc) is running on the Certificate Services host;
- Run a PortQry check from another host on the same subnet/virtual switch to see if it can access the Certificate Services host;
- If it can, then you know something is blocking traffic from other, more remote hosts from reaching your Certificate Services host;
- If it cannot then the problem exists on the Certificate Services host itself.
Do you know if you have had Certificate Services installed within the forest ever before? If you have, it may be the case that you have a non-existent host reference lingering in your configuration - but this is an outside possibility.
Here are some commands you can use to check if you've ever had another certificate authority:
# This command lists all defined certificate authorities.
Get-ADObject -Filter { (objectClass -eq "certificationAuthority") } -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel | Format-Table -AutoSize objectGUID, objectClass, name
# This command lists all enrolment service points (aka servers running Certificate Services.)
Get-ADObject -Filter { (objectClass -eq "pKIEnrollmentService") } -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel -Properties dNSHostName | Format-Table -AutoSize objectGUID, objectClass, name, dNSHostName
Hopefully you only see entries that you know about. If you see strays that you didn't know existed (particularly from the second command) then you may have some long-lost things to clean up (aka delete.)
Cheers,
Lain
- Deleted, Nov 19, 2022
Hi Lain,
1) Certificate service is running on my intermediate/subordinate issuing CA.
2) I had certificate services installed before on another VM which was also a subordinate/intermediate issuing CA that had the same errors, so I re-built the subordinate CA VM fresh but still getting this error.
3) Here is the output from command (on my domain controller):
Get-ADObject -Filter { (objectClass -eq "certificationAuthority") } -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel | Format-Table -AutoSize objectGUID, objectClass, name
and output from command (on my domain controller):
Get-ADObject -Filter { (objectClass -eq "pKIEnrollmentService") } -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel -Properties dNSHostName | Format-Table -AutoSize objectGUID, objectClass, name, dNSHostName
4) Here is the output from PortQry on a domain controller:
PS C:\PortQryV2> .\portqry.exe -n vxxx-xxx.xxx.com -e 135
Querying target system called:
vxxx-xxx.xxx.com
Attempting to resolve name to IP address...
Name resolved to 10.x.x.x
querying...
TCP port 135 (epmap service): LISTENING
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:
UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\cert]
UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_ip_tcp:vxxx-xxx.xxx.com[50055]
UUID: 650a7e26-eab8-5533-ce43-9c1dfce11511 Vpn APIs
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\ROUTER]
UUID: 367abb81-9844-35f1-ad32-98f038001003
ncacn_ip_tcp:vxxx-xxx.xxx.com[49711]
UUID: 12345678-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: ae33069b-a2a8-46ee-a235-ddfd339be281
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 4a452661-8290-4b36-8fbe-7f4093a94978
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\SessEnvPublicRpc]
UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_ip_tcp:vxxx-xxx.xxx.com[49669]
UUID: 7f1343fe-50a9-4927-a778-0c5859517bac DfsDs service
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\wkssvc]
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 33d84484-3626-47ee-8c6f-e7e98b113be1
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]
UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]
UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\eventlog]
UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_ip_tcp:vxxx-xxx.xxx.com[49666]
UUID: 76f226c3-ec14-4325-8a99-6a46348418af
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:vxxx-xxx.xxx.com[49665]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
Total endpoints found: 41
==== End of RPC Endpoint Mapper query response ====
PS C:\PortQryV2>
Here is the output from PortQry on a workstation:
PS C:\PortQryV2> .\portqry -n vxxx-xxx.xxx.com -e 135
Querying target system called:
vxxx-xxx.xxx.com
Attempting to resolve name to IP address...
Name resolved to 10.x.x.x
querying...
TCP port 135 (epmap service): LISTENING
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:
UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\cert]
UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_ip_tcp:vxxx-xxx.xxx.com[50055]
UUID: 650a7e26-eab8-5533-ce43-9c1dfce11511 Vpn APIs
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\ROUTER]
UUID: 367abb81-9844-35f1-ad32-98f038001003
ncacn_ip_tcp:vxxx-xxx.xxx.com[49711]
UUID: 12345678-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: ae33069b-a2a8-46ee-a235-ddfd339be281
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 4a452661-8290-4b36-8fbe-7f4093a94978
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]
UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\SessEnvPublicRpc]
UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_ip_tcp:vxxx-xxx.xxx.com[49669]
UUID: 7f1343fe-50a9-4927-a778-0c5859517bac DfsDs service
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\wkssvc]
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 33d84484-3626-47ee-8c6f-e7e98b113be1
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]
UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]
UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]
UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\eventlog]
UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_ip_tcp:vxxx-xxx.xxx.com[49666]
UUID: 76f226c3-ec14-4325-8a99-6a46348418af
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:vxxx-xxx.xxx.com[49665]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]
UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]
UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]
Total endpoints found: 41
==== End of RPC Endpoint Mapper query response ====
PS C:\PortQryV2>
- Deleted, Nov 27, 2022
Anyone know how I can remove some unwanted entries after running this command:
Get-ADObject -Filter { (objectClass -eq "certificationAuthority") } -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel | Format-Table -AutoSize objectGUID, objectClass, name
Thanks
Is it as simple as opening ADSI and navigating to: CN=Certification Authorities,CN=Public Key Services,CN=Services and deleting the unwanted entries?
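The script below is an added example, not code posted by anyone in this thread. It strings together the checks Lain lists (is certsvc reachable, is the RPC endpoint mapper open, are there stray CA and enrollment-service objects in the configuration partition) and then answers the cleanup question above with Remove-ADObject run in -WhatIf mode. It assumes the ActiveDirectory RSAT module and certutil.exe are present on the host you run it from, and it uses its own working definition of a "stray": an enrollment-service object whose dNSHostName no longer has a computer account and no longer resolves in DNS. That definition is mine, not the thread's; adjust it to your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Enumerates the two PKI containers Lain's commands
# query, tests each registered enrollment service from this host, and previews cleanup.

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Container 1: CA certificate objects published to the forest (what the first command lists).
$caObjects = @(Get-ADObject -Filter { objectClass -eq "certificationAuthority" } `
    -SearchBase "CN=Certification Authorities,$pkiBase" -SearchScope OneLevel)

# Container 2: enrollment service points, one per host running Certificate Services.
$enrollSvcs = @(Get-ADObject -Filter { objectClass -eq "pKIEnrollmentService" } `
    -SearchBase "CN=Enrollment Services,$pkiBase" -SearchScope OneLevel -Properties dNSHostName)

$report = foreach ($svc in $enrollSvcs) {
    $fqdn = $svc.dNSHostName

    # Does the host still have a computer account? (stale references survive a rebuilt VM)
    $computer = Get-ADComputer -Filter "dNSHostName -eq '$fqdn'" -ErrorAction SilentlyContinue

    # Does the name still resolve? PortQry's first step does the same thing.
    $resolves = [bool](Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue)

    # Is the RPC endpoint mapper (TCP 135) reachable from here? Equivalent to portqry -e 135.
    $epm = $false
    if ($resolves) {
        $epm = (Test-NetConnection -ComputerName $fqdn -Port 135 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Can Certificate Services itself be reached over RPC/DCOM? certutil -ping calls the
    # CA's request interface, which is the traffic the four inbound firewall rules allow.
    $ping = $false
    if ($epm) {
        $null = certutil.exe -ping -config "$fqdn\$($svc.Name)" 2>&1
        $ping = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{
        CAName         = $svc.Name
        Host           = $fqdn
        ComputerExists = [bool]$computer
        DnsResolves    = $resolves
        Epm135Open     = $epm
        CertSvcPing    = $ping
        Stray          = (-not $computer) -and (-not $resolves)   # working definition, see lead-in
        DN             = $svc.DistinguishedName
    }
}

"Certification Authorities container: $($caObjects.Count) object(s)"
$caObjects | Format-Table -AutoSize objectGUID, Name
"Enrollment Services container: $($enrollSvcs.Count) object(s)"
$report | Format-Table -AutoSize CAName, Host, ComputerExists, DnsResolves, Epm135Open, CertSvcPing, Stray

# Cleanup preview. This is the PowerShell equivalent of deleting the entry in ADSI Edit.
# -WhatIf only reports what would be removed; drop it once the stray is confirmed.
$report | Where-Object Stray | ForEach-Object {
    Remove-ADObject -Identity $_.DN -Confirm:$false -WhatIf
}
```

Run it from a domain-joined host other than the CA, as Lain suggests, so that the Epm135Open and CertSvcPing columns reflect the network path a client actually uses; a row with Epm135Open true but CertSvcPing false points at the CA host itself (service stopped or the RPC rules not applying), whereas both false on a remote subnet but both true on the CA's own subnet points at something in between. The cleanup loop only touches the Enrollment Services container. Objects under Certification Authorities hold root CA certificates that domain members trust, so remove one of those by hand, and only when the corresponding root CA is genuinely gone.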