Two Tier PKI AutoEnrollment & CertEnroll Errors

New Contributor

Hi,

 

I have a two tier PKI certificate system setup on windows server 2022.

 

All Windows 10/11 clients and domain controllers get the following errors in event viewer:

 

1) Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

 

2) Certificate enrollment for Local system failed to enroll for a ComputerCertificate certificate with request ID N/A from Vxxx-xxx.xxx.com\xxx-Vxxx-xxx-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

 

3) Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {59CE2990-AF3C-432A-A309-0CA7E3598B5C} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: ComputerCertificate

 

On my domain controllers, I get these additional errors:

 

1)  Certificate enrollment for Local system failed to enroll for a KerberosAuthentication certificate with request ID N/A from Vxxx-xxx.xxx.com\xxx-Vxxx-xxx-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

 

2) Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {59CE2990-AF3C-432A-A309-0CA7E3598B5C} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: KerberosAuthentication

 

3) Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from Vxxx-xxx.xxx.com\xxx-Vxxx-xxx-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

 

4) Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {59CE2990-AF3C-432A-A309-0CA7E3598B5C} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: DomainControllerAuthentication

 

No computers are getting the subordinateCA cert under their local computer certificates -> Personal -> Certificates

 

I distributed the standalone root CA to all computers via group policy under "Trusted root certification authorities -> Certificates"

 

Weirdly, all computers under local certificates: Intermediate Certification Authorities -> Certificates seem to be receiving the subordinateCA certificate under there.

 

I've disabled all windows firewalls via GPO for testing.

my network firewall has all ports open from subordinateCA to domain controllers for testing

all workstations have ports open for subordinateCA for testing

 

Any help is greatly appreciated. Tried looking for solutions online to no success.

 

Thanks

5 Replies

@windows2190 

 

Howdy.

 

Error 1722 is pretty unambiguous.

 

The RPC endpoint mapper listens on TCP 135, and error 1722 only gets thrown if the source computer cannot reach TCP 135 on the target computer.

 

Disabling the Windows Firewall isn't the answer - not even for testing. It's straight-up dangerous in this current era, too.

 

Enable your firewall and ensure the following four ALLOW rules (boxed in green) are enabled. If they are missing or disabled then that's something you'd need to fix regardless.

 

LainRobertson_0-1668667811062.png

 

Additionally, ensure there are no BLOCK rules preventing access to TCP 135, as BLOCK rules will take precedence over ALLOW.

 

Next, download Microsoft's PortQry tool:

 

As you will need this for end-to-end testing. The portqry.exe will need to reside on the client from where you are doing your testing and are seeing error 1722.

 

Ensure the Certificate Services service us running

On your root (if it's not an offline root) and intermediate authorities, ensure the relevant service is running.

 

LainRobertson_1-1668668165013.png

 

Verifying if the RPC endpoint mapper is reachable

Using PortQry.exe (shows some returned output here, too) - obviously use your FQDN or IP address:

 

LainRobertson_2-1668668754519.png

 

I'd expect you will still be getting error 1722 at this stage though, but this is how you can prove end-to-end RPC connectivity (thereby proving you're past the error 1722 stage.)

 

A useful cross-reference is testing using PortQry from a host that lives on the same switch (physical or virtual) as the Certificate Services host. If that still fails, then I'd be going back and checking that the certsvc service is running, the Windows Firewall rules have been created and enabled, and that there are no Windows Firewall BLOCK rules overriding the ALLOW rules.

 

Assuming those checks come up fine, then despite what you said about the network firewall having all ports open to the domain controllers (which won't help your other clients, if you're looking to enrol certificates on those), something is blocking TCP 135 as it's basically in the "not possible" category that the endpoint mapper service isn't running. Even the most basic fresh installation of something like Server Core will still be running upwards of perhaps 60 RPC services through the endpoint mapper.

 

It's important to note that all clients (domain controllers, member servers, workstations, etc.) get their enterprise CA configuration from AD but they do the enrolment and get the certificates from the intermediate itself, meaning TCP 135 needs to be reachable from anywhere you expect a client needing a certificate might live, not just from the domain controllers themselves.

 

Additional note

Once you resolve the error 1722 RPC issue, also be sure that your CRL publication location is reachable. If this only contains the LDAP distribution point then you won't need to check this but as it's quite common (if not necessary) to run a HTTP publication point, you want to be sure clients can hit this from anywhere relevant or you'll run into more issues.

 

Cheers,

Lain

Hi Lain,

Thank you for your detailed response! I am starting to go through your post right now.

So far, I noticed that my subordinate/intermediate issuing CA has the four allow in-bound firewall rules enabled (the Certification authority enrollment and management protocol rules).

However, they do not exist on domain controllers or any workstations. Should they be there too? It seems my domain controllers don't even have those pre-defined rules to add on the firewalls. Or does my domain controller need to have certificate authority service installed?

 

P.S: thank you, I have re-enabled firewall across the domain

@windows2190 

 

Hi,

 

Those four rules only exist and are enabled on the hosts running Certificate Services (which should not be the domain controllers - they should only ever run just one thing: Active Directory.)

 

What those four rules do is allow inbound traffic from other hosts to reach Certificate Services via RPC.

 

Given the four rules are there and enabled, I'd:

 

  1. Ensure the Certificate Services service (certsvc) is running on the Certificate Services host;
  2. Run a PortQry check from another host on the same subnet/virtual switch to see if it can access the Certificate Services host;
    • If it can then you know you something is blocking traffic from other more remote hosts from reaching your Certificate Services host;
    • If it cannot then the problem exists on the Certificate Services host itself.

 

Do you know if you have had Certificate Services installed within the forest ever before? If you have, it may be the case that you have a non-existent host reference lingering in your configuration - but this is an outside possibility.

 

Here's some commands you can use to check if you've ever had another certificate authority:

 

# This command lists all defined certificate authorities.
Get-ADObject -Filter { (objectClass -eq "certificationAuthority") } -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel | Format-Table -AutoSize objectGUID, objectClass, name

# This command lists all enrolment service points (aka servers running Certificate Services.)
Get-ADObject -Filter { (objectClass -eq "pKIEnrollmentService") } -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel -Properties dNSHostName | Format-Table -AutoSize objectGUID, objectClass, name, dNSHostName

 

Hopefully you only see entries that you know about. If you see strays that you didn't know existed (particularly from the second command) then you may have some long-lost things to clean up (aka delete.)

 

Cheers,

Lain

@LainRobertson 

 

Hi Lain,

 

1) Certificate service is running on my intermediate/subordinate issuing CA.

 

2) I had certificate services installed before on another VM which was also a subordinate/intermediate issuing CA that had the same errors, so I re-built the subordinate CA VM fresh but still getting this error.

 

3) Here is the output from command (on my domain controller):

Get-ADObject -Filter { (objectClass -eq "certificationAuthority") } -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel | Format-Table -AutoSize objectGUID, objectClass, name

 

windows2190_0-1668887988598.png

 

and output from command (on my domain controller):

Get-ADObject -Filter { (objectClass -eq "pKIEnrollmentService") } -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel -Properties dNSHostName | Format-Table -AutoSize objectGUID, objectClass, name, dNSHostName

windows2190_1-1668888342864.png

 

4) Here is the output from PortQry on a domain controller:

 

PS C:\PortQryV2> .\portqry.exe -n vxxx-xxx.xxx.com -e 135

Querying target system called:

vxxx-xxx.xxx.com

Attempting to resolve name to IP address...


Name resolved to 10.x.x.x

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\cert]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_ip_tcp:vxxx-xxx.xxx.com[50055]

UUID: 650a7e26-eab8-5533-ce43-9c1dfce11511 Vpn APIs
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\ROUTER]

UUID: 367abb81-9844-35f1-ad32-98f038001003
ncacn_ip_tcp:vxxx-xxx.xxx.com[49711]

UUID: 12345678-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: ae33069b-a2a8-46ee-a235-ddfd339be281
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 4a452661-8290-4b36-8fbe-7f4093a94978
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\SessEnvPublicRpc]

UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_ip_tcp:vxxx-xxx.xxx.com[49669]

UUID: 7f1343fe-50a9-4927-a778-0c5859517bac DfsDs service
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\wkssvc]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 33d84484-3626-47ee-8c6f-e7e98b113be1
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]

UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]

UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\eventlog]

UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_ip_tcp:vxxx-xxx.xxx.com[49666]

UUID: 76f226c3-ec14-4325-8a99-6a46348418af
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:vxxx-xxx.xxx.com[49665]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

Total endpoints found: 41

 

==== End of RPC Endpoint Mapper query response ====
PS C:\PortQryV2>


Here is the output from PortQry on a workstation:

 

PS C:\PortQryV2> .\portqry -n vxxx-xxx.xxx.com -e 135

Querying target system called:

vxxx-xxx.xxx.com

Attempting to resolve name to IP address...


Name resolved to 10.x.x.x

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\cert]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_ip_tcp:vxxx-xxx.xxx.com[50055]

UUID: 650a7e26-eab8-5533-ce43-9c1dfce11511 Vpn APIs
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\ROUTER]

UUID: 367abb81-9844-35f1-ad32-98f038001003
ncacn_ip_tcp:vxxx-xxx.xxx.com[49711]

UUID: 12345678-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: ae33069b-a2a8-46ee-a235-ddfd339be281
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 4a452661-8290-4b36-8fbe-7f4093a94978
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
ncacn_ip_tcp:vxxx-xxx.xxx.com[49685]

UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\SessEnvPublicRpc]

UUID: 29770a8f-829b-4158-90a2-78cd488501f7
ncacn_ip_tcp:vxxx-xxx.xxx.com[49669]

UUID: 7f1343fe-50a9-4927-a778-0c5859517bac DfsDs service
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\wkssvc]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 33d84484-3626-47ee-8c6f-e7e98b113be1
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 86d35949-83c9-4044-b424-db363231fd0c
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]

UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\atsvc]

UUID: 3a9ef155-691d-4449-8d05-09ad57031823
ncacn_ip_tcp:vxxx-xxx.xxx.com[49668]

UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\eventlog]

UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c Event log TCPIP
ncacn_ip_tcp:vxxx-xxx.xxx.com[49666]

UUID: 76f226c3-ec14-4325-8a99-6a46348418af
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_np:vxxx-xxx.xxx.com[\\PIPE\\InitShutdown]

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:vxxx-xxx.xxx.com[49665]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7 RemoteAccessCheck
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 KeyIso
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49670]

UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_np:vxxx-xxx.xxx.com[\\pipe\\lsass]

UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018 Ngc Pop Key Service
ncacn_ip_tcp:vxxx-xxx.xxx.com[49664]

Total endpoints found: 41

 

==== End of RPC Endpoint Mapper query response ====
PS C:\PortQryV2>

 

anyone know how i can remove some unwanted entries after running this command:

Get-ADObject -Filter { (objectClass -eq "certificationAuthority") } -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel | Format-Table -AutoSize objectGUID, objectClass, name

Thanks
Is it as simple as opening ADSI and navigating to: CN=Certification Authorities,CN=Public Key Services,CN=Services and deleting the unwanted entries?