The autoenrollment functionality fails when a Windows Vista-based computer uses version 2 (V2) certificates. Additionally, an event that resembles the following is logged in the Application log:
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: Date
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: User SID
Computer: Computer Name
Description:
Certificate enrollment for Local system failed to enroll a template certificate from certification authority. (The RPC server is unavailable. 0x800706ba. (Win32:1722))
Back to the top
To resolve this problem, follow these steps:
| 1. | On the domain controller that hosts the certification authority, verify that the CERTSVC_DCOM_ACCESS group exists. To do this, follow these steps on the domain controller:| a. | Click Start, click Run, type Dsa.msc, and then click OK. | | b. | In the console tree, click Users. | | c. | In the details pane, verify that the CERTSVC_DCOM_ACCESS group exists. |
|
| 2. | Add following groups to the CERTSVC_DCOM_ACCESS group:| • | The Domain Users group | | • | The Domain Computers group | | • | The Domain Controllers group |
|
| 3. | To update the DCOM security settings for the certificate service, run the following commands at a command prompt: certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc Note Press ENTER after each command. |
Back to the top
The CERTSVC_DCOM_ACCESS group is created after you install Windows Server 2003 Service Pack 1 (SP1) on the domain controller. By default, the Domain Users group and the Domain Computers group reside in the CERTSVC_DCOM_ACCESS group.
Back to the top
Network trace
When this problem occurs, a network trace that resembles the following is generated:
No. Time Source Destination Protocol Info
10 0.042104 <Source IP address> <Destination IP address> DCERPC Fault: call_id: 2 ctx_id: 1 status: nca_s_fault_access_denied
Frame 10 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: <Source MAC address>, Dst: <Destination MAC address>
Internet Protocol, Src: <Source IP address>, Dst: <Destination IP address>
Transmission Control Protocol, Src Port: <Source Port>, Dst Port: <Destination Port>, Seq: 286, Ack: 2554, Len: 32
DCE RPC Fault, Fragment: Single, FragLen: 32, Call: 2, [Req: #9]
Version: 5
Version (minor): 0
Packet type: Fault (3)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 32
Auth Length: 0
Call ID: 2
Alloc hint: 32
Context ID: 1
Cancel count: 0
Status: nca_s_fault_access_denied (0x00000005)
Opnum: 4
[Request in frame: 9]
[Time from request: 0.000724000 seconds]
Back to the top
Help and Support
