The autoenrollment functionality fails when a Windows Vista-based computer uses version 2 (V2) certificates
Log Name: Application
Event ID: 13
Task Category: None
User: User SID
Computer: Computer Name
Certificate enrollment for Local system failed to enroll a template certificate from certification authority. (The RPC server is unavailable. 0x800706ba. (Win32:1722))
- On the domain controller that hosts the certification authority, verify that the CERTSVC_DCOM_ACCESS group exists. To do this, follow these steps on the domain controller:
  - Click Start, click Run, type Dsa.msc, and then click OK.
  - In the console tree, click Users.
  - In the details pane, verify that the CERTSVC_DCOM_ACCESS group exists.
- Add the following groups to the CERTSVC_DCOM_ACCESS group:
  - The Domain Users group
  - The Domain Computers group
  - The Domain Controllers group
- To update the DCOM security settings for the certificate service, run the following commands at a command prompt:
  certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
  net stop certsvc
  net start certsvc
  Note: Press ENTER after each command.
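The group check from the steps above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module is installed and that CERTSVC_DCOM_ACCESS is a domain group as in the steps; it only reads directory data and matches members by the well-known RIDs 513, 515 and 516.

```powershell
# Added example: read-only check of CERTSVC_DCOM_ACCESS membership.
# Assumption: the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

$groupName = 'CERTSVC_DCOM_ACCESS'
$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known RIDs, so the check does not depend on localized group names.
$required = [ordered]@{
    'Domain Users'       = "$domainSid-513"
    'Domain Computers'   = "$domainSid-515"
    'Domain Controllers' = "$domainSid-516"
}

$group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"
if (-not $group) {
    Write-Warning "$groupName does not exist in this domain."
    return
}

# Collect the SIDs of the direct members of the group.
$memberSids = @(Get-ADGroupMember -Identity $group |
    ForEach-Object { $_.SID.Value })

$missing = @()
foreach ($entry in $required.GetEnumerator()) {
    if ($memberSids -contains $entry.Value) {
        Write-Output ("OK       {0}" -f $entry.Key)
    } else {
        Write-Output ("MISSING  {0}" -f $entry.Key)
        $missing += $entry.Key
    }
}

if ($missing.Count -eq 0) {
    Write-Output "All three groups are members of $groupName."
} else {
    Write-Output "Add the missing groups, then run the certutil and net commands from the steps above."
}
```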
Network trace
When this problem occurs, a network trace that resembles the following is generated:

No. Time     Source              Destination              Protocol Info
10  0.042104 <Source IP address> <Destination IP address> DCERPC   Fault: call_id: 2 ctx_id: 1 status: nca_s_fault_access_denied

Frame 10 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: <Source MAC address>, Dst: <Destination MAC address>
Internet Protocol, Src: <Source IP address>, Dst: <Destination IP address>
Transmission Control Protocol, Src Port: <Source Port>, Dst Port: <Destination Port>, Seq: 286, Ack: 2554, Len: 32
DCE RPC Fault, Fragment: Single, FragLen: 32, Call: 2, [Req: #9]
    Version: 5
    Version (minor): 0
    Packet type: Fault (3)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 32
    Auth Length: 0
    Call ID: 2
    Alloc hint: 32
    Context ID: 1
    Cancel count: 0
    Status: nca_s_fault_access_denied (0x00000005)
    Opnum: 4
    [Request in frame: 9]
    [Time from request: 0.000724000 seconds]
Article ID: 947237 - Last Review: 02/05/2008 18:42:22 - Revision: 1.1