The autoenrollment functionality fails when a Windows Vista-based computer uses version 2 (V2) certificates

The autoenrollment functionality fails when a Windows Vista-based computer uses version 2 (V2) certificates. Additionally, an event that resembles the following is logged in the Application log:

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: Date
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: User SID
Computer: Computer Name
Certificate enrollment for Local system failed to enroll a template certificate from certification authority. (The RPC server is unavailable. 0x800706ba. (Win32:1722))

To resolve this problem, follow these steps:
  1. On the domain controller that hosts the certification authority, verify that the CERTSVC_DCOM_ACCESS group exists. To do this, follow these steps on the domain controller:
    1. Click Start, click Run, type Dsa.msc, and then click OK.
    2. In the console tree, click Users.
    3. In the details pane, verify that the CERTSVC_DCOM_ACCESS group exists.
  2. Add following groups to the CERTSVC_DCOM_ACCESS group:
    • The Domain Users group
    • The Domain Computers group
    • The Domain Controllers group
  3. To update the DCOM security settings for the certificate service, run the following commands at a command prompt:
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc
    Note Press ENTER after each command.
The CERTSVC_DCOM_ACCESS group is created after you install Windows Server 2003 Service Pack 1 (SP1) on the domain controller. By default, the Domain Users group and the Domain Computers group reside in the CERTSVC_DCOM_ACCESS group.

Network trace

When this problem occurs, a network trace that resembles the following is generated:
No.     Time        Source                Destination           Protocol Info     10 0.042104    <Source IP address> <Destination IP address>           DCERPC   Fault: call_id: 2 ctx_id: 1 status: nca_s_fault_access_deniedFrame 10 (86 bytes on wire, 86 bytes captured)Ethernet II, Src: <Source MAC address>, Dst: <Destination MAC address>Internet Protocol, Src: <Source IP address>, Dst: <Destination IP address>Transmission Control Protocol, Src Port: <Source Port>, Dst Port: <Destination Port>, Seq: 286, Ack: 2554, Len: 32DCE RPC Fault, Fragment: Single, FragLen: 32, Call: 2, [Req: #9]    Version: 5    Version (minor): 0    Packet type: Fault (3)    Packet Flags: 0x03        0... .... = Object: Not set        .0.. .... = Maybe: Not set        ..0. .... = Did Not Execute: Not set        ...0 .... = Multiplex: Not set        .... 0... = Reserved: Not set        .... .0.. = Cancel Pending: Not set        .... ..1. = Last Frag: Set        .... ...1 = First Frag: Set    Data Representation: 10000000        Byte order: Little-endian (1)        Character: ASCII (0)        Floating-point: IEEE (0)    Frag Length: 32    Auth Length: 0    Call ID: 2    Alloc hint: 32    Context ID: 1    Cancel count: 0    Status: nca_s_fault_access_denied (0x00000005)    Opnum: 4    [Request in frame: 9]    [Time from request: 0.000724000 seconds]

Article ID: 947237 - Last Review: 02/05/2008 18:42:22 - Revision: 1.1

Windows Vista Enterprise 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Vista Business, Windows Vista Business 64-bit Edition, Windows Vista Enterprise, Windows Vista Ultimate

  • kbexpertiseadvanced kbtshoot kbprb KB947237