Hi!
We have an issue with certificate enrollment to one of our Windows 7 clients (Enterprise x86-version). The client is a domain member. The CA is not a domain controller. ThePKIenvironment is2008 Enterprise.For every other client the certificate enrollment works just fine, it's just one client mocking with us. We've tried so many things so I'll probably forget to mention some of them. But we think that the problem is isolated to the client and not to the
server / CA-setup. The client receives the following event id's:
Event id 13
--
Certificate enrollment for DOMAIN\user failed to enroll for a User. Autoenroll certificate with request ID N/A from ca-server.domain\Issuing CA-server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
--
Event id: 6
--
Automatic certificate enrollment for DOMAIN\user failed (0x800706ba) The RPC server is unavailable.
--
We have verified the communication between the client and the server (it works perfect for everyone else). We've disabled all firewalls between the client and the CA. We tried using other user accounts. We rejoined the domain with a new computer name. We tried
requesting booth user and machine certificates.
We have also looked at the traffic with Wireshark. What's strange here is that there is no traffic between the client and the CA-server when running the following command:
C:\>certutil -ping ca-server.domain
Connecting to ca-server.domain...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.
We tried ping to the ip-address instead of FQDN. No problem with a ordinary ping to the FQDN / IP-address. We did also try portqry and successfully ran "portqry -n ca-server.domain -e 135".
We also ran this command on the client: nltest /sc_verify:domain and it was sucesfull.
We suspect something is broken with certificate management on this specific client. But we thought we would give the forum one last chance to spread some light on this issue before we wipe the client.
I think I've read through every thread on this forum (any many others) regarding issues with certificate enrollment / RPC / 0x800706ba. So please don't give me the obvious questions regarding firewall, dns and/or RPC-services started or not.
Thank you for reading!
/Fredrik.