Certutil ping fails as system with RPC error

Question

Tuesday, January 11, 2011 5:20 PM

I set up a new 2008 R2 Enterprise DC running Certificate Services in our 2003 mixed domain, and none of the machines, other than the CA, are able to request a machine cert. I verified that the built-in local group Certificate Service DCOM Access had Domain Computers, Domain Users and Domain Controllers in it. I also verified that said group has both local and remote access granted under both Access Permissions and Launch and Activation Permissions under the COM Security tab in the DCOM settings.

But while I'm able to successfully run certutil -ping -config dc1.company.local\CA as a user, if I use psexec \\localhost -s cmd to run it as SYSTEM, it fails with the following error (tried both FQDN and host name with the same results). I'm also able to use the Certificates snap-in to request a user certificate, but not a machine certificate.

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)

Both the CA and the client are running 2008 R2 with the same patches and are on the same subnet with their Windows Firewalls disabled for testing.

setspn -l dc1 and setspn -l client1 return both HOST/hostname and HOST/fqdn entries.

Any ideas what else I can check?

All replies (1)

Wednesday, January 12, 2011 5:58 PM ✅Answered

I figured it out: it was a DCOM security issue. At some point in the past an administrator had configured a Group Policy and set the following values under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Other\:
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

This made the Edit Limits button under Access Permissions and Launch and Activation Permissions on the COM Security tab greyed out.
I edited the GPO, setting the two values to Not Configured, and then did a gpupdate /force on the cert server.
Then I launched regedit and navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\dcom.
I right-clicked on dcom, chose Export, and saved it. Then I deleted both the machineaccessrestriction and machinelaunchrestriction keys.
Finally I ran:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

Ran the ping again as system from the client and it was successful. Did a gpupdate /force on the client and the cert was issued!
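The answer above found the cause in the two policy-delivered SDDL strings. The following PowerShell is an added diagnostic, not code from the thread or from Microsoft, for locating and reading that state before touching Group Policy or the registry: it reads the MachineAccessRestriction and MachineLaunchRestriction values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM, decodes each ACE into the DCOM rights it carries (the COM_RIGHTS_* bits, which SDDL writes as CC/DC/LC/SW/RP), and reports whether remote access or remote activation is granted to BUILTIN\Certificate Service DCOM Access (well-known SID S-1-5-32-574, the group the question verified contains Domain Computers), Everyone, or Authenticated Users. The two sample descriptors at the end are constructed for the demonstration and are not the ones from the poster's GPO; the function names are this example's own. It assumes PowerShell 5.1 or later on the CA.

```powershell
# Added diagnostic for the DCOM machine-wide restriction problem described above.
# Not from the original thread. Assumes PowerShell 5.1+ run on the CA.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'

# DCOM access-mask bits (COM_RIGHTS_* constants). In SDDL they appear as CC/DC/LC/SW/RP.
$ComRights = [ordered]@{
    Execute        = 0x01
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}

# Well-known SID of BUILTIN\Certificate Service DCOM Access (the group the question checked).
$CertSvcDcomAccessSid = 'S-1-5-32-574'

function ConvertTo-DcomAceReport {
    # Decode an SDDL string into one object per DACL ACE with the DCOM rights spelled out.
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $granted = foreach ($name in $ComRights.Keys) {
            if (($ace.AccessMask -band $ComRights[$name]) -ne 0) { $name }
        }
        $account = $ace.SecurityIdentifier.Value
        try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            AceType = $ace.AceType
            Sid     = $ace.SecurityIdentifier.Value
            Account = $account
            Rights  = @($granted) -join ','
        }
    }
}

function Test-DcomRemoteRight {
    # True when an Allow ACE grants $Right to the target SID, Everyone (S-1-1-0) or
    # Authenticated Users (S-1-5-11), and no Deny ACE for those principals carries the
    # same bit. Group membership is not expanded here, so a principal covered only via
    # another group shows as missing: treat the result as a hint, not an authoritative check.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [ValidateSet('ExecuteRemote', 'ActivateRemote')][string]$Right = 'ExecuteRemote',
        [string]$Sid = $CertSvcDcomAccessSid
    )
    $principals = @($Sid, 'S-1-1-0', 'S-1-5-11')
    $bit = $ComRights[$Right]
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($principals -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $bit) -eq 0) { continue }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) { return $false }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $allowed = $true }
    }
    return $allowed
}

function Get-DcomPolicyRestriction {
    # Report the two policy values. Absence means Group Policy is not overriding the
    # local COM Security limits, which is the state the answer above restored.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
        $sddl = if ($props) { $props.$name } else { $null }
        if (-not $sddl) {
            Write-Output "$name : not set by policy"
            continue
        }
        $right = if ($name -eq 'MachineAccessRestriction') { 'ExecuteRemote' } else { 'ActivateRemote' }
        Write-Output "$name : $sddl"
        ConvertTo-DcomAceReport -Sddl $sddl | Format-Table -AutoSize | Out-String | Write-Output
        Write-Output ("  remote {0} for {1}: {2}" -f $right, $CertSvcDcomAccessSid,
            (Test-DcomRemoteRight -Sddl $sddl -Right $right))
    }
}

# Constructed sample descriptors (not taken from the thread). The first grants Everyone
# local access only, so a remote caller such as a client's machine account is refused;
# the second adds remote access for Everyone and for Certificate Service DCOM Access.
$LocalOnlySddl  = 'O:BAG:BAD:(A;;CCDC;;;WD)(A;;CCDC;;;AN)'
$WithRemoteSddl = 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)(A;;CCDCLC;;;S-1-5-32-574)'

foreach ($s in $LocalOnlySddl, $WithRemoteSddl) {
    "`n$s"
    ConvertTo-DcomAceReport -Sddl $s | Format-Table -AutoSize
    "  ExecuteRemote for $CertSvcDcomAccessSid : $(Test-DcomRemoteRight -Sddl $s)"
}

# Live check of this machine's policy values:
Get-DcomPolicyRestriction
```

Run it on the CA before and after the gpupdate: while the GPO still applies, Get-DcomPolicyRestriction prints the inherited SDDL and the decoded ACEs, which is the fastest way to see whether the remote bit is simply missing; once both values read "not set by policy", the Edit Limits buttons become usable again. The certutil -setreg step in the answer clears the SETUP_DCOM_SECURITY_UPDATED_FLAG bit (the leading minus removes the flag), so restarting certsvc re-applies the CA's DCOM security settings rather than leaving the previously computed ones in place.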