Question
Sunday, October 8, 2017 11:32 AM
Hi All,
We are getting an "RPC server unavailable" error while requesting a certificate from Citrix machines. We tried both web enrollment and MMC, but both failed. We also tried to ping the CA service using certutil -ping ... and got a failure message. Enrollment is working fine from the CA machine for the accounts that we tried from the Citrix machine.
Please let me know how I can isolate this issue and how to proceed to rectify it. What possibilities can be checked? I would really appreciate any help.
Regards,
Mubasseer
All replies (2)
Tuesday, October 31, 2017 9:25 AM ✅Answered
Hi,
I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.
Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Monday, October 9, 2017 7:02 AM
Hi,
》》We are getting RPC server unavailable error while requesting certificate from Citrix machines. Tried both web enrollment and MMC, but both have failed and also tried to ping CA service using certutil -ping ... and we got failure message. Enrollment working fine from CA machine for the accounts that we tried from Citrix machine.
According to your description, it seems it works fine in the Citrix platform and fails when the request is sent out of Citrix, right?
For "The RPC server is unavailable":
- Check network connectivity to all of the available certification authorities listed in the Enrollment Services object in Active Directory: CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com
- Verify that the Certificate Services service is running on the certification authority.
- Check for firewalls and proxy settings.
- Use Portqry to verify that the necessary RPC ports are opened.
And also check the CERTSVC_DCOM_ACCESS group permission:
On the CA server:
- Verify membership of the CERTSVC_DCOM_ACCESS group.
If you have more issuing CAs on member servers, this will need to be checked on all of them for the local groups. Verify that the following groups are members: Domain Users and Domain Computers.
If there are users or computers in other domains in the forest that also need to enroll against the CA, then those users and computers will also need to be added to the CERTSVC_DCOM_ACCESS group.
If a CA has been installed on a DC in the domain then this group may be a Domain Local group instead.
- Verify that CERTSVC_DCOM_ACCESS has been added to the DCOM Security Limits on the CA.
a. Click on Start, then Programs, then Administrative Tools, then Component Services.
b. Expand the Component Services node.
c. Expand the Computers node.
d. Right-click on My Computer and select Properties from the context menu.
e. Click on the COM Security tab.
f. Under Access Permissions, click Edit Limits.
g. Verify that the CERTSVC_DCOM_ACCESS group has been granted Allow Local Access and Allow Remote Access permissions.
h. Click Cancel.
i. Under Launch and Activation Permissions, click Edit Limits.
j. Verify that the CERTSVC_DCOM_ACCESS group has been granted Allow Local Activation and Allow Remote Activation permissions.
k. Click Cancel.
l. Click Cancel.
m. Close Component Services
If you had to change the permissions/members of the CertSVC_DCOM_ACCESS group then you may in certain cases need to run the following to get the CA to recognize the updated DCOM security settings.
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
On the clients:
- Verify that distributed COM (DCOM) is enabled:
Run dcomcnfg, select the "Default Properties" tab, and verify that "Enable Distributed COM on this computer" is checked.
Also check that the "default authentication level" is Connect and the "default impersonation level" is Identify.
Best Regards
Cartman
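The client-side checks from the reply above, collected into one read-only PowerShell script. This is an added example, not part of the original thread. It assumes a domain-joined client with Test-NetConnection available (Windows 8 / Server 2012 or later); the variable names are illustrative, and the registry value meanings in the comments are standard DCOM defaults rather than anything stated in the thread.

```powershell
# Added example: run on a client that fails to enroll (e.g. the Citrix machine).
# Read-only: nothing is changed on the client or the CA.

# 1. Enumerate every CA published in the Enrollment Services container.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [adsisearcher]'(objectClass=pKIEnrollmentService)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$results = foreach ($entry in $searcher.FindAll()) {
    $caHost = [string]$entry.Properties['dnshostname'][0]
    $caName = [string]$entry.Properties['cn'][0]

    # 2. TCP 135 is the RPC endpoint mapper. If it is closed, a firewall or
    #    routing problem sits between this client and the CA.
    $epm = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue

    # 3. certutil -ping exercises the whole DCOM path, including the dynamic
    #    RPC port and the CERTSVC_DCOM_ACCESS limits, which port 135 does not prove.
    $pingOutput = & certutil.exe -config "$caHost\$caName" -ping 2>&1
    $pingOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        CA           = "$caHost\$caName"
        Port135Open  = $epm.TcpTestSucceeded
        CertutilPing = $pingOk
        Hint         = if (-not $epm.TcpTestSucceeded) {
                           'Endpoint mapper unreachable: check firewall/proxy and that certsvc is running'
                       } elseif (-not $pingOk) {
                           'Port 135 open but ping failed: check dynamic RPC ports and DCOM permissions on the CA'
                       } else { 'OK' }
        Detail       = ($pingOutput | Select-Object -Last 2) -join ' '
    }
}
$results | Format-List

# 4. Client DCOM defaults (the dcomcnfg "Default Properties" tab).
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
[pscustomobject]@{
    EnableDCOM          = $ole.EnableDCOM                 # expect 'Y'
    AuthenticationLevel = $ole.LegacyAuthenticationLevel  # 2 = Connect; empty = system default
    ImpersonationLevel  = $ole.LegacyImpersonationLevel   # 2 = Identify; empty = system default
} | Format-List

# 5. On each CA (not from the client), list the group the reply refers to:
#    net localgroup CERTSVC_DCOM_ACCESS
```

A CA that reports Port135Open as True but CertutilPing as False points at the dynamic RPC port range or the DCOM security limits rather than basic connectivity.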