If you are facing the error

Certificate enrollment for Local system failed to enroll for a ClientCertificate certificate with request ID N/A from server\IssuingCA-01 (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE))

it is almost certain that a firewall is blocking the RPC traffic between the client and the certificate server.

In this case you need to open port 135 (the RPC endpoint mapper) in your firewall(s) FROM your client TO the certificate server.
Please note that your environment may have multiple firewalls at different levels. Check your central, company-wide firewall for dropped packets on port 135.
But also make sure the Windows Firewall is configured to
- allow outbound traffic (on your client) on port 135
- allow inbound traffic (on your certificate server) on port 135.
Inbound traffic is the most likely culprit, since blocking unsolicited inbound connections is the default Windows Firewall setting nowadays.
To verify that opening the firewall ports has solved the issue, you need to trigger the enrollment again so that the error can reoccur. You can do so by running the scheduled tasks on the client system:
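The following PowerShell is an added example, not part of the original article: on the client it checks whether TCP 135 on the CA is reachable, and on the CA server it creates the inbound rules the article asks for. It assumes the CA name IssuingCA-01 taken from the event text and a constructed client subnet 10.0.0.0/8; both are placeholders. One caveat the article does not spell out: port 135 is only the RPC endpoint mapper, after which DCOM continues on a dynamic high port, so the CA must also accept that range (49152-65535 by default on current Windows; confirm with netsh int ipv4 show dynamicport tcp).

```powershell
# Added example, not from the original article. Replace the placeholders before use:
# the CA host name comes from the event text, the client subnet is constructed.
$CaHost       = 'IssuingCA-01'
$ClientSubnet = '10.0.0.0/8'

# ---- Run on the CLIENT: can we reach the RPC endpoint mapper on the CA? ----
$epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
if ($epm.TcpTestSucceeded) {
    Write-Output "TCP 135 to $CaHost is reachable"
} else {
    Write-Output "TCP 135 to $CaHost is blocked: check client outbound, network and CA inbound firewalls"
}

# ---- Run elevated on the CA SERVER: allow the endpoint mapper and the dynamic RPC range ----
# Scope the rules to the domain profile and to the client subnet rather than 'Any'.
$rules = @(
    @{ DisplayName = 'CA enrollment: RPC endpoint mapper'; LocalPort = '135' },
    # Default dynamic range on Windows Vista/2008 and later; verify with:
    #   netsh int ipv4 show dynamicport tcp
    @{ DisplayName = 'CA enrollment: RPC dynamic ports';   LocalPort = '49152-65535' }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Inbound -Protocol TCP `
            -LocalPort $r.LocalPort -RemoteAddress $ClientSubnet -Profile Domain -Action Allow | Out-Null
    }
}

# Confirm the rules exist and are enabled, and that the CA service itself is running
Get-NetFirewallRule -DisplayName 'CA enrollment: *' | Select-Object DisplayName, Enabled, Direction, Action
Get-Service CertSvc | Select-Object Name, Status
```

Restricting the rules to the domain profile and a known client range keeps the RPC surface of the CA as small as the enrollment path allows; widen the RemoteAddress only for the subnets that actually enroll.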
- Open Task Scheduler
- Expand Task Scheduler (local) -> Task Scheduler Library -> \Microsoft\Windows\CertificateServicesClient
- Run the SystemTask and the UserTask
- Wait a few minutes, then recheck your event log to verify that the error no longer appears
Similar errors that may show up in Event Viewer are:
Certificate enrollment for Local system failed (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 13
Certificate enrollment for Local system failed to enroll for a OasenClientCertificate certificate with request ID N/A from server\IssuingCA-01 (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

Source: Microsoft-Windows-DistributedCOM
Event ID: 10028
DCOM was unable to communicate with the computer using any of the configured protocols; requested by PID 2eb4 (C:\Windows\system32\taskhost.exe).

Event ID: 82
Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {B62A4538-E0C2-4C3D-A8FE-42201A0C8543} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: ClientCertificate

Event ID: 6
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
If you want to trigger a certificate renewal, you can also run this command:
certutil -pulse
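The verification procedure above (run SystemTask and UserTask, wait, recheck the event log) and the certutil -pulse trigger can be scripted so the check is repeatable after each firewall change. This is an added example, not from the article; it assumes an elevated prompt on the client, uses the scheduled task path the article gives, and looks only for the event IDs the article lists (13, 82 and 6 from the CertificateServicesClient providers in the Application log, 10028 from DistributedCOM, which Windows writes to the System log).

```powershell
# Added example, not from the original article. Run in an elevated prompt on the client.
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'
$since    = Get-Date

# Same trigger as opening Task Scheduler and running both tasks by hand
Start-ScheduledTask -TaskPath $taskPath -TaskName 'SystemTask'
Start-ScheduledTask -TaskPath $taskPath -TaskName 'UserTask'
# Alternative one-liner from the article:  certutil -pulse

# Give autoenrollment time to contact the CA (or to fail trying)
Start-Sleep -Seconds 120

# Collect only the events the article lists, logged after the trigger
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.ProviderName -like 'Microsoft-Windows-CertificateServicesClient-*' -and $_.Id -in 6, 13, 82) -or
        ($_.ProviderName -eq 'Microsoft-Windows-DistributedCOM' -and $_.Id -eq 10028)
    }

if ($events) {
    # 0x800706ba in the message text means RPC is still unreachable: the firewall path is not fixed yet
    $events | Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'RpcUnavailable'; e = { $_.Message -match '0x800706ba' } },
        @{ n = 'Message';        e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output "No enrollment or DCOM errors logged since $since"
}
```

An empty result after the wait is the success condition the article describes; any row with RpcUnavailable set to True means a firewall on the path still drops the RPC traffic.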
Thank you for this additional info! Very appreciated!
Hi TrixM
How does certutil -pulse trigger it, and when will it trigger?
Thank you!
Very helpful!! Our issue turned out to be that it seems the PKI CA also needs *inbound* access to the DC when the auto-enroll feature is being used from Microsoft PKI (AD-integrated CA).
I saw that a DC didn’t have a certificate, and the PKI server could not reach port 135/tcp on the Domain Controller.
Thank you for your comment and additional info. Glad you found my article helpful!
If the CA server is not on a Domain Controller, we could get the RPC error even though RPC access is allowed on the firewall. To fix this we have to add the "Domain Computers", "Domain Users" and "Domain Controllers" groups to the "Distributed COM Users" group on the CA server (local group).
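The group change suggested in the comment above can be applied and recorded with the following PowerShell. It is an added example, not from the article or the commenter; it assumes it runs elevated on the CA server and that the NetBIOS domain of the account running it ($env:USERDOMAIN) is the CA's own domain.

```powershell
# Added example, not from the article or the comment above. Run elevated on the CA server.
# Assumes $env:USERDOMAIN is the NetBIOS name of the CA's domain.
$localGroup = 'Distributed COM Users'
$domain     = $env:USERDOMAIN
$wanted     = 'Domain Computers', 'Domain Users', 'Domain Controllers'

# Current members are reported as DOMAIN\Name, so compare in that form
$current = (Get-LocalGroupMember -Group $localGroup).Name
foreach ($g in $wanted) {
    $account = "$domain\$g"
    if ($current -contains $account) {
        Write-Output "already a member: $account"
    } else {
        Add-LocalGroupMember -Group $localGroup -Member $account
        Write-Output "added: $account"
    }
}

# Final membership, for the change record
Get-LocalGroupMember -Group $localGroup | Select-Object Name, ObjectClass, PrincipalSource
```

The script is idempotent, so it can be re-run after an audit without producing "already a member" errors.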