Re: RPC Server Unavailable When Requesting Computer Certificate
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/22/05
- Next message: Steven L Umbach: "Re: Serial/Thumbprint of Certificate attached to CA?"
- Previous message: Brian Komar [MVP]: "Re: RPC Server Unavailable When Requesting Computer Certificate"
- In reply to: Steven L Umbach: "Re: RPC Server Unavailable When Requesting Computer Certificate"
- Next in thread: Ben: "Re: RPC Server Unavailable When Requesting Computer Certificate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Sep 2005 12:06:50 -0500
Brian explained what the solution was for Windows 2003 CA though that does
not look like a possibility for you unless you upgrade to Windows 2003
Server Enterprise Edition. What I would do is to enable the offline ipsec
template and then use the same method that you used to download the CA
certificate via Web Enrollment to request an offline ipsec certificate for
his computer via an advanced certificate request and being sure to select
the option to store certificate in local computer store. Otherwise you could
make the CA available to the user over the internet to request the
certificate via Web Enrollment even if just temporarily. By default the Web
Enrollment site uses integrated authentication which would not allow
anonymous access to the website. The server running IIS for Web Enrollment
does not have to be the CA either. --- Steve
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23CWAG$rvFHA.2312@TK2MSFTNGP14.phx.gbl...
>I don't believe there is any documentation but I have tried it in the past
>and it worked on a Windows 2000 Certificate Authority. If I remember
>correctly the option to export the private key was changed so that it could
>not be disabled in Windows 2003 for offline ipsec. Let me know more about
>the CA you are using [ stand alone or enterprise] and the exact operating
>system it is installed on as I believe I did find a way to do it on a
>Windows 2003 Enterprise CA but I can't remember what I did offhand but I
>will look into it further. --- Steve
>
>
> "Ben" <bjblackmore@hotmail.com> wrote in message
> news:O6BfGnovFHA.252@TK2MSFTNGP09.phx.gbl...
>> Hi Steve,
>>
>> Thanks for the reply. I had looked into doing this, but I couldn't find
>> any documentation on how to request a certificate on behalf of another
>> computer (lots of documentation for doing another user). I've installed
>> the certificate for "enrollment agent (computer)", but if I do 'request
>> new certificate' and select computer, I don't get the option to enter the
>> other computer name, even if I select advanced, I can put it in the
>> friendly name, but at the end on the details screen, computer name is
>> still that of my computer. If I try to export this, I don't get the
>> option to export the private key, it's greyed out. And the only
>> certificate format I can export to is DER encoded, Base-64 or
>> Cryptographic message syntax, again the option for PFX is greyed out!
>> If you know of any documentation that exists, could you point me in the
>> right direction!
>>
>> Cheers
>>
>> Ben
>>
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:uJ70H0ivFHA.2064@TK2MSFTNGP09.phx.gbl...
>>> Your best bet would be to enable the "offline ipsec" certificate
>>> template for the CA and have him request that via Web Enrollment. The
>>> RPC error is usually because of a firewall problem or dns problem. If
>>> you had to you could manually request the certificate yourself for that
>>> computer and specify that computer name in the request. Then export the
>>> certificate/private key from your computer [select option to export
>>> whole certificate chain to include CA certificate] to a password
>>> protected .pfx file and send it to the user with instructions how to
>>> import it into the "computer" certificate store. Note that the user
>>> would need to be a local administrator to request and install the
>>> certificate. --- Steve
>>>
>>>
>>> "Ben" <bjblackmore@hotmail.com> wrote in message
>>> news:e85CT7quFHA.1256@TK2MSFTNGP09.phx.gbl...
>>>> Hi,
>>>>
>>>> I'm trying to set up a machine for use with our VPN. We will be using
>>>> L2TP & smartcards, so I need to request a computer certificate. Up till
>>>> now I've been able to configure most computers when people are in the
>>>> office, connected to the domain, using automatic certificate deployment
>>>> via group policy. However we have 1 user who is not going to be in the
>>>> office, but needs VPN access.
>>>>
>>>> So I've changed the VPN access to allow PPTP temporarily, and asked him
>>>> to connect, then I've used remote assistance to terminal service into
>>>> his machine. From there I've managed to use the web based enrollment to
>>>> download the CA certificate, and tried to use the certificates MMC snap
>>>> in to request a computer certificate. However I get the initial screen
>>>> up, asking which certificate I'd like, common name etc, but when I
>>>> press finish, the system hangs for about 10 seconds, then errors with
>>>> "RPC Server is unavailable".
>>>>
>>>> At first I thought this might be a firewall issue, as he was running
>>>> windows firewall, as well as Symantec firewall. So I disabled both, and
>>>> also the firewall on his 3com router. However after trying again, with
>>>> a number of reboots, it still errors. I can ping the CA, the domain,
>>>> and other computers.
>>>>
>>>> Does anyone have any ideas as to how I can successfully request a
>>>> computer certificate? Is there another way of doing it? I notice there
>>>> is no computer certificate option in the web enrollment form, even
>>>> though the template has been added to the CA.
>>>>
>>>> We're using ISA 2004 as the VPN server, and it's allowing all protocols
>>>> through from VPN > internal, and Internal > VPN. The DC is windows 2003
>>>> server, and the client machine is Windows XP pro SP2.
>>>>
>>>> Many thanks
>>>>
>>>> Ben
>>>>
>>>
>>>
>>
>>
>
>
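Added example, not part of the original messages: a command-line form of the offline request discussed in this thread, using `certreq` on a current Windows client instead of the Web Enrollment pages. The key pair is generated in the off-site computer's machine store and marked non-exportable, so only the request and the issued certificate travel and no .pfx is needed. The computer name, CA config string and file names are placeholders, and the template name `IPSECIntermediateOffline` (the "IPSec (Offline request)" template on an enterprise CA) is an assumption about the CA in use.

```powershell
# Added example. Computer name, CA config string and file names are placeholders.
$Fqdn = 'remote-pc.example.com'   # placeholder: FQDN of the off-site computer
$Ca   = 'CAHOST\Example-CA'       # placeholder: "server\CA name" config string

function New-OfflineRequest {      # run elevated on the off-site computer
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
; private key stays on this machine and cannot be exported later
Exportable = FALSE
; store the key in the local computer store, not the user profile
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[RequestAttributes]
; assumption: enterprise CA with the offline IPsec template enabled
CertificateTemplate = IPSECIntermediateOffline
"@
    Set-Content -Path .\ipsec.inf -Value $inf -Encoding ASCII
    # Builds the PKCS#10 request locally; nothing here contacts the CA over RPC
    certreq -new .\ipsec.inf .\ipsec.req
}

function Submit-Request {          # run by the CA admin on a machine that can reach the CA
    certreq -submit -config $Ca .\ipsec.req .\ipsec.cer
}

function Install-IssuedCert {      # run elevated on the off-site computer
    # Pairs the issued certificate with the pending request's private key
    certreq -accept -machine .\ipsec.cer
    # Confirm the certificate is in the computer store and has its private key
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
}
```

Run `New-OfflineRequest` on the off-site computer, send `ipsec.req` to the administrator for `Submit-Request`, then return `ipsec.cer` and run `Install-IssuedCert`. The contents of `ipsec.req` can also be pasted into the Web Enrollment advanced request page in place of the `certreq -submit` step.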