Windows Server CertSrv "RPC Server is unavailable" - what to do?

Introduction

While not strictly a typical networking topic, I get to work with digital certificates a lot when it comes to setting up secure network access solutions, and every now and then I run into very odd, specific issues regarding this.

Recently, when attempting to request a digital certificate via the web service of a Windows Server running AD Certificate Services, I encountered a very weird issue preventing the requested certificate from being issued. After creating a Certificate Signing Request (“CSR”) on the system that wanted to get a certificate issued to it, and then pasting the contents of the CSR into the CertSrv web service to get the certificate signed and created, we were greeted with the error message below instead of a download link to the completed certificate.

Strange error - “The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)”

Per the “Suggested Cause”, we double-checked that Certificate Services were actually up and running and that certificates for real clients and computers were being issued left and right. We then started trying to access the CertSrv services in different ways to see if there was something else in the environment that was not working correctly.

Using accounts with different domain permissions we tried again and again and again to issue the certificate and eventually, it worked, but probably not for the reasons you think.

Below is a recollection of our different certificate attempts.

What didn’t work:

What did work:

  • Locally on the server running AD Certificate Services, accessing the CertSrv web service using https://localhost/certsrv as a domain administrator.

Pretty weird, right? As someone who doesn’t do professional system administration day-to-day, I’m not completely sure why it worked to issue a certificate by using the localhost method and not using any of the others. I’ve been browsing through Microsoft’s community forum “TechNet” without finding a definitive answer. However, several of the forum threads I went through were speculating that this is an issue with the User Account Control feature, also known as UAC, incorrectly blocking access to CertSrv for some reason when you try to access the service using the IP address. UAC acting up paired with certain odd local firewall settings seems to be what most people think is the cause of this issue.

Now, there are probably a lot of different scenarios that can cause this particular error message to appear when you are trying to issue a certificate (and lots of different solutions to this issue depending on different parameters), but this is the thing that worked for me, so I thought I might as well write it down in case I run into the issue again in the future.