Recently we noticed the following errors were occurring daily in our Event Logs for servers in our DMZ:
CertificateServicesClient-CertEnroll EventID 82
Certificate enrollment for Local system failed in authentication to all urls for enrollment
server associated with policy id: {00B9F3A7-...-50628BC5AE7E} (The RPC server is
unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for
template: Machine
CertificateServicesClient-CertEnroll EventID 13
Certificate enrollment for Local system failed to enroll for a Machine certificate with
request ID N/A from NY-CA01.company.com\Company Internal Root CA (d0 7a ... f3 e4 70).
CertificateServicesClient-AutoEnrollment EventID 6
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is
unavailable.
I suspect it is a firewall issue, and tried to use the certutil.exe tool to verify connectivity to the certificate authorities, but when running the -TCAInfo command I received the following error message:
PS C:\windows\system32> certutil -tcainfo
================================================================
CA Name: Company Internal Root CA
Machine Name: NY-CA01.Company.com
DS Location: CN=Company Internal Root CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Company,DC=com
Cert DN: CN=CompanyInternal Root CA, DC=Company, DC=com
RegConnectRegistry/RegOpenKeyEx: The network path was not found. 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)
CA Registry Validity Period: ? ???
NotAfter: 10/11/2031 7:05 PM
Connecting to NY-CA01.Company.com\Company Internal Root CA ...
Server "Company Internal Root CA" ICertRequest2 interface is alive (47ms)
...
================================================================
NY-CA01.Company.com\Company Internal Root CA:
Enterprise Root CA
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800
b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Online
It appears to think that the CA is Online and alive, but there is an The network path was not found. error and the CA Registry Validity Period: ? ??? is unknown.
I confirmed that https://ny-ca01.company.com/certsrv/ is accessible from the DMZ servers, so what other ports are needed for renewing certificates?
I found this article which indicates the 53 ERROR_BAD_NETPATH error message might have something do do with the Remote Registry service. I verified that the service is running (no errors from non DMZ servers), but inside the DMZ calls to
Net Use \\RemoteMachine\Admin$
were failing with the same "Network Path was not found" error.Checking our Fortinet firewall rules, we already allowed HTTPS on port 443, and DCE-RPC on ports 135, but we did not allow SMB for CIFS/SAMBA access on port 445.
After adding rule for SMB access from DMZ to our CA servers, the above errors no longer occur when running certutil -TCAInfo