No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)

Assume the following scenario:

  • A user works remotely via Virtual Private Network (VPN)
  • A certificate should be requested via autoenrollment, but this does not happen
  • A connection test (certutil -ping) to the certification authority throws the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.

For a detailed description of how manual and automatic certificate request from an Active Directory integrated certificate authority works, see the article "Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)".

Example of a corresponding certutil command:

certutil ^
-config "ca02.intra.adcslabor.de\ADCS Lab Issuing CA 1" ^
-ping

Cause

In this case, the user had changed his Active Directory password and continued to log on to his computer with the old (cached) password. The VPN connection was established only after the Windows logon, so the cached credentials were never refreshed against Active Directory.

Certutil misleadingly reports that the connection to the certification authority could not be established; in reality this was an authentication error.

Locking the desktop and then unlocking it with the current password while the VPN connection was up solved the problem.
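The following PowerShell script is an added diagnostic aid and is not part of the original article. It separates the two conditions that both end in RPC_S_SERVER_UNAVAILABLE: the CA really being unreachable over the VPN, versus the client simply holding no valid Kerberos ticket because its cached logon password is stale. The CA config string is taken from the article; the threshold logic and the klist/Test-NetConnection checks are my assumptions about a reasonable triage order.

```powershell
# Added example (not from the original article). Distinguishes "CA not reachable"
# from "logon session cannot authenticate" when certutil -ping fails over VPN.
param(
    # CA config string as used in the article; replace with your own CA.
    [string]$CaConfig = "ca02.intra.adcslabor.de\ADCS Lab Issuing CA 1"
)

$caHost = $CaConfig.Split('\')[0]

# 1. Is the RPC endpoint mapper (TCP 135) on the CA reachable through the VPN?
#    Note: DCOM also needs the dynamic RPC port range, so a positive result
#    here is necessary but not sufficient.
$epmReachable = Test-NetConnection -ComputerName $caHost -Port 135 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

# 2. Does the current logon session hold a Kerberos TGT? After a cached logon
#    with an outdated password, the KDC rejects the pre-authentication and the
#    ticket cache stays empty.
$klistOutput = & klist.exe 2>&1
$hasTgt = [bool]($klistOutput | Select-String -Pattern 'krbtgt/' -Quiet)

# 3. Run the same connection test as in the article and inspect its output.
$pingOutput = & certutil.exe -config $CaConfig -ping 2>&1
$pingOk = ($LASTEXITCODE -eq 0)
$rpcUnavailable = [bool]($pingOutput | Select-String -Pattern 'RPC_S_SERVER_UNAVAILABLE' -Quiet)

Write-Host ("TCP 135 to {0}: {1}" -f $caHost, $(if ($epmReachable) { 'reachable' } else { 'NOT reachable' }))
Write-Host ("Kerberos TGT present:  {0}" -f $hasTgt)
Write-Host ("certutil -ping:        {0}" -f $(if ($pingOk) { 'OK' } else { 'FAILED' }))

# 4. Interpretation.
if ($pingOk) {
    Write-Host "CA reachable and authentication works; look elsewhere (template permissions, GPO)."
}
elseif (-not $epmReachable) {
    Write-Host "Endpoint mapper not reachable: this is a network/VPN/firewall problem, not a credential problem."
}
elseif ($rpcUnavailable -and -not $hasTgt) {
    Write-Host "CA is reachable but the session has no Kerberos ticket."
    Write-Host "Likely cause: logon with a stale cached password (see Cause above)."
    Write-Host "Remedy: lock the desktop and unlock it with the current password while the VPN is up,"
    Write-Host "then trigger autoenrollment again with: certutil -pulse"
}
else {
    Write-Host "Unexpected combination; review the full certutil output:"
    $pingOutput | ForEach-Object { Write-Host "  $_" }
}
```

Run the script inside the affected user's interactive session (not elevated under a different account), because klist and certutil both act on the ticket cache of the calling logon session. Once the user has unlocked with the current password, a second run should show a TGT and a successful ping.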

For a detailed description of what causes the RPC_S_SERVER_UNAVAILABLE error code, see the article "Certificate request fails with error message 'The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)'".
