Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)

The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.

Possible causes can be:

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

  • The Certification Authority cannot be reached, for example because a firewall prevents the connection. If the firewall drops the packets without notifying the sender, this is reflected in the CAWE by the request "hanging" for a very long time before the error message is generated.
  • The service account under which the CAWE is running is not configured for delegation or is not configured correctly.
  • The service account under which the CAWE is running is not a member of the Windows Authorization Access security group.
  • The user account with which the certificate was requested may not be delegated.
  • No authentication is possible at the RPC/DCOM interface of the certification authority or the connection is blocked by a firewall

Details: The service account under which the CAWE is running is not or not correctly configured for delegation.

Unfortunately, the error messages issued by CAWE are not very meaningful. The RPC_S_SERVER_UNAVAILABLE error occurs, among others, when the delegation of user authentication to the CA fails and the CAWE is running with the identity of the IIS application pool.

For delegation variants that only allow Kerberos-only authentication, NTLM authentication is no longer possible. These are:

  • "Trust this User for delegation to any service (Kerberos only)".
  • "Trust this user for delegation to specified services only" in conjunction with "Use Kerberos only".

Therefore, for proper functioning of CAWE, it is recommended to set the delegation settings to "Trust this user for delegation to specified services only" in conjunction with "Use any authentication protocol".

See also the following articles:

Details: The user account with which the certificate was requested must not be delegated.

If the "Account is sensitive and cannot be delegated" option is enabled on the user account (LDAP flag ADS_ON_NOT_DELEGATED) is enabled, CAWE cannot impersonate the user to request the certificate. The same applies if the user is a member of the Protected Users group.

Details: No authentication is possible at the RPC/DCOM interface of the certification authority, or the connection is blocked by a firewall

The CAWE assumes a regular responsibility vis-à-vis the Certification Authority. Requesting certificates via DCOM before. Errors that may occur due to a problem with the network connection or authentication on the RPC/DCOM interface cause the RPC_S_SERVER_UNAVAILABLE error code.

For a detailed description of all possible causes, see the article "Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".„.

Related links:

External sources

2 thoughts on “Die Beantragung eines Zertifikats über die Zertifizierungsstellen-Webregistrierung (CAWE) schlägt fehl mit Fehlercode „RPC_S_SERVER_UNAVAILABLE“”

Comments are closed.

en_USEnglish