Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE".

Assume the following scenario:

• A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
• The role is installed on a separate server, not on the certification authority directly.
• A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
• The request fails with the following error message:

Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)

The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.

Possible causes can be:

• The Certification Authority cannot be reached, for example because a firewall prevents the connection. If the firewall drops the packets without notifying the sender, this is reflected in the CAWE by the request "hanging" for a very long time before the error message is generated.
• The service account under which the CAWE is running is not configured for delegation or is not configured correctly.
• The service account under which the CAWE is running is not a member of the Windows Authorization Access security group.
• The user account with which the certificate was requested may not be delegated.
• No authentication is possible at the RPC/DCOM interface of the certification authority or the connection is blocked by a firewall

Details: The service account under which the CAWE is running is not or not correctly configured for delegation.

Unfortunately, the error messages issued by CAWE are not very meaningful. The RPC_S_SERVER_UNAVAILABLE error occurs, among others, when the delegation of user authentication to the CA fails and the CAWE is running with the identity of the IIS application pool.

For delegation variants that only allow Kerberos-only authentication, NTLM authentication is no longer possible. These are:

• "Trust this User for delegation to any service (Kerberos only)".
• "Trust this user for delegation to specified services only" in conjunction with "Use Kerberos only".

Therefore, for proper functioning of CAWE, it is recommended to set the delegation settings to "Trust this user for delegation to specified services only" in conjunction with "Use any authentication protocol".

See also the following articles:

• Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).
• Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.

Details: The user account with which the certificate was requested must not be delegated.

If the "Account is sensitive and cannot be delegated" option is enabled on the user account (LDAP flag ADS_ON_NOT_DELEGATED) is enabled, CAWE cannot impersonate the user to request the certificate. The same applies if the user is a member of the Protected Users group.

Details: No authentication is possible at the RPC/DCOM interface of the certification authority, or the connection is blocked by a firewall

The CAWE assumes a regular responsibility vis-à-vis the Certification Authority. Requesting certificates via DCOM before. Errors that may occur due to a problem with the network connection or authentication on the RPC/DCOM interface cause the RPC_S_SERVER_UNAVAILABLE error code.

For a detailed description of all possible causes, see the article "Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".„.

Related links:

• Required firewall rules for certification authority web registration
• Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).
• Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.

External sources

• Some applications and APIs require access to authorization information on account objects (Microsoft)
• Highly Available Microsoft CA Web Enrollment Servers using DNS (Mike's Mishaps in IT)