Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "WS_E_ENDPOINT_FAILURE".

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Web Service (CES) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
The remote endpoint could not process the request. 0x803d000f (-2143485937 WS_E_ENDPOINT_FAILURE)

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

The error occurs when the web application (the "endpoint") does not respond correctly ("failure"). This is usually the case when the CES web application fails to start. In this case, Event No. 2 is logged on the CES server.

Possible causes


Possible causes can be:

  • The CES server points to a certification authority that does not exist.
  • The CES service account does not have the right to request certificates on the certification authority.
  • The CES service account cannot authenticate at the RPC/DCOM interface of the certification authority, or the connection is blocked by a firewall.

Details: The CES server points to a certification authority that does not exist.

The configured certification authority can be checked in the "CAConfig" entry in the "Application Settings" section of the CES web application for the respective authentication method in the Internet Information Services (IIS) management console.

Details: The CES service account must have the right to request certificates on the certification authority

A missing right should be logged in the event log on the CES server.

Details: The CES service account cannot authenticate at the RPC/DCOM interface of the certification authority, or the connection is blocked by a firewall

CES performs a regular certificate request via DCOM. When the CES web application is started for the first time, the GetCAProperty method is also called against the certification authority. For both, the firewall ports required for requesting certificates via DCOM must be open between the CES server and the certification authority.

Errors that may occur due to a problem with the network connection or authentication to the RPC/DCOM interface cause the RPC_S_SERVER_UNAVAILABLE error code.

For a detailed description of all possible causes, see the article "Certificate request fails with error message 'The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)'".
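The following PowerShell script, added here as an example and not part of the original article, walks through the three causes above on the CES server: it reads "CAConfig" from the CES web application, pings that CA via DCOM with certutil, tests the RPC endpoint mapper port, and looks for Event No. 2. The IIS application path and the event provider filter are assumptions to adapt to your environment.

```powershell
# Added diagnostic script (not from the original article). The CES application
# path and the event provider filter below are placeholders/assumptions.
param(
    # IIS path of the CES application to check (placeholder, adjust to your CA name)
    [string]$CesAppPath = 'IIS:\Sites\Default Web Site\CONTOSO-CA_CES_Kerberos'
)

Import-Module WebAdministration

# 1. Read the configured CA ("CAConfig" in Application Settings) of the CES web app.
$attr = Get-WebConfigurationProperty -PSPath $CesAppPath `
    -Filter "appSettings/add[@key='CAConfig']" -Name value
$caConfig = if ($attr -is [string]) { $attr } else { $attr.Value }
if (-not $caConfig) { throw "CAConfig is not set for $CesAppPath" }
"CES points to CA: $caConfig"

# 2. Check that this CA exists and answers over RPC/DCOM. A wrong name, a CA
#    that is down, or a blocking firewall shows up here as RPC_S_SERVER_UNAVAILABLE.
$ping = & certutil.exe -ping -config $caConfig 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "CA '$caConfig' did not answer the DCOM ping:`n$($ping -join "`n")"
} else {
    "CA '$caConfig' answered the DCOM ping."
}

# 3. Check reachability of the RPC endpoint mapper (TCP 135) on the CA host.
$caHost = ($caConfig -split '\\')[0]
$tnc = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
"TCP 135 to $caHost reachable: $($tnc.TcpTestSucceeded)"

# 4. Look for Event No. 2 (CES web application failed to start) from the last day.
#    The provider name filter is an assumption; adjust it if your events differ.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 2; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Enrollment*' }
$events | Select-Object TimeCreated, ProviderName, Message | Format-List
```

Run it in an elevated PowerShell session on the CES server; a failed step 2 together with a failed step 3 points to the firewall, a failed step 2 alone to a wrong CAConfig or missing request permission.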
