I want to request a certificate on a standalone certification authority, and I have the following issue:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
I did these tasks, but the problem persists:
Disable the firewall on the CA (OK)
Get-WmiObject Win32_ComputerSystem -ComputerName (OK)
netstat -ano | find "135" (OK)
sc query Winmgmt and sc query rpcss (OK)
service Remote Procedure Call (RPC) is running (OK)
Test-NetConnection IP -port 135 (OK)
Test-NetConnection IP -port 49703 (WARNING: TCP connect to (IP : 49703) failed)
Event Viewer: Security (The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3} and APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user SID (S-1-5-21-2052401950-75243191-622671684-9855) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.)
Add Domain Users, Domain Controllers, Domain Computers groups to Certificate Service DCOM Access
Update the DCOM security settings on the server with the CA role (certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG / net stop certsvc & net start certsvc)
Nltest /Server:dc01 /query (OK)
Certutil -ping (OK)
Thanks so much.
I would suggest you check the TCP RPC dynamic ports on the client side. The RPC dynamic port range is 49152-65535. Also ensure that TCP port 135 is opened along with the RPC dynamic ports. These ports should be open outbound from the system requesting the certificate to the domain controller and the CA server.
Also, please check whether the 'Windows Remote Management' service is set to 'Manual' or not, and that it is started. Please ensure the same status for the 'Background Intelligent Transfer Service' on the system requesting the certificate. Once the above provisions are done, your issue while requesting a certificate should be resolved.
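Added example, not from the thread: a PowerShell function that runs the checks in the answer above from the machine requesting the certificate. The CA host name is an assumed placeholder; the dynamic port 49703 is the one the question's Test-NetConnection reported as failing.

```powershell
# Added example (not from the thread). Runs the answer's checks from the requesting client.
# Requires PowerShell 5+ (Get-Service exposes StartType). 'ca01.example.test' is a placeholder.
function Test-CaRpcPrereqs {
    param(
        [Parameter(Mandatory)] [string] $CaHost,
        [int[]] $DynamicPorts = @()   # dynamic ports seen failing, e.g. 49703 from the question
    )
    $r = @()

    # 1. TCP 135: the endpoint mapper hands out the dynamic port, so it must be reachable first.
    $t = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
    $r += [pscustomobject]@{ Check = 'TCP 135 (RPC endpoint mapper)'; Ok = $t.TcpTestSucceeded; Detail = "$($t.RemoteAddress)" }

    # 2. The dynamic port(s) the client is redirected to; the answer says 49152-65535 must be open to the CA.
    foreach ($p in $DynamicPorts) {
        $t = Test-NetConnection -ComputerName $CaHost -Port $p -WarningAction SilentlyContinue
        $note = if ($p -ge 49152 -and $p -le 65535) { 'in default dynamic range' } else { 'outside default range; check "netsh int ipv4 show dynamicport tcp" on the CA' }
        $r += [pscustomobject]@{ Check = "TCP $p (RPC dynamic port)"; Ok = $t.TcpTestSucceeded; Detail = $note }
    }

    # 3. The dynamic range this client itself uses (relevant when an outbound firewall filters by port).
    $range = (netsh int ipv4 show dynamicport tcp) -match 'Start Port|Number of Ports'
    $r += [pscustomobject]@{ Check = 'Client dynamic port range'; Ok = $true; Detail = (($range -replace '\s+', ' ') -join '; ') }

    # 4. Services the answer names: start type Manual or Automatic, and currently running.
    foreach ($name in 'WinRM', 'BITS') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        $ok = [bool]($s -and $s.StartType -in 'Manual', 'Automatic' -and $s.Status -eq 'Running')
        $detail = if ($s) { "$($s.StartType)/$($s.Status)" } else { 'service not found' }
        $r += [pscustomobject]@{ Check = "Service $name"; Ok = $ok; Detail = $detail }
    }
    $r
}

Test-CaRpcPrereqs -CaHost 'ca01.example.test' -DynamicPorts 49703 | Format-Table -AutoSize
```

If TCP 135 succeeds but the dynamic port fails, the CA's own configured range (not the default) is the first thing to compare against the firewall rule.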
We have two Windows 2012 servers residing on the same subnet in domain "FACTORY".
And we have an intermittent authentication issue (3rd party app) with users from domain "OFFICE".
During troubleshooting using the nltest command, I saw something which I don't understand.
Here is the output from the first Windows 2012 server:
nltest /dclist:OFFICE
Get list of DCs in domain 'OFFICE' from '\\DC01'.
You don't have access to DsBind to OFFICE (\\DC01) (Trying NetServerEnum).
I_NetGetDCList failed: Status = 6118 0x17e6 ERROR_NO_BROWSER_SERVERS_FOUND
Here is the output from the second Windows 2012 server:
nltest /dclist:OFFICE
Get list of DCs in domain 'OFFICE' from '\\DC02'.
You don't have access to DsBind to OFFICE (\\DC02) (Trying NetServerEnum).
List of DCs in Domain OFFICE
\\DC03 (PDC)
The command completed successfully
Why could the 2nd Windows 2012 server get the list of DCs in domain OFFICE? Both servers are located on the same network subnet, both have the same network settings, no WINS. I can see that nltest was using different DCs (DC01 vs DC02) to get the result, which I also don't understand.
I was reading a lot of articles about the error ERROR_NO_BROWSER_SERVERS_FOUND, which pointed to the "Computer Browser Service". However, this service is disabled on both servers.
The intermittent authentication issue has never been reported from the 2nd Windows 2012 server, so I would suspect this nltest result might contribute to that.
What's the domain topology?
What kind of trust is it?
Are there any error events from NETLOGON in the DC event logs on either side?
Does nltest /trusted_domains show the correct info on the FACTORY DCs?
Does nltest /sc_query:OtherDomain show any errors on the Trusting side?
Same with netdom trust TrustingDomainName /domain:TrustedDomainName /verify on each of the DCs on each side of the trust? (Or you can check it in AD Domains and Trusts). Unlike nltest, this requires credentials.
Are all the required ports, including all the required RPC ports, open between all the DCs in each domain? And in Windows Firewall? The most important aspect is that the Trusting domain DCs must be able to get to the PDCE in the Trusted domain. At the very least, you need these ports: LDAP (389 UDP and TCP), SMB (445 TCP), Kerberos (88 UDP), RPC portmapper (135 TCP), DNS (53 UDP and TCP)
Have you tried DNS queries from all the DCs to see if you can resolve the SRVs on each side? e.g. nslookup -q=SRV _ldap._tcp.mydomain.com (and the same for _kerberos._tcp and _kerberos._udp)
Do any of the DCs in either domain have the same hostname? Or duplicate SIDs? If the DCs were built from a custom image, were they Sysprepped?
Is the time in sync on all DCs on both sides of the trust? (Within 5 minutes, maximum)
Any errors in NETLOGON.LOG? You can enable NETLOGON debug logging for richer information, but only leave it on for a short time.
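Added example, not from the thread: a PowerShell function that automates the DNS SRV, port, time-sync and nltest checks from the answer above, run on a DC in the trusting domain against the trusted domain's PDC emulator. The domain and host names are assumed placeholders.

```powershell
# Added example (not from the thread). Run on a DC in the trusting domain (FACTORY) against the trusted
# domain's PDC emulator. 'office.example.test' and 'dc03.office.example.test' are placeholders.
function Test-TrustPrereqs {
    param(
        [Parameter(Mandatory)] [string] $TrustedDomain,
        [Parameter(Mandatory)] [string] $TrustedPdc
    )
    $r = @()

    # SRV records each side must resolve (the answer's nslookup -q=SRV checks).
    foreach ($svc in '_ldap._tcp', '_kerberos._tcp', '_kerberos._udp') {
        $name = "$svc.$TrustedDomain"
        $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
        $r += [pscustomobject]@{ Check = "SRV $name"; Ok = [bool]$rec; Detail = ($rec.NameTarget -join ', ') }
    }

    # TCP ports the answer lists, to the trusted PDCE. UDP 53/88/389 are not covered by a TCP connect test.
    $ports = [ordered]@{ 'DNS' = 53; 'Kerberos' = 88; 'RPC endpoint mapper' = 135; 'LDAP' = 389; 'SMB' = 445 }
    foreach ($k in $ports.Keys) {
        $t = Test-NetConnection -ComputerName $TrustedPdc -Port $ports[$k] -WarningAction SilentlyContinue
        $r += [pscustomobject]@{ Check = "TCP $($ports[$k]) ($k) -> $TrustedPdc"; Ok = $t.TcpTestSucceeded; Detail = "$($t.RemoteAddress)" }
    }

    # Clock skew against the trusted PDCE; Kerberos rejects tickets beyond 5 minutes of skew by default.
    $last = (w32tm /stripchart /computer:$TrustedPdc /samples:1 /dataonly 2>&1) | Select-Object -Last 1
    $skewOk = $false; $detail = "could not sample: $last"
    if ("$last" -match '([+-]\d+\.\d+)s') { $off = [double]$Matches[1]; $skewOk = [math]::Abs($off) -lt 300; $detail = "offset ${off}s" }
    $r += [pscustomobject]@{ Check = 'Time offset vs trusted PDCE'; Ok = $skewOk; Detail = $detail }

    # Secure channel and trust enumeration (the answer's nltest checks); nltest exits non-zero on failure.
    foreach ($arg in "/sc_query:$TrustedDomain", '/trusted_domains') {
        $out = nltest $arg 2>&1
        $r += [pscustomobject]@{ Check = "nltest $arg"; Ok = ($LASTEXITCODE -eq 0); Detail = (($out | Out-String) -replace '\s+', ' ').Trim() }
    }
    $r
}

Test-TrustPrereqs -TrustedDomain 'office.example.test' -TrustedPdc 'dc03.office.example.test' | Format-Table -AutoSize
```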
We changed the network gateway at the office, so we needed to reconfigure all virtual servers to the correct new gateway. After this, we were no longer able to connect to the Windows servers through RDP from Remmina. The error logged by the process running from the terminal was:
[...919] [...] [ERROR][com.freerdp.core] - failed to connect to 192.168.11.104
[...919] [...] [ERROR][com.freerdp.core.nego] - Protocol Security Negotiation Failure
[...919] [...] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x0002000C]
[...919] [...] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
Remmina's GUI does not provide much information about the error.
I have already tried deleting the known_hosts file, connecting with all security protocols and even with the old network configuration. But no way to connect.
Finally the problem was in the new Windows network profile established after changing the gateway. It was automatically set to Public, but needed Private.
Since I couldn't change it from the operating system GUI, I had to force the change manually from the terminal with the following steps:
Find out the index number of the current connection profile:
Get-NetConnectionProfile
Set profile as private:
Set-NetConnectionProfile -InterfaceIndex <index number> -NetworkCategory Private
After changing the profile to Private I was able to connect again from Remmina.
I'm trying to install a self-hosted WCF service on a server with Windows Server 2012.
I was following these steps:
import my pfx file with mmc
run "netsh http add sslcert ipport=0.0.0.0:49000 certhash=e09280ded2322eb858b38b3250e1a488f797b269 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"
install my service and start it
At first it works well. But after a few hours the SSL crashes and I can only get the error message below at the client:
An unhandled exception of type 'System.ServiceModel.CommunicationException' occurred in mscorlib.dll.
Additional information: An error occurred while making the HTTP request to https://servername:49000/WCFServiceName. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
run "netsh http delete sslcert ipport=0.0.0.0:49000"
and deleting the imported pfx and then redoing steps 1 and 2 makes SSL work again, but the problem still appears after a few hours.
It's definitely not the SecurityProtocol problem, for I have already tried adding
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
before the request. And both server and client use .NET Framework 4.5.2.
I've tried "netsh http show sslcert", and got the result below:
IP:port : 0.0.0.0:49000
Certificate Hash : e09280ded2322eb858b38b3250e1a488f797b269
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
I've tried deleting the sslcert binding on port 49000, creating an empty website binding to port 49000 in IIS and making my service listen on that port instead. It worked the first time and lasted for about a week before the same error popped out.
Where should I begin to locate and solve this weird problem?
First, we should ensure that the certificate private key can be accessed by WCF. The Network Service account (or Everyone account) should be added to the certificate READ/Write group, then we run the application (windows service, or console?) with the corresponding account.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-make-x-509-certificates-accessible-to-wcf
Second, as you know, TLS versions need OS and .NET Framework support; the default protocol version is SSL 3.0/TLS 1.0 (auto-negotiate, could not be configured). We had better use the latest OS version and .NET Framework 4.7. I think this may be the cause of unstable communications.
Please refer to the below document.
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
Feel free to let me know if the problem still exists.
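Added example, not from the answer or the question: a PowerShell function for the first check above, verifying that the certificate bound with netsh exists in the LocalMachine\My store, has a private key, and that the service account can read the key file, optionally granting Read (not Full Control). The thumbprint is the one from the question; the NETWORK SERVICE account and the CAPI key location are assumptions.

```powershell
# Added example (not from the thread). Checks HTTP.SYS private key access for the bound certificate.
# Assumes the WCF host runs as NETWORK SERVICE and the key is a CAPI (CSP) key under MachineKeys.
function Test-SslCertPrivateKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Account = 'NT AUTHORITY\NETWORK SERVICE',
        [switch] $Grant
    )
    # netsh http add sslcert binds from the LocalMachine 'My' store (Certificate Store Name : My above).
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the PFX with the key" }

    # CAPI keys are files named after the key container; CNG keys live elsewhere and need a different check.
    $keyName = try { $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { $null }
    if (-not $keyName) { throw "Key is not a CAPI key (CNG?); check ProgramData\Microsoft\Crypto\Keys instead" }
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName

    $acl = Get-Acl -Path $keyPath
    $readRule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    $hasRead = [bool]$readRule
    if (-not $hasRead -and $Grant) {
        # Read is sufficient for TLS; Full Control would also let the account re-key or delete the file.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyPath -AclObject $acl
        $hasRead = $true
    }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; KeyFile = $keyPath; ReadAccess = $hasRead }
}

Test-SslCertPrivateKeyAccess -Thumbprint 'e09280ded2322eb858b38b3250e1a488f797b269'
```

Run it again with -Grant only after confirming the reported key file is the one the binding uses; if the service runs under another account, pass it with -Account.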
Server1 sends WinRM Get request -
Server2 has been listening -
I guarantee that CertificateThumbprint and IP addresses in both servers match (Sorry part of IP addresses and CertificateThumbprint have to be removed since I am not allowed to publish all here).
I don't know why WinRM still has the error "The WS-Management service cannot find the certificate that was requested" presented.
I've found a solution to this problem. You must create a CSR, from the CSR you use digicert utility to create the certificate. That you import, and export again with the private key. Import that in the Certificate store and use winrm create to create the listener.
All found in my post.
There are probably many reasons for this error. In my case we were using the existing IIS SSL cert which was working for WinRM on some machines but not others. The difference was the certificate was marked as exportable on the ones that worked.
Try re-importing the certificate and making sure it is marked as exportable.
Export/Import certificates:
https://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm
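Added example, not from either answer: a PowerShell function that reads each HTTPS WinRM listener's configured thumbprint and reports whether the certificate is in the LocalMachine\My store, has a private key, whether that key is exportable (the point the second answer makes), and whether it carries the Server Authentication EKU and a DNS name matching this host. No listener name or thumbprint is assumed; it reads whatever is configured.

```powershell
# Added example (not from the thread). Compares WSMan HTTPS listeners against the local certificate store.
function Test-WinRmHttpsListener {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }) {
        $props = Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)"
        # The listener stores the thumbprint as text; normalise spacing and case before comparing.
        $tp = ((($props | Where-Object Name -eq 'CertificateThumbprint').Value) -replace '\s', '').ToUpper()
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }

        # Exportable is only readable through the CAPI key container; CNG keys report n/a.
        $csp = if ($cert -and $cert.HasPrivateKey) { try { $cert.PrivateKey.CspKeyContainerInfo } catch { $null } } else { $null }
        $ekuExt = if ($cert) { $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } }
        $eku = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
        $names = if ($cert) { @($cert.GetNameInfo('DnsName', $false)) + @($cert.DnsNameList.Unicode) } else { @() }

        [pscustomobject]@{
            Listener      = $l.Name
            Thumbprint    = $tp
            InStore       = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            KeyExportable = if ($csp) { $csp.Exportable } else { 'n/a (CNG key or no key)' }
            ServerAuthEku = ($eku -contains $serverAuthOid)
            NameMatches   = ($names -contains $fqdn)
            MatchedNames  = ($names -join ', ')
        }
    }
}

Test-WinRmHttpsListener | Format-List
```

A listener whose InStore is false, or whose certificate lacks the private key or Server Authentication EKU, produces the "cannot find the certificate that was requested" error described above.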
I'm using the Windows command net user userid /domain to check the groups for Windows IDs. When I make the call I get the error system error 1722:
C:\folder\net user userid /domain
The request will be processed at a domain controller for domain XXX.YYY.
System error 1722 has occurred.
The RPC server is unavailable.
Where / how can this issue be solved?
Enable NetBIOS over TCP/IP in advanced TCP/IP Settings