No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)

Assume the following scenario:

  • A user works remotely via Virtual Private Network (VPN)
  • A certificate should be requested via autoenrollment, but this does not happen
  • A connection test (certutil -ping) to the certification authority throws the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.

For a detailed description of how manual and automatic certificate requests from an Active Directory integrated certification authority work, see the article "Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)".

Example of a corresponding certutil command:

certutil ^
-config "ca02.intra.adcslabor.de\ADCS Lab Issuing CA 1" ^
-ping

Cause

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

In this case, the user had changed his Active Directory password but continued to log on to his computer with the old password. The VPN connection was only established after the Windows logon, so the credentials were never refreshed against Active Directory.

Certutil misleadingly reports that the connection to the certification authority could not be established; in fact, this was an authentication error.

Locking the desktop and then unlocking it with the current password while the VPN connection was up solved the problem.
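The following PowerShell script is an added diagnostic and is not part of the original article. It separates the two causes that certutil folds into the same RPC_S_SERVER_UNAVAILABLE message: a CA that is genuinely unreachable over RPC, and a logon session whose cached credentials can no longer obtain a Kerberos ticket. The CA host name and configuration string are taken from the certutil example above; everything else (parameter names, the TGT heuristic) is an assumption of this example.

```powershell
# Added diagnostic (not from the original article): tell "CA unreachable" apart
# from "stale cached credentials" before trusting certutil's RPC error text.
# Assumptions: run on the VPN client; CA host and config string as in the article.
param(
    [string]$CaHost   = 'ca02.intra.adcslabor.de',
    [string]$CaConfig = 'ca02.intra.adcslabor.de\ADCS Lab Issuing CA 1'
)

# 1. Is the RPC endpoint mapper (TCP 135) on the CA reachable at all?
$rpc = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
if (-not $rpc.TcpTestSucceeded) {
    Write-Warning "TCP 135 to $CaHost is closed or filtered: this is a genuine network/RPC problem."
    return
}
Write-Host "TCP 135 to $CaHost is reachable; the RPC error from certutil is probably not network related."

# 2. Does the current logon session hold a Kerberos TGT?
#    Heuristic (assumption): if the session logged on with an old cached password,
#    the KDC rejects the TGT request once the VPN is up, so no krbtgt ticket is
#    present and RPC authentication to the CA fails.
$tickets = klist.exe 2>&1 | Out-String
if ($tickets -notmatch 'krbtgt/') {
    Write-Warning "No Kerberos TGT in this logon session. Lock and unlock the workstation with the current password while the VPN is up, then retry."
} else {
    Write-Host "Kerberos TGT present."
}

# 3. Re-run the CA ping; $LASTEXITCODE carries certutil's HRESULT as a signed Int32.
certutil.exe -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning ("certutil -ping failed with 0x{0:X8}." -f $LASTEXITCODE)
} else {
    Write-Host "certutil -ping succeeded."
}
```

Run it from the VPN-connected client as the affected user. If step 1 passes and step 2 finds no TGT, the symptom matches the scenario described in this article rather than a firewall or DCOM problem.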

For a detailed description of what causes the RPC_S_SERVER_UNAVAILABLE error code, see the article "Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"".
