Perfect Forward Secrecy (PFS) for IIS, TMG and UAG (and other services)

Traditionally during a client and a server establishes a SSL/TLS session they exchange a secret to protect this session. This secret is the same for all sessions established using the same certificate private key.

SSL web browser - server handshake (simplified):
1. Browser opens a connection to https://www.mywebsite.com
2. Server sends its public certificate
3. Web browser runs certificate verification and sends a message encrypted with the servers public key back
4. Web browser creates a secret session password
5. Server acknowledges the secret session password

If a attacker gets access to the web server's private key he can reveal the password and decrypt a previously recorded session.
That is where PFS is stepping in using Diffie-Hellman. Diffie-Hellman is a "magic" algorithm where 2 communication parties can create a secret without ever sending the secret over the wire. So even the attacker has the private key he cannot re-create the session password.

Quick facts:

- Perfect Forward Secrecy helps to mitigate attacks, when the attacker has access to the web server's private key and has a recording of previous sessions.
- PFS is not supported on all platforms and devices, but it seems we have reached a large enough volume and for legacy clients you should keep accepting at least one of the non-PFS ciphers.
- PFS has a performance overhead of 15 percent (in best case) depending on the exact cipher, depending on the overall traffic on your website this is a small or big number


Windows settings e.g. for IIS as reg file (update 11/15/2013):


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
"DisableRenegoOnClient"=dword:00000001
"DisableRenegoOnServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"

To test you web server I recommend:

Qualys SSL Labs - https://www.ssllabs.com/ssltest/

For further reading:

Vincent Bernat about PFS including performance benchmarks - http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

Wikipedia article about PFS - http://en.wikipedia.org/wiki/Perfect_forward_secrecy

GUI for changing Windows SSL settings - https://www.nartac.com/Products/IISCrypto/Default.aspx

Diffie- Hellman - http://en.wikipedia.org/wiki/Diffie-Hellman

Bitlocker Data Recovery Agent Certificate

Microsoft BitLocker supports Data Recovery Agents in Windows 7 and above.
That is a great way for large organizations to ensure that the corporate IT or Information Security has access to data for if the individual pass-phrase recovery is not working and for forensics.

To setup a Data Recovery Agent you can follow Microsofts blog post http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx

If you do not see the BitLocker Drive Encryptin and BitLocker Data Recovery Agent extended key usage (EKU) listed in the GUI install the BitLocker feature on your management machine. Even feature installation does not require a reboot, you will not see the EKU showing up in the last until you do so.

If you Certification Authority is running on Windows 2003 you have to add the EKUs manually. For this you need the OIDs, here you go.

Bitlocker Drive Encryption - 1.3.6.1.4.1.311.67.1.1

Bitlocker Data Recovery Agent - 1.3.6.1.4.1.311.67.1.2

Microsoft DNS server migration or IP address change

The IP address of a DNS server is almost a in stone written number. That is because the client DNS settings contain the IP address of the DNS server. Some clients are configured via DHCP, others manually, other clients are not known for using this DNS server. But you want catch them all.
So if you come into the situation to relocate your DNS server on the network, build a new machine but you cannot take the IP with you or if you are in the middle of a Active Directory migration project and you have already changed the DHCP settings and you need to find all manually configured machines, especially the unknowns; you can turn on debugging in the Microsoft DNS.

First of all enable the DNS debug logging. Open the DNS management console and click on properties of DNS server. Go to the Debug Logging tab.

Enable Log packets for debugging but disable Outgoing  under Packet direction.


Here the PowerShell script to process the debug files.


New-Variable -Name RegexIP -Force -Description "A regular expression object which matches and validates IP addresses." -Value ([regex]'(?<First>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Second>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Third>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Fourth>2[0-4]\d|25[0-5]|[01]?\d\d?)')
$Files = Get-Content "c:\system\DNS\log1.dns.txt" 

$RegexIP.Matches($Files)|Group value | foreach { 

$chkip=$_."Name"

try { [System.Net.Dns]::GetHostbyAddress($chkip).Hostname }

catch { write-host $chkip  }
#write-host $_.Exception.Message
}

The script does two things. First it reads all IP addresses from the log file and group them, and in a second step it tries to get from DNS the hostnames. If it cannot find a hostname for a an IP address it will just list the IP address in the output list.

output example:

PS C:\system> .\ipstat.ps1
win5010.frontoso.com
win5014.frontoso.com
win5052.frontoso.com
win5510.group.frontoso.com
10.0.1.11
10.0.1.10
win5012.frontoso.com


Now you have a list you start from the top, to change the DNS settings of those machines.
Because not every machine is connected every day you may want run the debug more often or for a longer period of time.
If you have multiple DNS servers you can process them all at once. Just append the debug log file name to $Files, seperated all files names by comma

This article targets DNS but if you get a logfile from any other service you could use the same method to identify who is accessing your server/service. e.g. with IIS log files.

Error opening SSL protected web sites running on IIS from a Windows XP computer

Recently I have experienced an error accessing a HTTPS web site using Internet Explorer 8. Even this is not the most current setup I thought I should share what happened.

1. A SSL certificate is installed on the Windows Server and is configured in IIS on the default web site or any other web site you have.

2. The client is a Windows XP machine and you use Internet Explorer to access the web site. (The problem does not occur if you use Chrome or Firefox.)

3. The problem: IE reports a "Internet Explorer cannot display the webpage" immediately when you try to access the web site. This is the same message you see if the web site or server does not exist or the DNS name cannot be resolved.

4. Accessing the same web site from Windows 7 using Internet Explorer works with no issues.

So what is wrong?

To investigate the problem I used Fiddler and the information from the server's event log that the browser and the web server could not found a common encryption cipher.
Because the server was just using the default settings I thought it would be good to verify the local machine's certificate store.
So I run a certutil.exe -store my on the server and I found out that the SSL certificate was installed using the Microsoft Strong Cryptographic provider. So I exported it and I have imported it using the certutil.exe -importpfx command to the Microsoft RSA SChannel Cryptographic Provider CSP. After that the access from the XP machines worked again.

btw: Qualys runs a free service with a excellent test drive for SSL web sites (including explanations what and why to configure) at https://www.ssllabs.com/ssltest/

How to transfer binary files through a RDP session

This post can a) help you to transfer binary files to a server over the RDP session or b) it can help you to close a gap in your server hardening procedures.


a)
Transferring a simple text file is just open the file on your local machine and copy&paste to the file on the server. But what if you have a binary file or you need to transfer multiple files which you have packed into a zip container?
All Windows PKI users should know the certutil.exe command line utility. Besides many other functions, it can also encode and decode files from and to base64. Originally this was planned to convert certificates between the base64 format and the binary format. You can also write a powershell script an use the ToBase64String and FromBase64String method. If you are not familiar with powershell you want use certutil.exe what is pre-installed on Windows 7, 2008 R2, Windows 8, Windows 2012.

1. to get your file prepared for the transfer run:

certutil.exe -encode file.zip filezip.txt

2. next, open the filezip.txt with Notepad and mark all and copy it to the clipboard

3. Open Notepad on the server with the same file name

notepad.exe filezip.txt

and paste the content from the clipboard. Save the file.

4. Last step is to convert the file back to binary using certutil again:

certutil.exe -decode filezip.txt file.zip

Now you can extract your files from the file.zip on the server.

According to comments made to this article http://blogs.msdn.com/b/rds/archive/2006/11/20/why-does-my-shared-clipboard-not-work-part-2.aspx
you cannot transfer any size of data through the RDP session. But you can transfer files in slices you have only to split the text file. And don't worry about the ---- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE ----- line in the text file.



b)
To prevent these transfers you must disable the RDP clipboard in the RDP server settings directly or over Group Policy settings. It seems that this is a server-wide setting and cannot be set on a user-base. Well, you lose a lot of convenience in working with the server console but it is more secure.

PowerShell script to enhance the Windows CA SMTP exit module

Windows CA SMTP exit module

the Windows Certification Authority has a built in feature (Windows Enterprise SKU) to send out emails to inform the PKI administrators if a new pending certificate request waiting for approval or if a new certificate has been issued. Just 2 examples.

The configuration must be done in the registry: See here for an example
http://social.technet.microsoft.com/wiki/contents/articles/2004.active-directory-certificate-services-smtp-exit-module-for-windows-server-2008-r2-example.aspx

Unfortunately you cannot configure it to send the issued certificate to the certificate requestor. For that I wrote a PowerShell script what is also working with the Windows Server 2008 R2 Standard Server.

Config file - sendcert_inc.ps1:

$sendcertpath=".\sendcert"
$msgFrom='noreply@frontoso.com'
$smtphost='127.0.0.1'
$certtmpl="1.3.6.1.4.1.311.21.8.5245527.10310595.8014498.11013764.15833798.137.13192380.4508386" #CorpWebServer
$certfileExt="txt" # fyi: extensions cer and der are blocked by Outlook
$mailbody="mailbody.txt"
$dbscanperiod="03:00" # 01:00 = 1 day, 1:15 = 1 day 15 hours; $dbscanperiod is the max time (now - $dbscanperiod) sendcert goes back in the certificate database, e.g. useful if you have already issued certs for years and you going to enable sendcert now

Mailbody.txt

Hello, attached is the requested certificate.

Please download the certificate and proceed with the SSL/TLS setup of your application.

For your convenience the certificate can be found as attachment and in the mail body.


Thank you,


----------------------------------------------------------------------------
Do not reply to this message. It was sent from an unmonitored email account.




sendcert.ps1

#
# Author: lutz.mueller-hipper@tribaldi.net
# Updates: lutz.mueller-hipper@insight.com
# Date: May 23, 2013 - v3.1
#
clear

import-module ActiveDirectory
# if not yet installed please install the ActiveDirectory PowerShell module
#dism /online /enable-feature /featurename:ActiveDirectory-PowerShell

if (-not (Test-Path .\sendcert_inc.ps1))
{
  write-host "Error: sendcert_inc.ps1 configuration file not found." >>sendcert.log
  exit;
} else {
  . .\sendcert_inc.ps1
}

if (-not (Test-Path $sendcertpath)) { mkdir $sendcertpath >$null}

$Arr_SendCert = @()

write-host "=========================="
write-host Start Send certificate via email to certificate requestor
write-host "=========================="
write-host

#Disposition Description
#20 certificate was issued
#21 certificate is revoked
#30 certificate request failed
#31 certificate request is denied

$reqid_db = @()
$reqid_db = get-content $sendcertpath\reqid_do_not_remove.txt

$reqid_db2 = @()

foreach ( $line in $reqid_db) {
 write-host "Line: "$line
 $reqid_db2 = $reqid_db2 + $line
}

certutil.exe -view -out "Request.requestid,Request.requestid" -restrict "CertificateTemplate=$certtmpl,Disposition=20,NotBefore>now-$dbscanperiod" csv > $sendcertpath\sendcert_scope.csv
$collection = @(Import-CSV $sendcertpath\sendcert_scope.csv)
write-host Issued certs during period: $collection.count

if ($collection.count -gt 0) {
  foreach($CADBentry in $collection)
  {

    $reqid = $CADBentry."request id"

    if ($reqid_db2 -notcontains $reqid) {  
    write-host 'Preparing email for request: ' $reqid

    $certview = certutil.exe -view -out "rawcertificate" -restrict "Request.requestid=$reqid"

    $certemail = @()
    $certattach = @()
    foreach($line in $certview)
     {
     #write-host "Line: " $line

     if ( $line -eq "-----BEGIN CERTIFICATE-----" ) { $certbegin="1" }
     if ( $certbegin -eq "1") {
       #write-host "next person in line pls"
       $certemail = $certemail + $line.trim() + "`n" #+ "`r`n"
       $certattach = $certattach + $line.trim() # + "`n" #+ "`r`n"
     
     }
     if ( $line -eq "-----END CERTIFICATE-----" ) { $certbegin="0" }

    }
    $cadb_requser= certutil.exe -view -out "Requester Name" -restrict "Request.requestid=$reqid" csv
    $requser = $cadb_requser[1]
    $requser = $requser.split("\")
    $user = $requser[1]
    $requser = $user.split("`"")
    $user = $requser[0]

$aduser=""

try {
 $aduser = get-aduser $user -Properties mail
  #$aduser.mail
}

catch [Exception] {
   write-host $_.Exception.Message
}

if ($aduser.mail.length -lt 1) {
  write-host "no email address found"
} else {

    $certattach > $sendcertpath\$reqid"."$certfileExt

$msg=new-object System.Net.Mail.MailMessage
$msg.From=$msgFrom
$msg.to.Add($aduser.mail)
$msg.Subject=$env:computername + ": SSL certificate " + $reqid
$msg.IsBodyHtml=$false
$mailbody = @()
$getmailbody = Get-Content mailbody.txt
foreach ($line in $getmailbody) {
  $mailbody = $mailbody + $line + "`n"
}
$msg.Body=@"

$mailbody

$certemail

-
Ref $reqid_$env:computername

"@

$att = new-object Net.Mail.Attachment($sendcertpath + "\" + $reqid + "." + $certfileExt)
$msg.Attachments.Add($att)


$smtp=new-object System.Net.Mail.SmtpClient
$smtp.host=$smtphost

try {
  $smtp.Send($msg)
  $reqid >> $sendcertpath\reqid_do_not_remove.txt
}
catch {
 write-host $_.Exception.Message
}
finally {
  $smtp.dispose
  $att.dispose()
    }
   }
  }
 }
}

Cannot request a certificate and Error 1722: The RPC server is unavailable

RPC errors can be ugly and are often not that easy to identify. In the last months I had two Windows PKI Installations where I ran into the error 1722 RPC server not available. In both cases the Windows CA was up and running but I could not enroll or autoenroll certificates. So I check the firewall rules, the CA server time and date and I used certutil.exe -ping CAhostname to verify RPC network communication.

I ran certutil -ping one time with the netbios name of the CA and all worked. That's why no one had an issued with the machine before for file transfer or a ping with the netbios name.


C:\system\>certutil -ping win5011
Connecting to win5011 ...
Server "AAA Frontoso R3" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.


But the certutil -ping for the full qualified hostname failed.


C:\system\adhc>certutil -ping win5011.frontoso.com
Connecting to win5011.frontoso.com ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.


So it turned out that in both cases the client used a non-MS DNS server for the Active Directory environment and the FQDN name of the CA server was incorrectly configured there. After adjusting the IP address in DNS certutil -ping with the FQDN name worked and the certificate enrollment as well.