“RPC Server Unavailable” error while requesting IP-HTTPS certificate on UAG

by Shijaz Abdulla on 09.01.2011 at 20:30

If you're enabling DirectAccess on Forefront Unified Access Gateway in a lab, and you try to request an IP-HTTPS certificate for the UAG machine from your Enterprise CA, you might run into the following error:

“RPC Server Unavailable 0x800706ba”

This is because Forefront Unified Access Gateway is already installed on the machine, and TMG (Threat Management Gateway) is blocking DCOM/RPC traffic that is required to request a certificate using the MMC snap-in.

To avoid this issue, Tom Shinder’s documentation suggests that you request the IP-HTTPS certificate before you install UAG.

However, if you have already installed UAG, follow these steps to request and install the IP-HTTPS certificate:

1. Open Notepad and paste the following text to create the INF file for the request. The only values that may need to change are the subject name and the certificate template name.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=uag1.contoso.com" ; (Replace the subject name with the external FQDN of your UAG server)
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"

[RequestAttributes]
CertificateTemplate = WebServer2008

Replace WebServer2008 with the name of your IP-HTTPS certificate template.

2. Run Command Prompt as Administrator.

3. Convert the INF file to a request file (.req):
certreq -new ip-https.inf ip-https.req

4. Copy the request file to your CA server (or any server that has unrestricted access to the CA machine).

5. On the CA server, open Command Prompt as Administrator.

6. Submit the REQ file to the CA:
certreq -submit IP-HTTPS.req

7. Choose the CA in the popup window.

8. Save the file as IP-HTTPS.CER when prompted.

9. Copy the IP-HTTPS.CER file back to the UAG machine.

10. On the UAG machine, open Command Prompt as Administrator.

11. Type:
certreq -accept IP-HTTPS.cer

This will add the certificate to the local store.

12. (optional) Open the Certificates MMC for Local Computer. Open Properties for the uag1.contoso.com certificate. Set the Friendly Name to “IP-HTTPS Certificate” and click OK.
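
A check to run on the UAG machine once the certificate has been accepted, added here as an example and not part of the original post: it confirms that the installed certificate matches what the INF file requested (private key present, key length, key usage 0xA0 and the Server Authentication EKU). The function name Test-IpHttpsCertificate is hypothetical, and the subject defaults to the sample name uag1.contoso.com.

```powershell
# Added example, not from the original post. Test-IpHttpsCertificate is a hypothetical name.
function Test-IpHttpsCertificate {
    param(
        [string]$Subject = 'CN=uag1.contoso.com',  # sample subject from the INF; use your external FQDN
        [int]$MinKeyLength = 2048                  # KeyLength in [NewRequest]
    )
    $ekuExtOid     = '2.5.29.37'           # szOID_ENHANCED_KEY_USAGE in [Strings]
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # szOID_PKIX_KP_SERVER_AUTH in [Strings]
    $kuExtOid      = '2.5.29.15'           # X.509 Key Usage extension
    $wantedUsage   = 0xA0                  # KeyUsage in [NewRequest]: digital signature + key encipherment

    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with subject '$Subject' found in LocalMachine\My"
        return
    }
    foreach ($cert in $certs) {
        $problems = @()
        # certreq -accept should pair the issued certificate with the key made by certreq -new
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
        if ($cert.PublicKey.Key.KeySize -lt $MinKeyLength) { $problems += 'key shorter than requested' }

        # The EKU extension must list Server Authentication
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $serverAuthOid) { $problems += 'Server Authentication EKU missing' }

        # The Key Usage extension must include both bits requested as 0xA0
        $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $kuExtOid }
        if (([int]$ku.KeyUsages -band $wantedUsage) -ne $wantedUsage) { $problems += 'key usage differs from 0xA0' }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Passed     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-IpHttpsCertificate | Format-List
```

Run it from an elevated PowerShell prompt. A result with Passed set to False and "no private key" usually means the .cer file was accepted on a different machine from the one that generated the request.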

If you’re looking to test DirectAccess scenarios, I highly recommend that you check out Dr. Tom Shinder’s test lab guides published on the Microsoft website.
