How to: Use the Certificate Enrollment MMC in the TMG host machine
When you are using the Certificate MMC snap-in and/or try to perform a certificate auto-enrollment in your localhost/TMG server you’ll most likely run into an error message on-screen that reads ” RPC failure “. If you try requesting a certificate on other computers joined to your domain you won’t be experiencing this issue, only on your TMG
DCOM is required in order to request a certificate and if you take a look at your TMG’s System Firewall Policy you will see that your AD connectivity has both flags selected: Enable RPC and Enable strict RPC compliance. For some reason having selected the Enable strict RPC compliance option blocks the DCOM traffic and hence you get an RPC failure when requesting a certificate. One proposed solution is rather simple: Disable that option when you are requesting certificates from your Active Directory Certificate Authority (AD CA). I am sure there must be a way to create a rule with higher priority and force that DCOM / RPC traffic to go through a static port… too much hassle for me. Hopefully you won’t mind checking and unchecking some boxes, and if strict RPC compliance is not a business need then might as well considering leaving that check box unselected. Hope this helps!