How to: Use the Certificate Enrollment MMC in the TMG host machine

by Juan Carlos · March 14, 2013

How to: Use the Certificate Enrollment MMC in the TMG host machine

Behavior:

When you are using the Certificate MMC snap-in and/or try to perform a certificate auto-enrollment in your localhost/TMG server you’ll most likely run into an error message on-screen that reads ” RPC failure “. If you try requesting a certificate on other computers joined to your domain you won’t be experiencing this issue, only on your TMG

Solution:

DCOM is required in order to request a certificate and if you take a look at your TMG’s System Firewall Policy you will see that your AD connectivity has both flags selected: Enable RPC and Enable strict RPC compliance. For some reason having selected the Enable strict RPC compliance option blocks the DCOM traffic and hence you get an RPC failure when requesting a certificate. One proposed solution is rather simple: Disable that option when you are requesting certificates from your Active Directory Certificate Authority (AD CA). I am sure there must be a way to create a rule with higher priority and force that DCOM / RPC traffic to go through a static port… too much hassle for me. Hopefully you won’t mind checking and unchecking some boxes, and if strict RPC compliance is not a business need then might as well considering leaving that check box unselected. Hope this helps!

Additional resources:

RPC Filter and “Enable strict RPC compliance”

How to: Manage the Certificate Store on your local machine using the command prompt or PowerShell

How to: Use the Certificate Enrollment MMC in the TMG host machine