Certification Authority Enhanced RPC security

Certification Authority 2012/2012R2 and XP clients

Some customers still have Windows XP even though it has been out of support since 8 April 2014. I found one of these *#$%§ clients where I have an 802.1X implementation with an Enterprise Certification Authority on Windows Server 2012 R2.

Why did I detail my configuration? Because Windows Server 2012 and newer raised the RPC security settings, even on a PKI CA, and this causes certificate requests from Windows XP/Windows Server 2003 to fail.
When trying to issue a certificate on Windows XP I got the error “The certificate request failed. The permissions on this certification authority do not allow the current user to enroll for certificates.”

At first glance this has to be a permissions issue, but when I verified them on the CA and at the template level they were fine. If we look in the “Failed Requests” container on the CA we do not see any request that has been denied by the CA. This is because the request is never delivered to the server: the RPC call is rejected before the CA ever sees it, so nothing is logged there.

So how do we let Windows XP enroll certificates from a Windows 2012/2012 R2 Certification Authority?

  1. Upgrade the Windows clients to a newer OS, as XP is no longer supported
  2. Disable Enhanced RPC security for certificate requests

In my case, the first option wasn’t viable.

Disable Enhanced RPC security for certificate requests

To accomplish this task I need to remove the flag on the CA and restart the service:

certutil -setreg CAInterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
net stop certsvc
net start certsvc

Note: if step 1 (the certutil command) throws an error, your Certification Authority probably does not have the registry key that holds the Enhanced RPC security settings, because the setting is enabled by default (registry key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAInterfaceFlags). To solve this, run

certutil -setreg CAInterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST

to create the key, and then run the sequence above to disable the Enhanced RPC security settings.

When the last Windows XP client has been removed from the LAN, you can restore the default settings.
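The following PowerShell script is an added example (not part of the original post) that wraps the certutil sequence above: it reads CAInterfaceFlags, reports whether the IF_ENFORCEENCRYPTICERTREQUEST bit is set, clears it with -Disable for the XP workaround, and puts it back with -Restore once the last XP client is gone. Two things are assumptions of the example rather than facts from the post: the bit value 0x200 for IF_ENFORCEENCRYPTICERTREQUEST is taken from certutil's flag table, and the script looks for CAInterfaceFlags under a subkey named after the CA (the "Active" value of the Configuration key), which is where certutil -setreg writes it. Run it in an elevated PowerShell session on the CA; it supports -WhatIf.

```powershell
# Added example (not from the original post): inspect and toggle the
# IF_ENFORCEENCRYPTICERTREQUEST bit of CAInterfaceFlags on a Windows
# Server 2012/2012 R2 CA, then restart CertSvc. Run elevated on the CA.
# Assumptions (not stated on the page): 0x200 is the bit for
# IF_ENFORCEENCRYPTICERTREQUEST (from certutil's flag table), and the
# per-CA values live under Configuration\<CA name>, where <CA name> is
# the "Active" value of the Configuration key.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable,   # clear the bit so XP/2003 clients can enroll
    [switch]$Restore    # set the bit again (default, hardened state)
)

$ConfigKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$EnforceBit = 0x200     # IF_ENFORCEENCRYPTICERTREQUEST (assumed value, see above)

function Get-CAConfigPath {
    # The CA's own settings sit in a subkey named after the CA; that name is
    # stored in the "Active" value of the Configuration key.
    $active = (Get-ItemProperty -Path $ConfigKey -Name Active -ErrorAction Stop).Active
    return (Join-Path $ConfigKey $active)
}

function Get-CAInterfaceFlags {
    param([string]$Path)
    # Returns $null when the value is absent, which is the situation the
    # post's note describes (certutil -setreg ... +FLAG creates it).
    $item = Get-ItemProperty -Path $Path -Name CAInterfaceFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.CAInterfaceFlags
}

function Test-EnforceEncryptRequest {
    param([int]$Flags)
    return (($Flags -band $EnforceBit) -ne 0)
}

$caPath = Get-CAConfigPath
$flags  = Get-CAInterfaceFlags -Path $caPath

if ($null -eq $flags) {
    Write-Warning ("CAInterfaceFlags is not present under {0}. Create it first with:`n" +
                   "  certutil -setreg CAInterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST") -f $caPath
    return
}

Write-Host ("CAInterfaceFlags = 0x{0:X} ({0})" -f $flags)
Write-Host ("Encrypted ICertRequest enforced: {0}" -f (Test-EnforceEncryptRequest -Flags $flags))

if ($Disable -and (Test-EnforceEncryptRequest -Flags $flags)) {
    # Workaround from the post: drop the flag and restart the CA service.
    if ($PSCmdlet.ShouldProcess('CertSvc', 'Clear IF_ENFORCEENCRYPTICERTREQUEST and restart')) {
        certutil -setreg CAInterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST | Out-Null
        Restart-Service -Name certsvc
    }
}
elseif ($Restore -and -not (Test-EnforceEncryptRequest -Flags $flags)) {
    # Once the last XP client is gone, go back to the default setting.
    if ($PSCmdlet.ShouldProcess('CertSvc', 'Set IF_ENFORCEENCRYPTICERTREQUEST and restart')) {
        certutil -setreg CAInterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST | Out-Null
        Restart-Service -Name certsvc
    }
}

# Report the resulting value so the change is visible in the session transcript.
$after = Get-CAInterfaceFlags -Path $caPath
Write-Host ("After: CAInterfaceFlags = 0x{0:X}, enforced = {1}" -f $after, (Test-EnforceEncryptRequest -Flags $after))
```

Running the script with no switches only reports the current state, which is useful for a periodic check that the workaround has not been left in place longer than needed: while the bit is clear, the ICertRequest interface accepts enrollment calls that are not packet-encrypted, so the CA should be returned to the default with -Restore as soon as the legacy clients are gone.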