Certification Authority Enhanced RPC security

Certification Authority 2012/2012R2 and XP clients

Some Customers still have Windows XP though it is in End of Support since 8 April 2014. I found one of this *#$%ยง clients where I have an 802.1x implementation with an Enterprise Certification Authority with Windows Server 2012 R2.

Why I detailed my configuration? Because Windows 2012 and newer raised RPC security settings even on PKI CA and this cause failing certificate requests on Windows XP/Windows Server 2003.
When trying to issue certificate on Windows XP I got the error “The certificate request failed. The permissions on this certification authority do not allow the current user to enroll for certificates. ”

At first glance it has to be Permissions issue but when I verify them on CA and on the template level they are ok. If we go to the “Failed Request” container on CA we cannot see any request which has been denied by the CA. This is because the request is never delivered to the server.

So how to let Windows XP enroll certificates from Windows 2012/2012R2 Certification Authority?

  1. Upgrade Windows clients to higher OS as XP is not supported anymore
  2. Disable Enhanced RPC security for certificate requests

In my case, the first option wasn’t viable.

Read More