I have a few Microsoft ISA 2006 servers in the environment and have recently started deploying a PKI: an online enterprise root CA in one domain, plus enterprise subordinate CAs for various functions in both the internal and external domains. With the enterprise CA in place, a few things have started to crop up on various systems that I am chasing down. On my ISA 2006 servers, which proxy web traffic to the Internet, I noticed the following warning repeatedly in the System event log:
Type: Warning
Source: Schannel
Category: None
Event ID: 36872
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
I have also been having problems with ISA 2006 forms-based authentication (FBA) processing password changes, which started at about the same time I installed the subordinate CA. Hoping the problems were related, and thinking that installing a computer certificate would be an easy fix, I decided to enroll a computer certificate with the Certificates MMC snap-in. Having admin rights on the ISA server, I launched the console I had already created for the local computer store and ran the wizard to enroll a computer certificate. After I filled in the required fields, the enrollment failed with an error that the RPC server on the remote machine was unavailable.
I first checked that the CA was online and running; it was. Then I checked the ISA server’s event log and found a DCOM error:
Type: Error
Source: DCOM
Category: None
Event ID: 10009
DCOM was unable to communicate with the computer [CA’s FQDN] using any of the configured protocols.
Chasing that error led me to the CA’s local group CERTSVC_DCOM_ACCESS, whose only member was Everyone, which looked odd. I added Domain Users and Domain Computers to the group, but that made no difference either.
I then enrolled a computer certificate from another (non-ISA) computer without any problem, so I figured it had to be something on the ISA server itself.
The next step was to make sure that neither the firewall policy nor the System Policy was blocking the traffic. I watched ISA Monitoring with the CA as the destination IP address and tried the enrollment again: every RPC connection to the CA was shown as allowed. I checked the System Policy, and the rule "Allow RPC from ISA Server to trusted servers" was enabled. In this lab setup, "trusted servers" is the whole Internal network.
But something jogged my memory, so I opened the rule to edit it. It has an option, "Enforce strict RPC compliance", which is checked by default. The explanation text reads:
"When ‘Enforce strict RPC compliance’ checkbox is not selected, additional RPC type protocols, such as DCOM, will be enabled."
BINGO!
So I cleared the checkbox, applied the change to ISA, and tried to enroll a certificate again: SUCCESS. So much for "strict compliance": certificate enrollment from the MMC talks to the CA over DCOM, which is exactly the "additional RPC type protocol" the strict setting shuts out, even though the plain RPC connections on port 135 showed up as allowed in the monitor.
Summary…
ISA Server 2006 needs to enroll machine certificates, and it does so over DCOM. Make sure RPC is permitted to trusted servers in the ISA System Policy, that the CA is included in the trusted-servers computer set, and that "Enforce strict RPC compliance" is NOT enabled on that rule. Since clearing that checkbox widens what the RPC filter lets through, keep the trusted-servers set as narrow as you can, ideally just the CA and any other servers that genuinely need RPC from the ISA server, rather than the whole Internal network.
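For anyone chasing the same symptoms, here is a short triage script to run on the ISA server as an administrator. It is an added example, not part of the original post or anything shipped with ISA: it pulls the two event IDs above out of the System log, checks that the RPC endpoint mapper (TCP 135) on the CA is reachable at all, and then makes the same kind of DCOM call the enrollment wizard makes, using certutil -ping against the CA’s ICertRequest interface. The CA host name ca01.corp.example.com and CA name "Corp Issuing CA" are placeholders; it assumes PowerShell 2.0 or later for try/catch.

```powershell
# Added example (not from the original post or from ISA/Microsoft).
# Assumptions (hypothetical, change to match your environment):
$CaHost   = "ca01.corp.example.com"   # FQDN of the issuing CA
$CaName   = "Corp Issuing CA"         # CA common name as shown in certsrv
$CaConfig = "$CaHost\$CaName"         # certutil -config syntax: Host\CAName

# 1. Event-log evidence: DCOM 10009 (RPC/DCOM to the CA failed) and
#    Schannel 36872 (no usable machine certificate yet).
Get-EventLog System -Newest 500 |
    Where-Object { $_.EventID -eq 10009 -or $_.EventID -eq 36872 } |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-List

# 2. Is the RPC endpoint mapper on the CA reachable at the TCP level?
#    This is the part ISA Monitoring showed as "allowed" above.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($CaHost, 135)
    "TCP 135 to ${CaHost}: open"
}
catch {
    "TCP 135 to ${CaHost}: BLOCKED ($($_.Exception.Message))"
}
finally {
    $tcp.Close()
}

# 3. A real DCOM call to the CA's ICertRequest interface. Port 135 being
#    open is not enough: the DCOM activation and the dynamic port handed
#    back by the endpoint mapper also have to get past ISA's RPC filter,
#    which is what "Enforce strict RPC compliance" interferes with.
certutil -ping -config $CaConfig
if ($LASTEXITCODE -ne 0) {
    "certutil -ping failed (exit code $LASTEXITCODE)."
    "If step 2 succeeded but this fails with RPC server unavailable (0x800706ba),"
    "suspect the RPC filter: clear 'Enforce strict RPC compliance' on the"
    "system-policy rule 'Allow RPC from ISA Server to trusted servers' and retry."
}
else {
    "certutil -ping succeeded: DCOM to $CaConfig is working."
}
```

Run it once before and once after changing the System Policy rule; the interesting combination is step 2 succeeding while step 3 fails, which points at the filter rather than at routing or the CA itself.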
keywords: ISA 2006, certificates, dcom 10009, rpc, schannel 36872
I hope you find this useful, and if you do, please comment. If you find anything above that needs to be changed, or if your environment needed additional tweaking, please also comment so I can either revise the information above, or so that others with similar situations can see what you did differently. Thanks!
3 comments
Hi,
Thanks for the article. I’m having the same problem at work, and the DCOM error is present in the event log. I don’t suppose you have any suggestions for ISA 2004, do you? I’m a novice with ISA so any hints would be great.
Thanks,
Rick Bull.
Thank you very much for this advice. It took me hours trying to get a computer certificate on my ISA2006 box.
Your advice made my day.
Jürgen
Rick,
Sorry I didn’t see this sooner…I guess I need to check my notifications.
As to ISA 2004, I have never touched the product; I went straight to 2006. However, I keep getting told by MS, when I ask about the MOC class, that the two versions are so similar that I should just look at the 2004 material. Yeah, right. If the stuff I put in about 2006 doesn’t seem to apply directly to 2004, take a look at a network trace and see if you are generating traffic. If you are, there should be enough in the decode for you to see whether it is a perms issue or not. You may also try stopping the “Microsoft Firewall” service long enough to enroll your cert; if it is the ISA services blocking you, that is a dirty but quick fix that may get you past the roadblock.
Good luck!