CA Web Enrollment (certsrv) behind a VIP / load balancer

Prashant G 1 Reputation point
2021-05-11T16:51:44.703+00:00

Hello Team,

Is it a good recommendation to move the CA Web Enrollment role behind a VIP / load balancer? I am getting an error while using CA Web Enrollment behind the VIP: I am unable to request a certificate using https://<<VIP_NAME>>/certsrv and get the error message below.

Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.

Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
COM Error Info:
CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
LastStatus:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Suggested Cause:
This error can occur if the Certification Authority Service has not been started.

If I request the certificate using the FQDN of the server, it works fine.

Please advise

Thanks,
-Prashant GIRENNAVAR.


3 answers

  1. Daisy Zhou 20,556 Reputation points Microsoft Vendor
    2021-05-12T01:56:01.903+00:00

    Hello @Prashant G ,

    Thank you for posting here.

    I checked in my lab.

    My SSL certificate is issued to the FQDN of the server.

    Then I request a certificate using https://FQDN/certsrv/ (for example, https://2016-2.fabrikam.com/certsrv/certfnsh.asp).

    Why do you use <<VIP_NAME>> instead of the FQDN?
    What name is the SSL certificate bound to the web page issued to?
    What is the relationship between <<VIP_NAME>> and the FQDN of the server?

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


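The three questions above (how the VIP name relates to the server FQDN, which name the bound SSL certificate carries, and whether the CA's RPC interface is reachable from the web enrollment host) can be checked from the web enrollment server with the script below. It is an added diagnostic for this thread, not code from either poster; the VIP name, CA host and CA configuration string are placeholders to replace with your own values, and the certificate check assumes the WebAdministration module present with the Web Enrollment role.

```powershell
# Added diagnostic for CA Web Enrollment behind a VIP. Not from the original thread.
# All three values below are placeholders (assumptions), replace with your environment's.
$VipName    = 'pki.example.com'                         # name users put in https://<VIP>/certsrv
$CaHostFqdn = 'ca01.example.com'                        # FQDN of the CA / web enrollment server
$CaConfig   = 'ca01.example.com\Example Issuing CA'     # "Host\CA name" as certutil -dump shows it

# 1. Relationship between the VIP name and the server FQDN: what does each resolve to?
'--- DNS ---'
Resolve-DnsName -Name $VipName    -Type A -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
Resolve-DnsName -Name $CaHostFqdn -Type A -ErrorAction SilentlyContinue | Select-Object Name, IPAddress

# 2. Is TLS reachable through the VIP, and is the RPC endpoint mapper (TCP 135) reachable on the CA host?
#    CCertRequest::Submit talks DCOM/RPC to the CA service, so the web server must reach 135 plus the
#    dynamic RPC port range on the CA; a VIP that only forwards 443 never carries that traffic.
'--- Ports ---'
Test-NetConnection -ComputerName $VipName    -Port 443 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName $CaHostFqdn -Port 135 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. Which name is the certificate bound to the certsrv site issued to, and does it cover the VIP name?
'--- TLS binding ---'
Import-Module WebAdministration -ErrorAction Stop
$binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if ($null -eq $binding) {
    'No HTTPS binding found on port 443.'
} else {
    $cert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        SAN        = $san
        Thumbprint = $cert.Thumbprint
        # Browsers only accept the VIP URL if the VIP name is in the subject or SAN.
        CoversVip  = ($cert.Subject -match [regex]::Escape($VipName)) -or ($san -match [regex]::Escape($VipName))
    }
}

# 4. Can the CA's RPC interface be reached with the credentials this session holds?
#    A failure here reproduces RPC_S_SERVER_UNAVAILABLE independently of IIS and the load balancer.
'--- CA ping ---'
certutil -config $CaConfig -ping
```

Run it once while connected to the server by its FQDN and once through the VIP; a binding whose certificate lacks the VIP name, or a failed `-ping`, narrows the 0x800706ba error to the name in use or to RPC reachability rather than to the load balancer itself.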

  2. Prashant G 1 Reputation point
    2021-05-12T03:32:14.1+00:00

    Thank you, DaisyZhou-MSFT.

    The reason behind using the VIP address is that the traffic is distributed and we have availability of the role if one of the servers goes down.
    Since the traffic sent by the network load balancer is round robin, it appears it does not work well with CA Web Enrollment, since the session cookies are not shared with all the hosts by the load balancer.

    Am I correct?

    Thanks,
    -Prashant GIRENNAVAR.


  3. Vijay Kumar 161 Reputation points
    2024-04-25T17:15:05.3+00:00

    Hi Prashant

    Did you ever get this fixed? I am also looking for the same, as I have multiple SubCAs handling the enrollment web service and want to put those back behind an F5 load balancer.

    Thanks

    Vijay
