PrashantG-5650 asked:

CA Web Enrollment (certsrv) behind a VIP / load balancer

Hello Team,

Is it a good recommendation to move the CA Web Enrollment role behind a VIP / load balancer? I am getting an error while using CA Web Enrollment behind a VIP: I am unable to request a certificate using https://<<VIP_NAME>>/certsrv and get the error message below.

Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.


Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
COM Error Info:
CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
LastStatus:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Suggested Cause:
This error can occur if the Certification Authority Service has not been started.


If I request the certificate using the FQDN of the server, it works fine.

Please advise

Thanks,
-Prashant GIRENNAVAR.

Tags: windows-active-directory, windows-server-security

I would say that it is recommended to get rid of web enrollment at all. It is a very old and legacy thing. There is little to no practical use of web enrollment.

DaisyZhou-MSFT answered:

Hello @PrashantG-5650,

Thank you for posting here.

I checked in my lab.

My SSL certificate is issued to the FQDN of the server.
[attachment: ssl11.png]

Then I request a certificate using https://FQDN/certsrv/ (for example, https://2016-2.fabrikam.com/certsrv/certfnsh.asp).
[attachment: ssl1.png]


Why do you use <<VIP_NAME>> instead of the FQDN?
Who is the SSL certificate bound to the web page issued to?
What is the relationship between <<VIP_NAME>> and the FQDN of the server?


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.




PrashantG-5650 answered:

Thank you, DaisyZhou-MSFT.

The reason behind using the VIP address is that the traffic is distributed and we have availability of the role if one of the servers goes down.
Since the traffic sent by the network load balancer is round robin, it appears it does not work well with CA Web Enrollment, since the session cookies are not shared with all the hosts by the load balancer.

Am I correct?

Thanks,
-Prashant GIRENNAVAR.


Hello @PrashantG-5650,

Thank you for your update.

I think we should only be able to use https://FQDN/certsrv/, where the server with that FQDN is the one on which the CA Web Enrollment role is installed and configured.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

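As an added diagnostic (not code from this thread or from Microsoft), the script below separates the three things the thread is asking about: whether this web-enrollment host can reach the CA over RPC at all (the 0x800706ba / RPC_S_SERVER_UNAVAILABLE result in the question comes from the CCertRequest::Submit call the certsrv pages make from the web server to the CA), which name the HTTPS binding certificate is actually issued to (Daisy's second question), and whether each real node's FQDN and the VIP answer a GET of /certsrv/ with the caller's Windows credentials. The CA config string, the VIP name and the node FQDNs are placeholders you must replace; run it in an elevated PowerShell session on each front-end host and compare the per-node rows with the VIP row.

```powershell
# Added diagnostic example (not from the thread). Run elevated on a CA Web Enrollment
# front-end host. Every name below is an assumption / placeholder for your environment.
$CaConfig  = 'CA01.corp.example\Corp-Issuing-CA'            # assumption: "CAComputerFQDN\CA common name"
$VipName   = 'certsrv.corp.example'                          # assumption: DNS name of the VIP
$NodeFqdns = @('WEB01.corp.example', 'WEB02.corp.example')   # assumption: the real front-end hosts

function Test-CaRpc {
    # The certsrv pages submit requests over DCOM/RPC (ICertRequest) from this web host
    # to the CA; 0x800706ba means that hop failed. certutil -ping uses the same interface,
    # so a failure here reproduces the page error without involving the browser or the VIP.
    param([string]$Config)
    $caHost = ($Config -split '\\')[0]
    $epm  = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
    $ping = & certutil.exe -config $Config -ping 2>&1
    [pscustomobject]@{
        CaHost         = $caHost
        EndpointMapper = $epm.TcpTestSucceeded      # TCP 135 reachable from this host?
        CertutilPingOk = ($LASTEXITCODE -eq 0)
        CertutilOutput = ($ping -join ' ')
    }
}

function Test-CertsrvBinding {
    # Reads the HTTPS binding on this host and checks whether the expected name (the VIP)
    # appears in the certificate's subject or SAN. If it does not, clients using the VIP URL
    # get a name mismatch even though the same page works via the server FQDN.
    param([string]$ExpectedName)
    $netsh = & netsh.exe http show sslcert 2>&1
    $match = $netsh | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})' | Select-Object -First 1
    if (-not $match) { return [pscustomobject]@{ Bound = $false; NameCovered = $false } }
    $thumb  = $match.Matches[0].Groups[1].Value
    $cert   = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $san    = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $needle = [regex]::Escape($ExpectedName)
    [pscustomobject]@{
        Bound       = $true
        Thumbprint  = $thumb
        Subject     = $cert.Subject
        SAN         = $san
        NameCovered = (($cert.Subject -match $needle) -or ($san -match $needle))
    }
}

function Test-CertsrvUrl {
    # GET /certsrv/ over each name with the caller's Windows credentials and report the
    # HTTP status, so the per-node results can be compared with the VIP result side by side.
    param([string[]]$Names)
    foreach ($n in $Names) {
        $url = "https://$n/certsrv/"
        try {
            $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
            [pscustomobject]@{ Url = $url; Status = $r.StatusCode; Error = '' }
        } catch {
            [pscustomobject]@{ Url = $url; Status = 'FAIL'; Error = $_.Exception.Message }
        }
    }
}

Test-CaRpc -Config $CaConfig            | Format-List
Test-CertsrvBinding -ExpectedName $VipName | Format-List
Test-CertsrvUrl -Names ($NodeFqdns + $VipName) | Format-Table -AutoSize
```

Reading the output: if CertutilPingOk is false on a node, that node cannot submit requests to the CA regardless of which URL the client used, and the VIP merely surfaces whichever node it picked; if every node pings the CA fine but only the VIP row fails, the difference lies in what changes between the two URLs (the name on the binding certificate, reported by NameCovered, and the load balancer's distribution of each client's requests across nodes).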