KB ID 0000921 Dtd 01/02/14
Problem
I was trying to get Windows 7 to auto-enroll with a CA on Windows 2008 R2. After a couple of reboots, the certificates were simply not appearing on the test client I was working on.
Solution
1. Test to make sure the client can see the CA and is able to communicate with it. Issue the following command:
CertUtil: -pulse command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.
I then ran the command window 'as administrator' and it completed. This was the first inkling I had that permissions were probably not right.
2. Run mmc on an affected machine and add the Certificates (Local Computer*) snap-in. Right-click the 'Personal' container and attempt to manually get the certificate you have published.
*Or local user if you are auto enrolling user certificates.
Active Directory Enrollment Policy
The RPC server is unavailable.
3. The most common cause of that error is that the membership of the 'Certificate Service DCOM Access' group is incorrect. Check yours and make sure it matches the one below.
On the CA server, launch the Certification Authority management tool and look at the properties of the CA server itself. On the Security tab, make sure yours looks like this (Domain Computers and Domain Controllers should have the 'Request Certificates' rights).
On the CA server, check the permissions on the C:\Windows\System32\certsrv directory. Authenticated Users should have Read & Execute rights.
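The three CA-side checks above can also be read from an elevated PowerShell prompt on the CA server. This is an added example, not part of the original article: it only reports the current state, and the function name Test-ReadExecute and the choice to match Authenticated Users by its well-known SID (S-1-5-11) are assumptions made for this example.

```powershell
# Added example: read-only checks, run elevated on the CA server.
# Nothing here changes group membership or permissions.

# Step 3: list the 'Certificate Service DCOM Access' group so it can be
# compared with the expected membership. 'net localgroup' also works on a
# domain controller, where the group is domain local.
net localgroup "Certificate Service DCOM Access"

# CA Security tab: dump the CA's security descriptor and look for the
# Enroll (Request Certificates) entries for the expected groups.
certutil -getreg CA\Security

# certsrv directory: Authenticated Users should have Read & Execute.
# Hypothetical helper: returns $true only when an Allow ACE for the given SID
# applies to the directory itself and includes Read & Execute. Access granted
# through other groups is not evaluated.
function Test-ReadExecute {
    param(
        [string]$Path,
        [string]$Sid = 'S-1-5-11'   # well-known SID for Authenticated Users
    )
    $rx          = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    # Ask for SIDs rather than names so the check works on localized systems.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        if ($rule.AccessControlType -ne 'Allow')    { continue }
        # Inherit-only ACEs apply to children, not to this directory.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$rule.FileSystemRights -band $rx) -eq $rx) { return $true }
    }
    return $false
}

$certsrv = Join-Path $env:SystemRoot 'System32\certsrv'
if (Test-ReadExecute -Path $certsrv) {
    "OK: Authenticated Users have Read & Execute on $certsrv"
} else {
    "CHECK: no Allow Read & Execute ACE for Authenticated Users on $certsrv"
    (Get-Acl -Path $certsrv).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}
```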