Re: Wireless connection problem from XP Pro SP2 to SBS 2003

Been busy doing service the last couple days but I have a little time to
revisit this problem today.

Yes, AE was still failing after setting NLA auto and Windows Firewall was
always using domain settings I believe.

Remote Registry is turned on and automatic on this PC. Ipconfig /all shows
the correct domain and DNS server and the only error I'm getting in the logs
is the Autoenrollment failure.

I went to the working PC and grabbed the certificate and installed it on
this PC. Unfortunately that didn't fix the problem, however now if the
wireless is enabled on boot up the PC takes a really long time at the
"preparing network connections" before it loads the desktop. If I disable the
wireless and reboot it starts up normally - but I still get the autoenroll
failure at every boot up.

Any ideas?

Thanks for the help!

"Dave Nickason [SBS MVP]" wrote:

You did check that auto enrollment is still failing after setting NLA to
automatic, right? If before you made that change, the firewall was using
the non-domain settings, that could have been what was doing the blocking.
Firewall blocking enrollment would have been my first guess, ISA second, but
you've got both of those ruled out now.

Just out of curiosity, is the Remote Registry service running on the client
PC? I've seen RPC failures with that turned off, not in this context and I
kind of doubt it's related, but worth a quick look.

You're sure the workstation is properly joined to the domain, and in
ipconfig /all, it's pointing to the SBS for DNS? No other errors in the
logs?

I do think you should troubleshoot and repair the auto enrollment issue.
However, that said, in the interest of getting the workstation connected,
can you export the cert from the working PC and import it to the non-working
one? If you open Internet Options -> Content Tab -> Certificates, you
should be able to see the cert in Trusted Root Certification Authorities.
Export to a USB key or whatever, then just import it on the other PC by
r-clicking the exported file and choosing Install (or similar). Make sure
to manually choose to put it in Trusted Root Certification Authorities.



"Cuervolush" <Cuervolush@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:674A8D40-8A7F-4E90-AE85-FF58BBD39E37@xxxxxxxxxxxxxxxx
Looked in the ISA console and "Enforce strict RPC compliance" is not
checked,
"enable" is checked.

I will look through the link you've provided and see if I can find a
similar
issue.

"Dave Nickason [SBS MVP]" wrote:

See if there's any help here
http://eventid.net/display.asp?eventid=13&eventno=2719&source=AutoEnrollment&phase=1.

Also, on the SBS, open the ISA console. In the left pane, r-click
Firewall
Policy and choose Edit System Policy. In the resulting window, find
Authentication Services in the left pane, and under that, choose Active
Directory. Is the box called "Enforce strict RPC compliance" checked?
If
so, uncheck it and click the Apply button at the top of the console. The
"Enable" box should be left checked.

Strict RPC compliance will block certificate auto enrollment, so that
could
be part of the problem if it's checked. If so, after making the change,
reboot the workstation and see if you still get the error.

Normally, I'd think having a working workstation would rule that out.
However, since others have been involved in the configuration of this
network, I'm thinking that one of them may have manually installed the
certificate on the working workstation, or that they enabled strict RPC
compliance after that workstation was configured.



"Cuervolush" <Cuervolush@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:02C0BA16-3DDB-45FF-8DE8-1FB93E25A621@xxxxxxxxxxxxxxxx
Hi Dave

I've checked in CP -> Windows Firewall but there is no properties, just
a
General, Exceptions, and Advanced tab. No where on any of these screens
do
I
see it say Domain or Non-Domain. NLA was started but Manual, so I went
ahead
and made it automatic anyway and rebooted without success.

I just now found out that we are indeed running ISA, however we do have
a
workstation in the office that is running wirelessly correctly.


"Dave Nickason [SBS MVP]" wrote:

Please go to CP -> Windows Firewall and open the properties. At the
bottom
of the first tab, does it say it's using your Domain or Non-Domain
settings?
If non-domain, please set the Network Location Awareness service to
Automatic startup and reboot the workstation.

Do you have other wireless computers that are functioning as expected?
If
so, please resist the temptation to mess with anything on the server.
It
appears that auto-enrollment is failing on that one PC, which is
almost
certainly not a server or CA issue.

Are you running ISA? That can prevent auto-enrollment, and the fix is
to
disable strict RPC compliance. Post back if you need more info on
doing
that (and note it would only apply if there are no PCs where auto
enrollment
is working).

"Cuervolush" <Cuervolush@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01A6F8E8-6FC8-4E83-89F1-62177BDE0DFE@xxxxxxxxxxxxxxxx
Our office is running SBS2003 and we recently had to rebuild a
workstation. After the rebuild, I can no longer connect wirelessly
to
the server. In Event Viewer I get the following:

Autoenrollment | Event 13

Automatic Certificate Enrollment for local system failed to enroll
for one Computer certificate. (0x800706ba). The RPC Server is
unavailable.

The wireless connection continuously tries to log in but comes back
with
status: Authentication Failed.

I've searched a bunch of places with this error but haven't been
able
to find an identical issue with a solution.

Unfortunately I did not set this server up, and have somewhat
limited
knowledge on the server side of things but know enough to be
dangerous. Any help would be much appreciated and I would be happy
to
provide any more information that would help in solving this
problem.

Thanks







.