Applies To:
All versions of Venafi Trust Protection Platform (as of Dec 2016)
Symptom:
After pressing the 'Get Templates' button on a Microsoft CA Template object or on the Microsoft CA import, the following error occurs:
Communication with the CA has failed, please check the settings before trying again. System error: CCertAdmin::GetCAProperty: The version of OLE on the client and server and machines does not match. 0x80010110 (-2147417840 RPC_E_VERSION_MISMATCH)
Cause:
The TPP server is unable to communicate with the MSCA server on the designated RPC port. The default DCOM port is 135. Trust Protection Platform contacts the MSCA application on port 135; however, the application returns its response on a different port. This can pose a problem in a firewall environment. For information on configuring DCOM with firewalls, see the following Microsoft Technical Document: http://support.microsoft.com/kb/154596. This error occurs when:
- The MSCA is not listening on the DCOM port (this is not port 135)
- There is a firewall blocking TPP's ability to communicate with the MSCA on the DCOM port (this is not port 135)
Testing
You can test TPP's ability to communicate with MSCA on the DCOM port:
- Open the Task Manager on the MSCA server to find the PID (process ID) of the process called "certsrv.exe".
- Run the following command in a command prompt on the MSCA server: netstat -aon | findstr 0000 (replace 0000 with the PID found in step one)
This will give you an output that looks like this:
TCP | 0.0.0.0:1075 | 0.0.0.0:0 | LISTENING | 1404 |
TCP | [::]:1075 | [::]:0 | LISTENING | 1404 |
The port number in the second column (1075 in this example) is the port number we are looking for. If you do not see any output, the MSCA server is not listening on any port and needs to be enabled before continuing.
With the port number from the previous step, run the following command on the TPP server command line: rpcping -s HOSTNAME -e 1705 (replace HOSTNAME with the MSCA network hostname and 1705 with the port number from step 2)
If this command is successful you will see:
A failure looks like this:
Resolution:
Update the firewall rules, or enable MSCA RPC access. See this article for details: https://support.microsoft.com/en-us/kb/154596
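The two checks from the Testing section can also be scripted in PowerShell. This is an added example, not Venafi or Microsoft code: the function names are hypothetical, HOSTNAME and 1075 are the placeholders used above, and it assumes a Windows version that ships Get-NetTCPConnection and Test-NetConnection.

```powershell
# Added example; function names are hypothetical.

# Run on the MSCA server: list the TCP ports certsrv.exe is listening on.
function Get-CertSrvListeningPort {
    $ca = Get-Process -Name certsrv -ErrorAction SilentlyContinue
    if (-not $ca) {
        Write-Warning 'certsrv.exe is not running on this host.'
        return
    }
    # Filter on the owning PID exactly. "findstr <pid>" also matches the same
    # digits inside a port number or inside a longer PID.
    $listeners = Get-NetTCPConnection -State Listen -OwningProcess $ca.Id `
        -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "certsrv.exe (PID $($ca.Id)) is not listening on any TCP port."
        return
    }
    $listeners | Select-Object -ExpandProperty LocalPort | Sort-Object -Unique
}

# Run on the TPP server: check TCP reachability of port 135 and of the
# port reported by Get-CertSrvListeningPort.
function Test-CaPortFromTpp {
    param(
        [Parameter(Mandatory)] [string] $CaHost,
        [Parameter(Mandatory)] [int]    $DcomPort
    )
    foreach ($port in 135, $DcomPort) {
        $result = Test-NetConnection -ComputerName $CaHost -Port $port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            CaHost    = $CaHost
            Port      = $port
            Reachable = $result.TcpTestSucceeded
        }
    }
}

# Usage:
#   Get-CertSrvListeningPort                             # on the MSCA server
#   Test-CaPortFromTpp -CaHost HOSTNAME -DcomPort 1075   # on the TPP server
```

A row with Reachable = False for the second port while port 135 is reachable points to the firewall case listed under Cause. This is only a TCP connection test, so rpcping remains the check that RPC itself works.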