Thursday, July 28, 2016

MS - Certificate autoenrollment behind a firewall

For anyone who has autoenrollment for certificates on machines that are behind firewalls, here are the ports and servers you want to look at for setting up firewall rules:


Client to domain controller:
    Kerberos port 88 (UDP/TCP)
    Ldap (TCP 389)
    RPC (tcp 135)
    RPC on dynamic port (>1023 TCP)

Client to certificate server(s) with the template available 
    RPC (TCP 135)
    Dynamic RPC (TCP > 1023) for CA servers on windows 2003 and earlier
    Dynamic RPC (TCP > 49151) for CA servers on newer windows OS's


If you want to find the specific port that the certificate services server is listening on for RPC requests, you can find it in several different ways.  If you have access to logon to the server, you can use:

tasklist /svc |find /I "Certsvc"

In that output, look at the process ID number and use it in the command below.  If the port is 52775, use:

netstat -ano |find "LISTEN" | Find "52775"


If you do not have access to logon to the server to run these commands and you have access to the old windows resource kit files, you can use RPC dump to look for the uuid 91ae6020-9e3c-11cf-8d7c-00aa00c091be.  Use:

rpcdump /S nameofremoteserver /I /v /P ncacn_ip_tcp.

This will output more than what you need, so search through the output to find the guid in the UUID field.  The port will be what is listed as the Endpoint, or in the StringBinding.


ProtSeq:ncacn_ip_tcp
Endpoint:52775
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:computername[52775]
UUID:91ae6020-9e3c-11cf-8d7c-00aa00c091be
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 0 VersMinor 0


Once you have obtained the port, you can use any port testing tool from the client to the CA server, like test-netconnection to see if that port, and port 135 is accessible to the client. 

1 comment:

  1. thank you for taking the time to post this information!

    ReplyDelete