Configure AD CS to use a static DCOM port


Normally when you start a Windows CA server it allocates a random high port number for the service to listen on. When clients want to enroll certificates they find this dynamic port number by asking the CA Server’s RPC Endpoint Mapper, that always listens on port 135.

If you use a firewall between the clients and the CA Server you have three choices:

  1. Open the firewall for all high ports 49152-65535
  2. Reduce the number of dynamic ports
  3. Configure the CA Server to use a static DCOM Port

If you use Windows versions older than Windows Vista or Windows Server 2008 then the port interval is 1025-65535. You can check the range with the following command:

netsh int ipv4 show dynamicport tcp


Note: You can change ipv4 to ipv6 and the tcp to upd in the command to suit your needs.

You can decrease this port interval by using the command

netsh int ipv4 set dynamicport tcp start=20000 num=1000

This example would set the interval to 20000-21000. This reduces the number of ports that needs to be open in the firewall, but it would be even better if the CA Server only would listen to a single port. You can not set this RPC port interval to use one port, since other services other than the CA Server might also need to allocate RPC ports.

Instead you should configure the CA Server to use a static DCOM port. Here are the steps:

  1. Log on with an account that has local administrator permission on the CA Server
  2. Open the Component Services snapin (dcomcnfg.exe).
  3. In the left pane of the Component Services snapin, expand Component Services, Computers, My Computer, and then click on DCOM Config.
  4. In the right pane, right-click on CertSrv Request and click Properties.
  5. On the Endpoints tab, click Add.
  6. Select Use static endpoint and  enter a TCP port number, for example 6666, and then click OK twice.
  7. Close the Component Services snapin.
  8. Restart the certification authority service:
        net stop certsvc
        net start certsvc
    Note! You may not be able to edit the properties of this component by default, since the registry key may be owned by Trusted Installer. In this case, you need to take ownership of a registry key that is the AppID of the DCOM Component “Cert Request” and grant Administrators Full Control to it. Do this by following the steps 9-12 (jump directly to step 14 if you successfully changed the DCOM component above):

  9. Start the Registry Editor
  10. Go to the following key:
  11. Right click the key {D99E6E74-FC88-11D0-B498-00A0C90312F3} and choose Permission
  12. Click Advanced and then the tab Owner. Select the local Administrators group and click OK. Make sure that that group has Full Control and click OK again.
  13. Repeat steps 1-8 again.

    Continue here if you already had permission to change the DCOM Config:

  14. No we disable RPC for the interface ICertPassage. In an elevated command prompt, run the following command:
        certutil -setreg ca\interfaceflags +0x8
    Verify that IF_NORPCICERTREQUEST is part of the InterfaceFlags under New Value in the commands output:
  15. Restart the certification authority service again:
        net stop certsvc
    net start certsvc
  16. Now you are done, but the CA Server will not change listening ports until a new certificate request comes in. You can verify what port the CA Server is listening to with the following command:
        netstat –anob
    Look for the row above [Certsrv.exe] that starts with “TCP <IP-address>:<Port>“:

    Here you can see that it is not listening to my configured port 6666 yet.
  17. After I requested a new certificate the CA Server listens to my chosen port and I can open only that port in the firewall:

About Tom Aafloen

IT Security Advisor @ Onevinn
This entry was posted in Okategoriserade and tagged , , , , , . Bookmark the permalink.

8 Responses to Configure AD CS to use a static DCOM port

  1. Steve Schmidlap says:

    This doesn’t work. It is insufficient. You clearly have NOT tested this thoroughly. If you did then you would find out that the CA initially responds to the Web Enrollment Server on a random port on which w3wp.exe is listening on the web server. This is the AppPool under which CertSrv is running on the enrollment server. This random port and all incoming replies to w3wp.exe from the CA are still blocked which prevents completion of the cert request. It is only AFTER the web server receives a reply from the CA that it then sends a CertSrv request via the static port we configured per your article. The CertSrv request is BLOCKED because the initial reply from the CA was blocked. If I turn off the firewall completely or add a rule from CA to web server that allows traffic to that port enrollment works, but neither is acceptable. The first defeats the purpose of having a firewall. The second is absurd as the port is random and the rule would have to be changed all the time to match.

  2. jamesavery336 says:

    All of your pics aren’t showing. Can you fix that? 🙂

  3. Mutti says:

    Hi, thanks you for this great post !

    • steve schmidlap says:

      I finally resolved this on my own, thank you. The key in my case that has never been mentioned anywhere is that a matching range of dynamic high end RPC/DCOM ports must be configured on BOTH ends – the server and client side. In my case the domain controller hosting the CA itself and the web server in the DMZ hosting the CA web enrollment pages.

      • Mike Elliott says:

        Sorry to dig up an old comment.

        In testing I found that the CA can be set to a fixed high port as described in these instructions. For the web enrolment server do you mean that you also needed to fix the outbound port that the RPC connection request is sent from, to satisfy your firewall requirements? If so what were the steps to do that?


  4. Iansus says:

    Using AD CS as an entreprise PKI, it is registered in the “Enrollment Services” container in the Active Directory.
    Using RPC, a workstation queries the RPC mapper on TCP/135 to get the random port chosen by AD CS.

    When you disable RPC, **how will the workstation know which port to use to contact the AD CS Enrollment Services ?**

    I am not talking about the Web based enrollment, just considering the “certreq -submit -config CA-HOST\CA-NAME …” case.

    Thanks in advance

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s