2.3 Hardware and software requirements

Refer to your Windows documentation for recommendations of the hardware and software needed for the Microsoft CA.

MyID supports the following:

If you need to work with an older version of Microsoft Certificate Services, contact Intercede quoting reference SUP-305.

Warning: The Microsoft CA can be installed in one of two modes – Enterprise and Standalone. MyID requires the Enterprise CA configuration.

2.3.1 User Account Control

If you are requesting a certificate from the certsrv web page, you may experience an error similar to:

Result: The RPC Server is unavailable. 0x800706ba (Win32:1722)

This is due to User Account Control (UAC) preventing the action. You must disable UAC on the server to correct the problem.

2.3.2 Failover clustering

MyID supports setting up a cluster of Microsoft CAs for failover purposes. The cluster appears to MyID as a single CA, so in the event of failover to a redundant CA, the process is transparent to MyID. See your Microsoft documentation for details of configuring failover clustering.

2.3.3 Firewall configuration

You must make sure that the firewall between the application server and your Microsoft CA or CAs is configured for port 135 (for RPC) as well as a DCOM range.

2.3.3.1 DCOM port ranges

To force the RPC system to use a specific range for its dynamic ports:

  1. From the Windows Administrative Tools, select Component Services.
  2. Browse to Console Root > Component Services > Computers.
  3. Right-click My Computer and select Properties.
  4. Select the Default Protocols tab, ensure Connection-oriented TCP/IP is selected in the list and click the Properties button.
  5. Set a port range.

    You should ensure the base port is above 1024. You need a range of at least 100 ports; for example, 5000-5099.

  6. Add the range, then click OK.

The port limit is not active until you reboot; however, you should set up the firewall before you reboot the machine.

2.3.3.2 Firewall configuration

You must open ports for the following:

See the documentation for the firewall you are using to open the necessary range of ports.

For example, to set up the default Windows firewall to use ports 5000-5099:

  1. From the Windows Administrative Tools, select Windows Firewall with Advanced Security.
  2. Select Inbound Rules and add a new rule using the Actions on the right.
  3. In the wizard that appears, select Port for the rule type and click Next.
  4. Select TCP.
  5. Provide a list of the ports you specified in Component Services.

    You can specify a range; for example:

    5000-5099

  6. Click Next.
  7. Select Allow the Connection then click Next.
  8. Make sure all three Apply rules are selected then click Next.
  9. Type a name for the rule.
  10. Finish the wizard.
  11. Ensure the firewall is switched on, then reboot the machine.

Note: You must carry out this procedure on both the CA server and the application server.
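The two procedures above (restricting the DCOM dynamic port range in Component Services, then opening TCP 135 and that range in Windows Firewall) as one PowerShell script. This is an added example, not from the MyID guide; it assumes the Microsoft-documented registry location that the Default Protocols dialog writes (HKLM\SOFTWARE\Microsoft\Rpc\Internet), the page's example range 5000-5099, and firewall rule names chosen here.

```powershell
# Added example (not from the MyID guide). Run elevated on both the CA server
# and the application server, then reboot, as the guide requires.
# Assumption: the RPC dynamic port range lives in the registry key documented by
# Microsoft for RPC dynamic port allocation; 5000-5099 is the page's example range.
$BasePort  = 5000
$PortCount = 100                      # the guide needs a range of at least 100 ports
$Range     = "$BasePort-$($BasePort + $PortCount - 1)"   # "5000-5099"

if ($BasePort -le 1024) { throw "Base port must be above 1024 (got $BasePort)" }
if ($PortCount -lt 100) { throw "Need a range of at least 100 ports (got $PortCount)" }

# 1. Restrict RPC dynamic ports (equivalent of Component Services > My Computer >
#    Default Protocols > Connection-oriented TCP/IP > Properties). Effective after reboot.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
Set-ItemProperty -Path $RpcKey -Name 'Ports'                  -Value @($Range) -Type MultiString
Set-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -Value 'Y'       -Type String
Set-ItemProperty -Path $RpcKey -Name 'UseInternetPorts'       -Value 'Y'       -Type String

# 2. Firewall: TCP 135 (RPC endpoint mapper) plus the DCOM range, inbound, allowed
#    on every profile (-Profile Any covers Domain, Private and Public, the three
#    "Apply" boxes in the wizard). Rule names are this example's own choice.
$Rules = @(
  @{ Name = 'MyID-CA RPC endpoint mapper (TCP 135)'; Port = '135'  },
  @{ Name = "MyID-CA DCOM range (TCP $Range)";       Port = $Range }
)
foreach ($r in $Rules) {
  if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
      -LocalPort $r.Port -Action Allow -Profile Any | Out-Null
  }
}

# 3. Checks before rebooting: the firewall is on for each profile, the rules exist
#    with the expected ports, and the registry range is what was intended.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
  ForEach-Object { Write-Warning "Firewall profile '$($_.Name)' is switched off" }
Get-NetFirewallRule -DisplayName 'MyID-CA*' | Get-NetFirewallPortFilter |
  Select-Object Protocol, LocalPort
Get-ItemProperty -Path $RpcKey | Select-Object Ports, UseInternetPorts
Write-Host "Reboot required: the RPC port restriction is not active until then."
```

Rebooting before the firewall rules exist is the failure mode the guide warns about, so the script creates the rules first and only tells you to reboot once the checks have run.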