Tracking down the cause of a 537 login problem

Recently I re-installed my desktop software onto a different disk drive and I started getting several event ID 537 error messages in the server security log. The workstation was not showing any operational problems, so this is a low-priority problem. The biggest problem is that the sheer number of errors distorts my server monitoring report. It's annoying me about a non-critical problem. Somewhere in my past I had fixed this problem, but unfortunately I could not remember how I did it. In fact, I am not sure I ever knew how I fixed it! This particular error occurs with a status code of 0xC00002EE. Microsoft has an ambiguous explanation for this error message. Suffice to say their explanation was not helpful. Yesterday I got annoyed enough to solve the problem.

If you search the web for the 537 event ID, you will find several proposed solutions. Here are some of the solutions:

  1. Check to see if your workstation has a different time than the server.
  2. Remove HP printer monitoring software.
  3. Remove network interface card monitoring software.

None of these solutions applied to me, so I had to dig deeper into the problem. The first thing I found out was that these errors appeared in clusters of three at periodic intervals. It looked like something at the workstation was triggering this error at periodic intervals, so I started browsing the event logs on the workstation for an error at this time. I found that the automatic certificate enrollment was failing. Hmm….
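The correlation step described above, as an added example that is not part of the original post: it groups the server's 537 events with status 0xC00002EE into clusters and lists the workstation events logged around the start of each cluster. The record layout, timestamps, the `ExampleService` source and the message strings are constructed for illustration; real input would come from an export of the two event logs.

```python
from datetime import datetime, timedelta

# Constructed sample records (not taken from the post's logs).
# Server Security log: (timestamp, event_id, status_code)
SERVER_EVENTS = [
    ("2006-03-01 08:00:02", 537, "0xC00002EE"),
    ("2006-03-01 08:00:02", 537, "0xC00002EE"),
    ("2006-03-01 08:00:03", 537, "0xC00002EE"),
    ("2006-03-01 11:42:10", 537, "0xC000006D"),  # unrelated single failure
    ("2006-03-01 16:00:01", 537, "0xC00002EE"),
    ("2006-03-01 16:00:02", 537, "0xC00002EE"),
    ("2006-03-01 16:00:02", 537, "0xC00002EE"),
]
# Workstation Application log: (timestamp, source, message)
WORKSTATION_EVENTS = [
    ("2006-03-01 08:00:01", "AutoEnrollment", "enrollment failed: The RPC server is unavailable"),
    ("2006-03-01 09:15:00", "ExampleService", "service started"),
    ("2006-03-01 16:00:00", "AutoEnrollment", "enrollment failed: The RPC server is unavailable"),
]
FMT = "%Y-%m-%d %H:%M:%S"

def find_clusters(events, event_id=537, status="0xC00002EE", gap=timedelta(seconds=10)):
    """Group matching events whose timestamps are at most `gap` apart."""
    times = sorted(datetime.strptime(t, FMT) for t, eid, st in events
                   if eid == event_id and st.lower() == status.lower())
    clusters = []
    for t in times:
        if clusters and t - clusters[-1][-1] <= gap:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return clusters

def correlate(clusters, workstation_events, window=timedelta(seconds=30)):
    """For each cluster, list workstation events within `window` of its start."""
    ws = [(datetime.strptime(t, FMT), src, msg) for t, src, msg in workstation_events]
    return [(c[0], len(c), [(src, msg) for t, src, msg in ws if abs(t - c[0]) <= window])
            for c in clusters]

def suspects(results):
    """Workstation event sources that coincide with every cluster."""
    sets = [{src for src, _ in hits} for _, _, hits in results]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":
    for start, size, hits in correlate(find_clusters(SERVER_EVENTS), WORKSTATION_EVENTS):
        print(start, f"cluster of {size}:", hits or "no workstation event nearby")
```

If the workstation and server clocks differ, widen `window` accordingly, since the match depends on both logs sharing a time base.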

When you look at the error message for the automatic certificate enrollment, you can see that it was failing because the “RPC server is unavailable”. So I cranked up the certificate snap-in and saw that the computer did not have a computer certificate. I also figured out that I could trigger the enrollment error by manually asking for a new certificate. Although there are a lot of causes of enrollment errors, I quickly focused on problems related to the ISA 2004 server and the RPC filter. ISA is a great firewall, but sometimes it can be overprotective. One of the recommended fixes was to turn off “strict RPC Compliance”. So I disabled that option, restarted the ISA firewall, and manually asked for a certificate. No luck! I got the same error.

The next trick that some people advised was to disable the RPC filter in ISA. So I disabled the RPC filter, restarted the firewall, and manually asked for the certificate again. This time it worked and I have a computer certificate that is valid for a year. I enabled the RPC filter and restarted the firewall to put everything back to normal.

This morning I checked the log file on both the server and the workstation. Both log files look normal. The errors are gone and no new errors have appeared. Since I believe that I am running a fully patched ISA server, the RPC problem is a curious problem. For kicks I checked the date on the rpcflter.dll. It looks like the latest and greatest version so I suspect that the RPC problem probably lies elsewhere. Oh well! At least I know how to get rid of the problem for a year.