This comes “as is” from a Microsoft forum:
1) Is the CA machine reachable from the client machine on which the request
is being generated
2) The client machine should be in the same domain as the CA machine or both
of them should be in the same domain for DCOM to be able to request
certificates
Discuss This Question: 4  Replies
In case your server is not part of a domain, such that adapting the group settings for CERTSVC_DCOM_ACCESS does not apply:
If remote login is denied due to unknown username/password, you may add on the server side a user and corresponding password matching the user that on the client side needing access to the service.
Also make sure that the respecitive access rights are granted, for instance:
Start->All Programs->Administrative Tools->Component Services (Expand)-> Computers (Expand)->My Computer (right-click)->Properties.
In the COM Security tab:
Access Permission->Edit Limits->Everyone->Remote Access
Launch and Activation Permissions->Edit Limits->Everyone->Remote Launch