Install and Configure Certificate Enrolment Policy Web Service

KB ID 0001250

Problem

A client had moved a domain joined server into their DMZ, and while they had opened the correct ports for Domain Authentication on their firewall, no one had considered the certificates on the server which had expired, and could not be renewed. 

Some research, pointed me towards Certificate Enrolment Web Service. Its job is to let clients enrol and renew certificates, from either non domain joined machines, or machines that cannot contact your PKI environment. This was just what I needed, I just need to test the concept. So I built a domain, setup a CA, and a DMZ (with the same firewall as my client, a Cisco ASA). Then moved a domain client into the DMZ, domain authentication as setup as follows;

Cisco ASA – Allowing Domain Trusts, and Authentication

 

Solution

Before starting I would suggest creating a ‘service account’  to run the enrolment service, you need to be an admin to install the services but this account does not need to be. (It does need to be in the LOCAL IIS_USERS group on your CES/CEP server(s)). Below you will see I’ve named my user svc_ca.

You need to already have a PKI/CA setup. You can split the CES ‘Web Service’ and CEP ‘Policy Web Service’ across different hosts if you want, but for this example I’m simply putting both roles on the same server.

Then you need to run the post deployment configuration.

Again I’m configuring both roles at the same time.

I’ve only got one, but choose the CA server on which to house the CES role.

As I mentioned above, I’m using Windows authentication, if you are deploying certs to a DMZ, yours may be better set to username/password.

Specify your service account, you created earlier.

Again choose your authentication method.

Now you need to create a ‘Service Principle Name’ SPN for your service account, that’s tied to your Certificate Enrolment Web Services server. Open an Administrative Command Window on the CES server and issue the following command;

[box]setspn -s http:/{FQDN-OF-Server} {Domain-Name}\{User-Name}[/box]

Now your user has an SPN, they will get another ‘Tab’ on their user object, called ‘Delegation‘ Add in the CES server for the following service types.

  • HOST
  • rpcss

On your certificate enrolment policy server, open the Internet Information Servers (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos > Application Settings.

Locate the Friendly Name section > Locate the ‘Value‘ > Change its last hexadecimal character (0 to 9 or A to F) from what it is currently > OK.

Open an Administrative Command Window > Issue an IISRESET command.

Setup Enrolment Policies

To actually use the CES/CEP service your client needs to know where it is, there are TWO methods of letting them know, you can either use the certificate snap-in, or use a ‘Local Group Policy’ on the target machines.

Managing Enrolment Policies With Certificates Snap-In

Windows Key+R > MMC {Enter} > File > Add/Remove Snap-In > Certificates > Local Computer > When the console opens > Action > All Tasks > Advanced Operations > Manage Enrolment Policies.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Note: To access via https, you may need to manually add a Web Server certificate for the URL/Common name of the CEP server. See the following article;

IIS: How to Create a Certificate Request

Validate Server > Add-

Managing Enrolment Policies With Certificates Local Group Policy

Windows Key+R > gpedit.msc {Enter} > Computer Configuration > Windows Settings > Security Settings > Public-Key Policies > Certificate Services Client – Certificate Enrolment Policy.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Validate Server > Add.

If you already have an Active Directory Enrolment Policy listed, make sure it’s NOT selected, and your newly created CES policy is set as default > Apply.

Enrol Or Renew Certificates From CES

Now if you attempt to enrol for a certificate, your machine will use the CES policy.

 

Related Articles, References, Credits, or External Links

URI Was Validated Successfully But there Was No Friendly Name Returned

Certificate Enrolment – URI This ID conflicts with an Existing ID

Event ID 6 and 13

KB ID 0000473 

Problem

Event ID 6

Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

Description:

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

 

Event ID 13

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll

Description:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from {hostname}{name of CA}(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

 

Solution

Note: The pertinent information in the Event ID 13 above is 0x800706ba there are Other causes of this Event ID make sure yours is the same.

In my case I had an Exchange server that was using a certificate that had been “self signed”. And the Root CA that signed the certificate had been ungracefully removed from the domain. Take a note of the Root CA name from the Event ID error shown arrowed).

1. Launch Active Directory Sites and Services” > Select the top level object > View > Show Services Node.

2. Expand Services > Public Key Services > AIA > Delete the “Problem CA”.

3. Then select “Enrollment Services” > Delete the “Problem CA”.

If you have a New CA (in this example you would have seen it in step 2), then DO NOT perform the next two steps!!!

4. Providing you DONT have a CA now, select “Certificate Templates” and delete them all.

5. Providing you DONT have a CA now, select “Public Key Services” and delete the NTAuthCertificates item.

6. To tidy up, (On the server logging the error) run the following command:

[box] certutil -dcinfo deleteBad [/box]

7. Finally on the server logging the error run the following command to update the policies:

[box] gpupdate /force [/box]

Related Articles, References, Credits, or External Links

NA