Install and Configure Certificate Enrolment Policy Web Service

KB ID 0001250

Problem

A client had moved a domain joined server into their DMZ, and while they had opened the correct ports for Domain Authentication on their firewall, no one had considered the certificates on the server which had expired, and could not be renewed. 

Some research, pointed me towards Certificate Enrolment Web Service. Its job is to let clients enrol and renew certificates, from either non domain joined machines, or machines that cannot contact your PKI environment. This was just what I needed, I just need to test the concept. So I built a domain, setup a CA, and a DMZ (with the same firewall as my client, a Cisco ASA). Then moved a domain client into the DMZ, domain authentication as setup as follows;

Cisco ASA – Allowing Domain Trusts, and Authentication

 

Solution

Before starting I would suggest creating a ‘service account’  to run the enrolment service, you need to be an admin to install the services but this account does not need to be. (It does need to be in the LOCAL IIS_USERS group on your CES/CEP server(s)). Below you will see I’ve named my user svc_ca.

You need to already have a PKI/CA setup. You can split the CES ‘Web Service’ and CEP ‘Policy Web Service’ across different hosts if you want, but for this example I’m simply putting both roles on the same server.

Then you need to run the post deployment configuration.

Again I’m configuring both roles at the same time.

I’ve only got one, but choose the CA server on which to house the CES role.

As I mentioned above, I’m using Windows authentication, if you are deploying certs to a DMZ, yours may be better set to username/password.

Specify your service account, you created earlier.

Again choose your authentication method.

Now you need to create a ‘Service Principle Name’ SPN for your service account, that’s tied to your Certificate Enrolment Web Services server. Open an Administrative Command Window on the CES server and issue the following command;

[box]setspn -s http:/{FQDN-OF-Server} {Domain-Name}\{User-Name}[/box]

Now your user has an SPN, they will get another ‘Tab’ on their user object, called ‘Delegation‘ Add in the CES server for the following service types.

  • HOST
  • rpcss

On your certificate enrolment policy server, open the Internet Information Servers (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos > Application Settings.

Locate the Friendly Name section > Locate the ‘Value‘ > Change its last hexadecimal character (0 to 9 or A to F) from what it is currently > OK.

Open an Administrative Command Window > Issue an IISRESET command.

Setup Enrolment Policies

To actually use the CES/CEP service your client needs to know where it is, there are TWO methods of letting them know, you can either use the certificate snap-in, or use a ‘Local Group Policy’ on the target machines.

Managing Enrolment Policies With Certificates Snap-In

Windows Key+R > MMC {Enter} > File > Add/Remove Snap-In > Certificates > Local Computer > When the console opens > Action > All Tasks > Advanced Operations > Manage Enrolment Policies.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Note: To access via https, you may need to manually add a Web Server certificate for the URL/Common name of the CEP server. See the following article;

IIS: How to Create a Certificate Request

Validate Server > Add-

Managing Enrolment Policies With Certificates Local Group Policy

Windows Key+R > gpedit.msc {Enter} > Computer Configuration > Windows Settings > Security Settings > Public-Key Policies > Certificate Services Client – Certificate Enrolment Policy.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Validate Server > Add.

If you already have an Active Directory Enrolment Policy listed, make sure it’s NOT selected, and your newly created CES policy is set as default > Apply.

Enrol Or Renew Certificates From CES

Now if you attempt to enrol for a certificate, your machine will use the CES policy.

 

Related Articles, References, Credits, or External Links

URI Was Validated Successfully But there Was No Friendly Name Returned

Certificate Enrolment – URI This ID conflicts with an Existing ID

15 thoughts on “Install and Configure Certificate Enrolment Policy Web Service

  1. Your screen shot where you go into Application Settings and find the “Friendly Name”, the verbiage does not match the screen shot. I learned this because you really need to access the ID and change the GUID by a couple characters or you get an error similar to: “The URI entered above has ID: “{GUID}”. This ID conflicts with an existing ID.” The remedy is to change the ID of the Application in IIS per the screen shot but not per the copy above it.

      • Hi Pete;

        I still see confusing information about the friendly name setting and the application GUID. BTW, I have learned you need to change the GUID for CEP/CES because it will default to the same GUID used by the default AD certificate enrollment policy.

      • I have an issue at this point where there is no ID listed just URI and CAConfig.
        Also it doesnt say Friendly name just Name. Thanks!!

  2. This document does not mention that an SSL certificate is required before you configure CEP, or you’re into the Bindings of IIS in general to select the SSL certificate you run out and get right after that section.

  3. Hey Pete;

    One more thing for ya, and this could be a little piece of gold – If you use WS2016 as a CA and also want to use CEP/CES, CEP cannot handle a template with a CA compatibility above WS2012R2.

    Learned this the really hard way.

  4. Pete, on your step where you set the SPN, your instructions omit the colon (:), however your screenshot includes the colon.

    “setspn -s http/{FQDN-OF-Server} {Domain-Name}\{User-Name}”

  5. From other MSFT Articles, this is a great post but has both services running on same node.. should CEP be separated as this indicates?

    “If both CES and CEP are using Kerberos (Integrating authentication), then they cannot be installed on the same server, as simply there will be SPN collision (both using same IIS application pool, and same protocol). That is why we recommend installing them on separate machines.”

Leave a Reply

Your email address will not be published. Required fields are marked *