Install and Configure Certificate Enrolment Policy Web Service

KB ID 0001250

Problem

A client had moved a domain joined server into their DMZ, and while they had opened the correct ports for Domain Authentication on their firewall, no one had considered the certificates on the server, which had expired and could not be renewed.

Some research pointed me towards the Certificate Enrolment Web Service. Its job is to let clients enrol for and renew certificates, from either non domain joined machines, or machines that cannot contact your PKI environment. This was just what I needed; I just needed to test the concept. So I built a domain, set up a CA, and a DMZ (with the same firewall as my client, a Cisco ASA). Then I moved a domain client into the DMZ; domain authentication was set up as follows;

Cisco ASA – Allowing Domain Trusts, and Authentication

 

Solution

Before starting I would suggest creating a ‘service account’ to run the enrolment service. You need to be an admin to install the services, but this account does not need to be. (It does need to be in the LOCAL IIS_IUSRS group on your CES/CEP server(s).) Below you will see I’ve named my user svc_ca.

You need to already have a PKI/CA set up. You can split the CES ‘Web Service’ and CEP ‘Policy Web Service’ across different hosts if you want, but for this example I’m simply putting both roles on the same server.

Adding CEP and CES Roles

Then you need to run the post deployment configuration.

Configure role

Again I’m configuring both roles at the same time.

Configure CA Role

I’ve only got one, but choose the CA server on which to house the CES role.

Select CA

I’m using Windows authentication here; if you are deploying certs to a DMZ, yours may be better set to username/password.

CES Authentication Type

Specify the service account you created earlier.

CES Service Account

Again choose your authentication method.

CEP Authentication Type

Now you need to create a ‘Service Principal Name’ (SPN) for your service account that’s tied to your Certificate Enrolment Web Services server. Open an Administrative Command Window on the CES server and issue the following command;

setspn -s http/{FQDN-OF-Server} {Domain-Name}\{User-Name}

SetSPN for User

Now that your user has an SPN, there will be another ‘Tab’ on their user object, called ‘Delegation’. Add in the CES server for the following service types;

  • HOST
  • rpcss

User Delegation
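The SPN and Delegation steps above are easy to get subtly wrong (a duplicate SPN, or delegation left far wider than the role needs), and neither mistake produces an obvious error in the wizard. The following PowerShell is an added example, not part of the original article, that checks the three things those steps depend on: that exactly one account holds the `http/` SPN, that the service account’s constrained delegation covers `HOST` and `rpcss` on the CES server and nothing more, and that the account is in the local IIS_IUSRS group. It assumes the RSAT ActiveDirectory module is installed, the account name svc_ca from the article, and a placeholder FQDN of ces.example.local; step 3 must be run on the CES/CEP server itself.

```powershell
# Added example, not from the original article. Run as a domain admin with the RSAT
# ActiveDirectory module available; step 3 is run on the CES/CEP server itself.
# Placeholder values (assumptions): svc_ca and ces.example.local.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_ca'
$CesFqdn        = 'ces.example.local'
$Spn            = "http/$CesFqdn"

# 1. An SPN must map to exactly one account. A duplicate (for example one left over
#    from an earlier attempt on another account) breaks Kerberos for CES without a
#    clear error, so search the domain first. setspn -S refuses to add a duplicate.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { "SPN $Spn not yet registered; adding it to $ServiceAccount"
              setspn -S $Spn "$env:USERDOMAIN\$ServiceAccount" }
    1       { "SPN $Spn is held by: $($holders[0].DistinguishedName)" }
    default { Write-Warning "SPN $Spn is duplicated on: $($holders.DistinguishedName -join '; ')" }
}

# 2. The Delegation tab writes msDS-AllowedToDelegateTo on the user (constrained
#    delegation). CES needs HOST and rpcss on the CES server; unconstrained delegation
#    (TrustedForDelegation) or extra target services is broader than this role needs.
$user    = Get-ADUser -Identity $ServiceAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
$allowed = @($user.'msDS-AllowedToDelegateTo')
foreach ($svc in "HOST/$CesFqdn", "rpcss/$CesFqdn") {
    $state = if ($allowed -contains $svc) { 'OK     ' } else { 'MISSING' }
    "$state delegation to $svc"
}
if ($user.TrustedForDelegation) {
    Write-Warning "$ServiceAccount is trusted for unconstrained delegation; use 'specified services only'"
}
# The tab stores both the short and the fully qualified name; anything else is unexpected.
$short = $CesFqdn.Split('.')[0]
$extra = $allowed | Where-Object { $_ -notmatch "^[^/]+/($([regex]::Escape($CesFqdn))|$([regex]::Escape($short)))$" }
if ($extra) { Write-Warning "Delegation is also allowed to: $($extra -join ', ')" }

# 3. On the CES/CEP server: the service account must be in the local IIS_IUSRS group.
$inIisGroup = Get-LocalGroupMember -Group 'IIS_IUSRS' | Where-Object { $_.Name -like "*\$ServiceAccount" }
if ($inIisGroup) { "OK      $ServiceAccount is in local IIS_IUSRS" }
else             { "MISSING $ServiceAccount is not in local IIS_IUSRS" }
```

Run it before and after the wizard; a “duplicated” warning from step 1 is worth resolving before going any further, because both accounts holding the SPN will fail Kerberos authentication to CES.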

On your certificate enrolment policy server, open the Internet Information Services (IIS) Manager console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos > Application Settings.

Fix1

Locate the Friendly Name setting > locate its ‘Value’ > change its last hexadecimal character (0 to 9 or A to F) from what it is currently > OK.

Fix2

Open an Administrative Command Window > Issue an IISRESET command.

Restart IIS
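The same change can be made, and first previewed, from PowerShell rather than by clicking through IIS Manager. The script below is an added example, not from the original article. It reads the CEP application’s settings from its web.config (IIS Manager’s “Application Settings” view is that file’s appSettings section), applies the article’s “change the last hexadecimal character” rule to one of them, and runs the IISRESET only when `-Apply` is given. Assumptions: the WebAdministration module is present, the application sits at the default path under Default Web Site, and the setting to change is the `ID` value (the GUID the “ID conflicts with an existing ID” error refers to), selectable with `-Key` if you want FriendlyName instead.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the
# CEP server. Assumes the WebAdministration module and the default application path.
Import-Module WebAdministration

$AppPath = 'IIS:\Sites\Default Web Site\ADPolicyProvider_CEP_Kerberos'

function Get-CepAppSetting {
    # Reads one <add key="..." value="..."/> entry from the application's appSettings.
    param([Parameter(Mandatory)][string]$Key)
    $p = Get-WebConfigurationProperty -PSPath $AppPath -Filter "appSettings/add[@key='$Key']" -Name value
    if ($p -is [string]) { $p } else { $p.Value }
}

function Step-LastHexDigit {
    # The article's manual step: change the final hex digit (F wraps round to 0).
    # Handles values with or without a trailing '}' so a braced GUID stays well formed.
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -notmatch '^(?<head>.*)(?<digit>[0-9A-Fa-f])(?<tail>\}?)$') {
        throw "'$Value' does not end in a hexadecimal digit"
    }
    $next = ([Convert]::ToInt32($Matches.digit, 16) + 1) % 16
    return $Matches.head + $next.ToString('X') + $Matches.tail
}

function Update-CepSetting {
    # Report-only unless -Apply is given. Key defaults to ID (assumption, see lead-in).
    param([string]$Key = 'ID', [switch]$Apply)

    foreach ($k in 'FriendlyName', 'ID') { "{0,-12} = {1}" -f $k, (Get-CepAppSetting $k) }

    $current = Get-CepAppSetting $Key
    $new     = Step-LastHexDigit $current
    "Proposed $Key change: $current -> $new"

    if ($Apply) {
        Set-WebConfigurationProperty -PSPath $AppPath -Filter "appSettings/add[@key='$Key']" -Name value -Value $new
        iisreset | Out-Null          # the restart the article performs; the new value is served after this
        "Applied; $Key is now $(Get-CepAppSetting $Key)"
    }
}

Update-CepSetting            # dry run: shows current values and the proposed change
# Update-CepSetting -Apply   # write the change and restart IIS
```

Doing it this way leaves the previous value in the console output, which is handy if the client later reports a conflict and you need to know what the ID used to be.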

Setup Enrolment Policies

To actually use the CES/CEP service your client needs to know where it is. There are TWO methods of telling it: you can either use the Certificates snap-in, or use a ‘Local Group Policy’ on the target machines.

Managing Enrolment Policies With Certificates Snap-In

Windows Key+R > MMC {Enter} > File > Add/Remove Snap-In > Certificates > Local Computer > When the console opens > Action > All Tasks > Advanced Operations > Manage Enrolment Policies.

Manage Enrollment Policies

Add > Enter the URI of the CEP Server;

https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

Note: To access via https, you may need to manually add a Web Server certificate for the URL/Common name of the CEP server. See the following article;

IIS: How to Create a Certificate Request

Validate Server > Add.

Enrollment Policy Certificate Snap-in

Managing Enrolment Policies With Local Group Policy

Windows Key+R > gpedit.msc {Enter} > Computer Configuration > Windows Settings > Security Settings > Public-Key Policies > Certificate Services Client – Certificate Enrolment Policy.

Enrollment Policy Local Group Policy

Add > Enter the URI of the CEP Server;

https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

Validate Server > Add.

Configure URI for CES with Group Policy

If you already have an Active Directory Enrolment Policy listed, make sure it’s NOT selected, and your newly created CES policy is set as default > Apply.

GPO for CES Enrollment

Enrol Or Renew Certificates From CES

Now, if you attempt to enrol for a certificate, your machine will use the CES policy.

CES CEP Policy Configured Automatically
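On the client, the same outcome can be checked and driven from PowerShell instead of the Certificates snap-in, which is useful on a DMZ host where you want a repeatable test. The script below is an added example, not part of the original article: it lists the enrolment policy servers the machine has configured, checks the CEP server’s HTTPS certificate the way the enrolment client will (trusted chain and a name that matches the URL, which is the point of the Web Server certificate note above), and then enrols through CES with `Get-Certificate -Url`. The FQDN and the template name are placeholders.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the
# client after the CEP policy has been added. Placeholder values: the FQDN and template.
$CepUri   = [uri]'https://ces.example.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'
$Template = 'WebServer'   # a template published on the CA behind CES

# 1. Which enrolment policy servers does this machine know, and is the CES one default?
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List *

# 2. Validate the CEP server's TLS certificate exactly as the enrolment client will:
#    chain must be trusted by this machine and the name must match the URL host.
function Test-CepTlsCertificate {
    param([Parameter(Mandatory)][uri]$Uri)
    $tcp = New-Object System.Net.Sockets.TcpClient($Uri.Host, $Uri.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Uri.Host)     # throws if chain or hostname validation fails
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Trusted = $true; Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    }
    catch {
        [pscustomobject]@{ Trusted = $false; Error = $_.Exception.Message }
    }
    finally { $tcp.Close() }
}
$tls = Test-CepTlsCertificate -Uri $CepUri
$tls
if (-not $tls.Trusted) {
    Write-Warning 'Fix the Web Server certificate on the CEP server before enrolling; the client will refuse this endpoint.'
    return
}

# 3. Enrol through CES rather than by RPC/DCOM to the CA, which is what a DMZ host
#    cannot do. No -Credential means Windows (Kerberos) authentication, matching the
#    authentication type chosen in the wizard; add -Credential for username/password.
$result = Get-Certificate -Template $Template -Url $CepUri -CertStoreLocation Cert:\LocalMachine\My
"Enrolment status: $($result.Status)"     # Issued, or Pending if the template needs approval
if ($result.Certificate) {
    $result.Certificate | Format-List Subject, Thumbprint, NotBefore, NotAfter
}
```

If step 2 reports `Trusted = $false` with a name mismatch, the certificate on the CEP site was issued for a different name than the one in the URI; if the chain is untrusted, the issuing CA’s certificate is missing from this machine’s trusted roots, which is the usual state of a freshly moved DMZ host.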

 

Related Articles, References, Credits, or External Links

URI Was Validated Successfully But there Was No Friendly Name Returned

Certificate Enrolment – URI This ID conflicts with an Existing ID

Author: PeteLong


14 Comments

  1. After the line “Open an Administrative Command Window > Issue an IISRESET command.” Is that the correct screenshot?

    • Good Spot – No it wasn’t, Fixed. ThanQ

  2. Your screen shot where you go into Application Settings and find the “Friendly Name”, the verbiage does not match the screen shot. I learned this because you really need to access the ID and change the GUID by a couple characters or you get an error similar to: “The URI entered above has ID: “{GUID}”. This ID conflicts with an existing ID.” The remedy is to change the ID of the Application in IIS per the screen shot but not per the copy above it.

    • Updated – Thanks for the feedback, sorry if it caused you some Grief!

      P

      • Hi Pete;

        I still see confusing information about the friendly name setting and the application GUID. BTW, I have learned you need to change the GUID for CEP/CES because it will default to the same GUID used by the default AD certificate enrollment policy.

  3. This document does not mention that an SSL certificate is required before you configure CEP, or you’re into the Bindings of IIS in general to select the SSL certificate you run out and get right after that section.

  4. Hey Pete;

    One more thing for ya, and this could be a little piece of gold – If you use WS2016 as a CA and also want to use CEP/CES, CEP cannot handle a template with a CA compatibility above WS2012R2.

    Learned this the really hard way.

  5. Pete, on your step where you set the SPN, your instructions omit the colon (:), however your screenshot includes the colon.

    “setspn -s http/{FQDN-OF-Server} {Domain-Name}\{User-Name}”

  6. From other MSFT Articles, this is a great post but has both services running on same node.. should CEP be separated as this indicates?

    “If both CES and CEP are using Kerberos (Integrating authentication), then they cannot be installed on the same server, as simply there will be SPN collision (both using same IIS application pool, and same protocol). That is why we recommend installing them on separate machines.”

    • I had no problems, but I’ll throw it open for comment 🙂

      P

