Configure the Certificate Enrollment Policy Web Service (CEP) to work with a domain account.

The following describes how to set up a Certificate Enrollment Policy Web Service (CEP) so that the service runs under a domain account.

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

Operation with a domain account can only be considered secure if the account has a complex password and this password is changed at regular intervals. If the environment allows it, preference should always be given to a Group Managed Service Account (gMSA) or, if the server is dedicated to this role, to the built-in application pool identity.

If CEP was installed according to the following instructions, the service runs under the identity of the application pool after installation.

If CEP and CES are installed on the same server and a service account with delegation is used, the CEP and CES application pools must be run under the same account.

Requirements for the CEP service account

The CEP service account...

  • must be a member of the IIS_IUSRS local group.
  • requires a Service Principal Name (SPN), which, depending on the configuration, must correspond to the fully qualified server name or to the alias that is to be used.

Configuring the Service Principal Name (SPN) for the service account.

setspn -S HTTP/cep01.intra.adcslabor.de INTRA\Service_CEP

Add service account to IIS_IUSRS group on CEP server

The service account must be a member of the IIS_IUSRS local security group so that the CEP can use it. This can be done via the Local Users and Groups management console (lusrmgr.msc).

Configuring the service account in the CEP application pool

For the CEP service to work with the domain account, the account must be configured on the WSEnrollmentPolicyServer application pool in the Internet Information Services (IIS) management console. To do this, right-click on the WSEnrollmentPolicyServer application pool and select the "Advanced Settings..." option.

In the "Identity" option, click on the "..." button on the right-hand side.

In the following dialog, select "Custom account" and click on "Set...".

Now the domain account can be specified. The account must be entered together with its domain name. If the password is entered incorrectly, an error message appears when you click on "OK".

Restarting the Web Server service

The Web Server service is then restarted with the iisreset command.
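The four steps above (SPN, IIS_IUSRS membership, application pool identity, restart) as one PowerShell script with a verification step at the end. This is an added example and not taken from the original article; it assumes an elevated Windows PowerShell session on the CEP server, the names used in the article (INTRA\Service_CEP, cep01.intra.adcslabor.de, WSEnrollmentPolicyServer) and the WebAdministration module that ships with IIS.

```powershell
# Added example (not the article's own code). Assumed values: service account,
# server name and application pool name as used in the article above.
# Run in an elevated Windows PowerShell session on the CEP server.
$Account  = 'INTRA\Service_CEP'
$Spn      = 'HTTP/cep01.intra.adcslabor.de'
$PoolName = 'WSEnrollmentPolicyServer'

# 1. Service Principal Name. setspn -S checks the forest for duplicates before
#    adding; a duplicate SPN would break Kerberos authentication against the CEP,
#    so stop here if the registration fails.
setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "SPN $Spn could not be registered for $Account" }
setspn -L $Account   # list the SPNs now registered for the account

# 2. Local group membership: IIS requires the account in IIS_IUSRS.
if (-not (Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $Account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $Account
}

# 3. Application pool identity. Prompt for the password instead of hard-coding
#    it; IIS stores it encrypted in applicationHost.config.
$cred = Get-Credential -UserName $Account -Message 'Password of the CEP service account'
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 4. Restart the web server and verify that the pool really runs as the account.
iisreset
$pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $Account) {
    throw "Application pool $PoolName is not configured to run as $Account"
}
Write-Host "Application pool $PoolName now runs as $($pm.userName)"
```

If CEP and CES share the server and delegation is used, run step 3 with the same account for the CES application pool as well, as stated above.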
