Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA).

For security reasons, it can make sense to run the CEP under a Group Managed Service Account (gMSA) instead of a normal domain user account. The advantage of a gMSA is that its password is rotated automatically by Active Directory, so this step no longer has to be performed manually, which is unfortunately forgotten far too often.

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) allow certificates to be requested and renewed automatically from a certification authority via a web-based (HTTPS) interface. This removes the need for clients to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

If CEP was installed following the instructions in the article "Installing a Certificate Enrollment Policy Web Service (CEP)", the service runs under the identity of its application pool after installation.

If CEP and CES are installed on the same server and a service account with delegation is used, the CEP and CES application pools must run under the same account.

Requirements for the CEP service account

The CEP service account...

  • must be a member of the IIS_IUSRS local group.
  • requires a Service Principal Name (SPN) that matches the fully qualified server name or, depending on the configuration, the DNS alias under which the service is reached.

Creating the gMSA for the Certificate Enrollment Policy Web Service

The gMSA for CEP can be created with the following PowerShell command, provided that a KDS root key has already been created in the Active Directory forest:

New-ADServiceAccount `
    -Name gMSA_CEP `
    -PrincipalsAllowedToRetrieveManagedPassword CEP01$ `
    -DNSHostName gMSA_CEP.intra.adcslabor.com

The arguments given here mean the following:

  • The Name argument specifies the name of the gMSA.
  • The PrincipalsAllowedToRetrieveManagedPassword argument specifies the computer account (here CEP01$) that is allowed to retrieve the managed password of the service account.
  • The DNSHostName argument specifies the contents of the account's dNSHostName attribute, since a gMSA technically functions like a computer account.

Configure the Service Principal Name (SPN) for the gMSA.

The following command registers the Service Principal Name (SPN) for the gMSA; the -S switch refuses to add the SPN if it is already registered on another account in the domain:

setspn -S HTTP/cep01.intra.adcslabor.de INTRA\gMSA_CEP$
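The same two steps as one script, as an added example that is not part of the original article: it checks for the KDS root key first, creates the gMSA only if it does not exist yet, adds the SPN via the ActiveDirectory module, and verifies that the SPN is registered on exactly one object. The domain intra.adcslabor.de with NetBIOS name INTRA, the server name CEP01 and the account name gMSA_CEP are assumptions taken over from the article; the AES-only Kerberos encryption types are an added hardening choice.

```powershell
# Added example (not from the original article). Run from a domain-joined
# admin workstation with the ActiveDirectory and Kds modules available.
# Assumptions: domain intra.adcslabor.de (INTRA), CEP server CEP01, gMSA gMSA_CEP.
Import-Module ActiveDirectory

$GmsaName  = 'gMSA_CEP'
$DomainDns = 'intra.adcslabor.de'
$CepHost   = 'cep01'                     # use the DNS alias here if CEP is published under one
$Spn       = "HTTP/$CepHost.$DomainDns"

# A gMSA cannot be created before the forest has a KDS root key.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey and wait for replication first.'
}

# Create the account once; the CEP server's computer account is the only principal
# allowed to retrieve the managed password. AES-only is an added hardening choice.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount `
        -Name $GmsaName `
        -DNSHostName "$GmsaName.$DomainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer -Identity 'CEP01') `
        -KerberosEncryptionType AES128,AES256
}

# Register the HTTP SPN for the name that clients will use in the enrollment policy URL.
$Account = Get-ADServiceAccount -Identity $GmsaName -Properties ServicePrincipalNames
if ($Account.ServicePrincipalNames -notcontains $Spn) {
    Set-ADServiceAccount -Identity $GmsaName -ServicePrincipalNames @{ Add = $Spn }
}

# Verify: a duplicate SPN silently breaks Kerberos authentication to CEP, so the SPN
# must be registered on exactly one object in the domain.
$Holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")
if ($Holders.Count -ne 1) {
    throw "SPN $Spn is registered on $($Holders.Count) objects; it must be unique."
}
"SPN $Spn is registered on $($Holders[0].DistinguishedName)"
```

If CEP is reached under a DNS alias, register the SPN for the alias instead of (or in addition to) the host name; the check at the end should be repeated for every SPN registered.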

Installing the gMSA on the CEP Server

First, the Active Directory management tools for PowerShell must be installed on the CEP server.

Add-WindowsFeature RSAT-AD-PowerShell 

After that, the service account can be installed on the server with the following PowerShell command.

Install-ADServiceAccount gMSA_CEP

The command returns nothing if it was successful.

Whether the installation really succeeded can be checked with the following PowerShell command.

Test-ADServiceAccount gMSA_CEP

This command returns True if the gMSA has been installed successfully and the server is able to retrieve its managed password.

Include gMSA in the IIS_IUSRS group on the CEP server.

The installed gMSA must now be added to the local security group IIS_IUSRS so that IIS can use it for the CEP application pool. This can be done with the Local Users and Groups management console (lusrmgr.msc).

Configuring the gMSA in the CEP application pool

For the CEP service to run under the installed gMSA, the gMSA must be configured as the identity of the WSEnrollmentPolicyServer application pool in the Internet Information Services (IIS) Manager console. To do this, right-click the WSEnrollmentPolicyServer application pool and select "Advanced Settings...".

In the "Identity" option, click the "..." button on the right-hand side.

In the following dialog, select "Custom account" and click on "Set...".

When specifying the identity in the following dialog, some special features have to be considered:

  • It is mandatory to specify the domain name.
  • Since a gMSA works similarly to a computer account, a dollar sign must be appended to the account name (for example INTRA\gMSA_CEP$).
  • With a gMSA, no password is specified, so the two fields must remain empty.

Restarting the Web Server service

The Web Server service is then restarted with the iisreset command.
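The server-side steps (installing the gMSA, the Test-ADServiceAccount check, the IIS_IUSRS membership, the application pool identity and the restart) as one script, added here as an example and not part of the original article. It assumes it is run elevated on CEP01 after the gMSA and its SPN exist, and that the account is INTRA\gMSA_CEP$ and the application pool is WSEnrollmentPolicyServer as in the article; the empty password string is exactly what the IIS dialog requires for a gMSA.

```powershell
# Added example (not from the original article). Run elevated on the CEP server.
# Assumptions: gMSA INTRA\gMSA_CEP$, application pool WSEnrollmentPolicyServer.
$GmsaName    = 'gMSA_CEP'
$GmsaAccount = "INTRA\$GmsaName`$"       # domain-qualified, with trailing $ as IIS expects
$PoolName    = 'WSEnrollmentPolicyServer'

# AD PowerShell tools are needed for Install-ADServiceAccount / Test-ADServiceAccount.
Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

# Install the gMSA and make sure this host can actually retrieve the managed password.
# Install-ADServiceAccount returns nothing on success, so the Test-* call is the real check.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "$GmsaName cannot be used on this host. Check PrincipalsAllowedToRetrieveManagedPassword on the gMSA."
}

# Local IIS_IUSRS membership (the lusrmgr.msc step); ignore 'already a member'.
try {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $GmsaAccount -ErrorAction Stop
} catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    # already a member, nothing to do
}

# Application pool identity: custom account, domain\name$ and an empty password.
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $GmsaAccount
    password     = ''
}

# Restart the web server so the pool picks up the new identity, then verify.
iisreset | Out-Null
$Model = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
if ($Model.identityType -ne 'SpecificUser' -or $Model.userName -ne $GmsaAccount) {
    throw "Application pool $PoolName is not running as $GmsaAccount."
}
"$PoolName now runs as $($Model.userName) (identityType=$($Model.identityType))"
```

If CEP and CES share the server with delegation configured, repeat the Set-ItemProperty call for the WSEnrollmentServer pool with the same account, as the article requires both pools to use the same identity in that case.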
