Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CAWE with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.

If the CAWE was installed according to the instructions in the article "Installing Certification Authority Web Enrollment (CAWE)" is installed, the service runs with the identity of the application pool after installation.

Prerequisites for the gMSA for the CAWE.

The gMSA for the CAWE...

• must be a member of the IIS_IUSRS local group.
• requires a Service Principal Name (SPN), which must correspond to the fully qualified server name or the alias to be used, depending on the configuration.
• requires Kerberos delegation to the certificate authority.

Parameters for the following instructions

The following instructions are based on the following parameters, which must be adapted to your own environment.

• The gMSA has the name gMSA_CAWE.
• The CAWE server has the name CAWE01.intra.adcslabor.com.
• The connected certificate authority runs on the server CA03.intra.adcslabor.com.
• The alias is getcerts.adcslabor.comwhich has been registered accordingly in advance in the Doain Name System (DNS).
• For the gMSA_CAWE becomes a Limited delegation with protocol transition configured to support other login methods besides Kerberos.

Creating the gMSA for Certificate Authority Web Enrollment

The gMSA for CEP can be created with the following PowerShell command, provided that a KDS root key is created in the Active Directory forest was:

New-ADServiceAccount -Name gMSA_CAWE -PrincipalsAllowedToRetrieveManagedPassword CAWE01$ -DNSHostName gMSA_CAWE.intra.adcslabor.de

The arguments given here mean the following:

• The Name argument specifies the name of the gMSA.
• The PrincipalsAllowedToRetrieveManagedPassword specifies the server which is allowed to retrieve the service account password.
• The DNSHostName argument specifies the contents of the account's dNSHostName attribute, since a gMSA technically functions like a computer account.

Configure the Service Principal Name (SPN) for the gMSA.

The following command creates the service principal name (SPN) for the gMSA.

setspn -S HTTP/getcerts.adcslabor.com INTRA\gMSA_CAWE$

Configuring the delegation settings for the gMSA

Unfortunately, for Group managed service accounts it is not possible to configure the delegation settings via graphical interface. The configuration must be done via Windows PowerShell.

The following settings are made:

• Limited delegation to the Certification Authority CA03.intra.adcslabor.com with Protocol transition (Protocol Transition, option "Use any authentication protocol") for the protocols "HOST" and "rpcss". The protocol transition is required so that other authentication methods besides Kerberos can be used, for example if you want to authenticate to the CAWE from a non-Windows system or a Windows system outside the Active Directory forest.

First, an array is created from the delegation targets and services.

$AllowedToDelegateTo = @(
 "rpcss/CA03",
 "rpcss/CA03.intra.adcslabor.com",
 "HOST/CA03",
 "HOST/CA03.intra.adcslabor.com"
)

Then, the delegation goals are applied to the gMSA.

Get-ADServiceAccount -Identity gMSA_CAWE | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"=$AllowedToDelegateTo}

In addition, the option "Account is sensitive and cannot be delegated" must be deactivated.

Get-ADServiceAccount -Identity gMSA_CAWE | Set-ADServiceAccount -AccountNotDelegated $False

Lastly, the following command changes the delegation settings for the gMSA from "Use Kerberos only" to "Use any authentication protocol".

Get-ADServiceAccount -Identity gMSA_CAWE | Set-ADAccountControl -TrustedToAuthForDelegation $True 

Installing the gMSA on the CAWE Server

First, the Active Directory management tools for PowerShell must be installed on the CAWE server.

Add-WindowsFeature RSAT-AD-PowerShell  

After that, the service account can be installed on the server with the following PowerShell command.

Install-ADServiceAccount gMSA_CAWE

The command returns nothing if it was successful.

You can check if this is really the case with the following command line command.

Test-ADServiceAccount gMSA_CAWE

This command returns True back when the gMSA has been successfully installed.

Add gMSA to the IIS_IUSRS group on the CAWE server.

The configured gMSA must now be added to the local security group IIS_IUSRS so that it can be used by CAWE. This can be done via the management console for local users (lusrmgr.msc).

Configuring the gMSA in the CAWE application pool

For the CAWE service to work with the installed gMSA, it must be installed in the DefaultAppPool-application pool can be configured in the Internet Information Server (IIS) management console. To do this, right-click on the DefaultAppPool application pool and select the "Advanced Settings..." option.

In the "Identity" option, click on the "..." button on the right side. button.

In the following dialog, select "Custom account" and click on "Set...".

When specifying the identity in the following dialog, some special features have to be considered:

• It is mandatory to specify the domain name.
• Since a gMSA works similarly to a computer account, a dollar sign must be specified at the end of the account noun.
• With a gMSA, no password is specified, so the two fields must remain empty.

Restarting the Web Server service

The Web Server service is then restarted with the iisreset command.

Related links:

• Installing Certification Authority Web Enrollment (CAWE)
• Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.
• Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).

External sources

• How to configure Kerberos Constrained Delegation (S4U2Proxy or Kerberos Only) on a custom service account for Web Enrollment proxy pages (Microsoft)
• How to configure the Windows Server 2008 CA Web Enrollment Proxy (Microsoft, archive.org)
• Highly Available Microsoft CA Web Enrollment Servers using DNS (Mike's Mishaps in IT)