Service Principal Name (SPN)

Configuring the Network Device Enrollment Service (NDES) for use with an alias.

The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.

The term alias means that the service is not called with the name of the server on which it is installed, but with a generic name independent of this name. The use of an alias allows the service to be moved to another system at a later time without having to inform all participants of the new address.

Configure the Certificate Enrollment Web Service (CES) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.

The following describes how to set up Certificate Authority Web Enrollment (CAWE) so that the service runs under a domain account.

Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CAWE with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED".

Assume the following scenario:

A user requests a certificate.
An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
The connection to the CEP fails and the user receives the following error message:

Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a domain account.

The following describes how to set up a Certificate Enrollment Policy Web Service (CEP) that the service runs under a domain account.

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CEP with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

When calling the Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin), one is always prompted to log in.

Assume the following scenario:

An NDES server is configured on the network.
The NDES server is called under a DNS alias.
Despite entering the correct login data, you are always prompted to log in again when you access the NDES administration web page (certsrv/mscep_admin).