Required Windows security permissions for the Certificate Enrollment Web Service (CES)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact the CES components.

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.

Required permissions

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

The service account under which the CES service is operated (The identity of the IIS application pool) requires the following rights for proper functioning:

  • Access this Computer over the Network (SeNetworkLogonRight) on the certification authority
  • Impersonate a Client after Authentication (SeImpersonatePrivilege) on the CES Server
  • Log on as a Batch Job (SeBatchLogonRight), if it is a domain account or...
  • Log on as a Service (SeServiceLogonRight) if it is a Group Managed Service Account (gMSA).

Related links:

External sources