Windows security permissions required for Certificate Authority Web Enrollment (CAWE)

If you implement Microsoft's Active Directory administrative tiering model, or apply similar hardening measures to your servers, this will affect Certificate Authority Web Enrollment (CAWE).

Certificate Authority Web Enrollment is a very old feature dating from the Windows 2000 era and was last updated with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. It also does not support certificate templates of version 3 or newer, which means that certificate templates using functions introduced with Windows Vista / Windows Server 2008 or later cannot be used. It is recommended that you do not use Certificate Authority Web Enrollment and instead request certificates via the built-in tools or the PSCertificateEnrollment PowerShell module.

Required permissions


The service account under which CAWE runs (the identity of the IIS application pool) requires the following rights to function properly:

On the Certification Authority...

  • Access this computer from the network (SeNetworkLogonRight) on the certification authority.

On the CAWE server...

  • Act as part of the operating system (SeTcbPrivilege).
  • Impersonate a client after authentication (SeImpersonatePrivilege).
  • Log on as a batch job (SeBatchLogonRight), if the account is a domain account, or...
  • Log on as a service (SeServiceLogonRight), if the account is a Group Managed Service Account (gMSA).
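
To check whether the application pool identity actually holds the rights listed for the CAWE server, the following PowerShell script is added here as an example; it is not part of the original post. It assumes it is run elevated on the CAWE server itself, that `$AppPoolIdentity` is replaced with the real account name (the value shown is a placeholder), and it chooses the logon right to check based on whether the account is a gMSA (trailing `$`).

```powershell
# Added example, not from the original post: audit the CAWE application pool
# identity for the user rights listed above on the CAWE server.
# Assumption: run elevated on the CAWE server; $AppPoolIdentity is a placeholder.

$AppPoolIdentity = 'CORP\svc-cawe$'   # placeholder: replace with the real identity
$IsGmsa = $AppPoolIdentity.EndsWith('$')

# Rights required on the CAWE server; the logon right depends on the account type.
$Required = @('SeTcbPrivilege', 'SeImpersonatePrivilege')
$Required += if ($IsGmsa) { 'SeServiceLogonRight' } else { 'SeBatchLogonRight' }

# secedit stores principals as SIDs prefixed with '*', so resolve the account first.
$Sid = (New-Object System.Security.Principal.NTAccount($AppPoolIdentity)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export the local User Rights Assignment policy to a temporary INF file.
$Cfg = Join-Path $env:TEMP 'cawe-rights.inf'
secedit.exe /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Lines = Get-Content -Path $Cfg -Encoding Unicode   # secedit writes UTF-16
Remove-Item -Path $Cfg

foreach ($Right in $Required) {
    # INF format: SeTcbPrivilege = *S-1-5-...,*S-1-5-...
    $Entry = $Lines | Where-Object { $_ -match "^\s*$Right\s*=" }
    $Holders = if ($Entry) { (($Entry -split '=', 2)[1]).Trim() -split ',' } else { @() }
    $Granted = ($Holders -contains "*$Sid") -or ($Holders -contains $AppPoolIdentity)
    [pscustomobject]@{ Right = $Right; Granted = $Granted }
}
```

The check only matches rights assigned directly to the account; a right granted through a group the account belongs to is not resolved, so a `False` result may still be covered indirectly and should be confirmed in the Local Security Policy console. The SeNetworkLogonRight entry on the certification authority is not covered, since the script only inspects the machine it runs on.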
