Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on the CEP components.
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.
The service account under which the CEP service is operated (The identity of the IIS application pool) requires the following rights for proper functioning:
- Log on as a Batch Job (SeBatchLogonRight), if it is a domain account or...
- Log on as a Service (SeServiceLogonRight) if it is a Group Managed Service Account (gMSA).
Related links:
- Installing a Certificate Enrollment Policy Web Service (CEP)
- Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA).
External sources
- User Rights Assignment (Microsoft)
English 
Deutsch
One thought on “Benötigte Windows-Sicherheitsberechtigungen für den Certificate Enrollment Policy Web Service (CEP)”
Comments are closed.