Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

Possible causes

This error may have the following causes:

  • The Service Principal Name (SPN) is not set, or not set correctly, on the CEP service account (also check for syntax errors caused by incorrect command-line input).
  • The IIS application pool on the CEP server is running under the wrong service account.
  • IIS Kernel Mode authentication is enabled for the CEP when not using the IIS application pool identity.
  • The user is not authorized to log in to the CEP (for example, because the user has logged in with a local account).
  • Invalid credentials were entered when authenticating with username and password.
  • The error may occur on the first call after the service has started; in that case a new attempt may succeed.


Incorrect: Two service principal names were entered at once here.
Correct: Here the service principal names were entered one after the other.
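
The first three causes in the list can be checked directly on the CEP server. The following PowerShell is an added example, not part of the original article. The host names, service account name, application pool name and IIS application path are assumptions to replace with your own values, and the service account is assumed to be a domain user account.

```powershell
# Added example. Every value in this block is an assumption; replace with your own.
$CepHostNames   = @('cep01', 'cep01.example.com')   # names used in the policy URL (placeholders)
$ServiceAccount = 'svc_cep'                          # CEP service account, domain user (placeholder)
$AppPoolName    = 'WSEnrollmentPolicyServer'         # assumed name of the CEP application pool
$CepApplication = 'Default Web Site/ADPolicyProvider_CEP_Kerberos'  # assumed IIS application path

Import-Module ActiveDirectory    # RSAT Active Directory module
Import-Module WebAdministration  # IIS module, run this on the CEP server

# Cause 1: the SPN is missing or wrong on the service account.
# Each HTTP/<name> must exist as its own value in servicePrincipalName.
$account    = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$registered = @($account.servicePrincipalName)
foreach ($name in $CepHostNames) {
    $spn = "HTTP/$name"
    if ($registered -contains $spn) {
        Write-Output "OK       $spn is set on $ServiceAccount"
    } else {
        Write-Output "MISSING  $spn is not set on $ServiceAccount"
        # Show which account, if any, currently holds this SPN.
        setspn -Q $spn
    }
}

# Cause 2: the application pool runs under the wrong account.
$processModel = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
Write-Output "App pool identity: $($processModel.identityType) $($processModel.userName)"
if ($processModel.identityType -eq 'SpecificUser' -and
    $processModel.userName -notlike "*$ServiceAccount*") {
    Write-Output "CHECK    app pool does not run as $ServiceAccount"
}

# Cause 3: kernel-mode authentication is enabled although the pool
# does not run under the built-in application pool identity.
$kernelMode = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $CepApplication `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useKernelMode).Value
if ($kernelMode -and $processModel.identityType -ne 'ApplicationPoolIdentity') {
    Write-Output 'CHECK    kernel-mode authentication is enabled with a custom app pool identity'
}
```

If an SPN is reported as missing, register each name with its own `setspn -S` call, one after the other.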
