Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
    Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

This error may have the following causes:

  • The Service Principal Name (SPN) is missing from, or set incorrectly on, the CEP service account (also check for a syntax error caused by incorrect command-line input, see the examples below).
  • The IIS application pool on the CEP server is running under the wrong service account.
  • IIS Kernel Mode authentication is enabled for the CEP although the application pool runs under a custom service account rather than the IIS application pool identity.
  • The user is not authorized to log on to the CEP (for example, because the user is logged on with a local account).
  • Invalid credentials were entered when authenticating with username and password.

Examples

Incorrect: two service principal names were entered in a single command here.
Correct: here the service principal names were entered one after the other, each in its own command.
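The following PowerShell script is an added example and not part of the original article: it checks the three server-side causes listed above (SPN registration on the service account, application pool identity, kernel mode authentication) on the CEP server. The service account name, the CEP host name and the IIS application path are assumptions and must be adjusted to your environment.

```powershell
# Added diagnostic script (not from the original article). Run on the CEP server;
# needs the ActiveDirectory and WebAdministration PowerShell modules.
Import-Module ActiveDirectory
Import-Module WebAdministration

$ServiceAccount = 'svc-cep'               # assumed: sAMAccountName of the CEP service account
$CepHost        = 'cep.corp.contoso.com'  # assumed: host name used in the enrollment policy URL
$AppPath        = 'IIS:\Sites\Default Web Site\ADPolicyProvider_CEP_Kerberos'  # assumed CEP application

# 1. SPNs: the short and the fully qualified HTTP SPN must both sit on the service
#    account, and on no other object. setspn takes one SPN per call
#    (setspn -S <SPN> <account>), so register the two names one after the other.
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
foreach ($spn in @("HTTP/$CepHost", "HTTP/$($CepHost.Split('.')[0])")) {
    if ($account.servicePrincipalName -contains $spn) {
        Write-Output "OK       $spn is registered on $ServiceAccount"
    } else {
        Write-Output "MISSING  $spn  (fix: setspn -S $spn $ServiceAccount)"
    }
    # Any other object holding the same SPN makes Kerberos pick the wrong key.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.DistinguishedName -ne $account.DistinguishedName } |
        ForEach-Object { Write-Output "CONFLICT $spn is also set on $($_.DistinguishedName)" }
}

# 2. Application pool identity: the pool must run as the CEP service account.
$poolName = (Get-Item $AppPath).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$identity = $pool.processModel.identityType      # SpecificUser, ApplicationPoolIdentity, ...
$user     = $pool.processModel.userName
Write-Output "Pool '$poolName' runs as $identity $user"
if ($identity -ne 'SpecificUser' -or $user -notmatch "(^|\\)$ServiceAccount(@|$)") {
    Write-Output "WARNING  pool identity is not the service account $ServiceAccount"
}

# 3. Kernel mode authentication: with a custom pool account the Kerberos ticket is
#    otherwise decrypted with the machine account, which does not hold the SPN.
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$kernel   = (Get-WebConfigurationProperty -PSPath $AppPath -Filter $winAuth -Name useKernelMode).Value
$poolCred = (Get-WebConfigurationProperty -PSPath $AppPath -Filter $winAuth -Name useAppPoolCredentials).Value
Write-Output "useKernelMode=$kernel useAppPoolCredentials=$poolCred"
if ($identity -eq 'SpecificUser' -and $kernel -and -not $poolCred) {
    Write-Output "WARNING  disable kernel mode authentication or set useAppPoolCredentials=true"
}
```

The script only reads configuration; each WARNING, MISSING or CONFLICT line points at one of the causes above, and the credentials and authorization causes still have to be checked on the client side.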
