Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

Possible causes

This error usually occurs when the CEP server is accessible and the Web Server service is running, but the Application Pool for CEP (WSEnrollmentPolicyServer) or CES (WSEnrollmentServer) is not started.

If the Application Pool cannot be started, this can have several causes.

  • There is a problem with the configured identity of the application pool, for example, if the service account is disabled or its password is incorrect or expired. Likewise, it is mandatory to configure the identity with the domain name prefixed (e.g. INTRA\Service_CES).
  • An incorrect logon restriction is set up for the service account (Logon Restriction via the userWorkstations Active Directory attribute, configured for the wrong server).
  • The domain connection between the CEP server and the domain is broken, so logon cannot occur.
  • The user account under which the CEP or CES Application Pool is configured requires the "Log on as a batch job" (SeBatchLogonRight) privilege if the service account is a domain account, or "Log on as a Service" (SeServiceLogonRight) if it is a Group Managed Service Account (gMSA).
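The causes listed above can be checked in one pass on the CEP/CES server. The following script is an added example, not part of the original article. It assumes an elevated Windows PowerShell 5.1 session, the WebAdministration module (IIS) and, for the account check, the ActiveDirectory module (RSAT); the temporary file name is an arbitrary choice.

```powershell
# Added diagnostic sketch; run elevated on the CEP/CES server.
Import-Module WebAdministration

$pools = 'WSEnrollmentPolicyServer', 'WSEnrollmentServer'   # pool names from the article

# Domain connection (secure channel) between this server and the domain
"Secure channel OK: $(Test-ComputerSecureChannel)"

# Export the local user rights assignment once for the checks below
$inf = Join-Path $env:TEMP 'user_rights.inf'                # arbitrary temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf

foreach ($name in $pools) {
    if (-not (Test-Path "IIS:\AppPools\$name")) { "${name}: not present on this server"; continue }

    $pm = (Get-Item "IIS:\AppPools\$name").processModel
    "${name}: state=$((Get-WebAppPoolState -Name $name).Value) identityType=$($pm.identityType) user=$($pm.userName)"

    if ($pm.identityType -ne 'SpecificUser') { continue }
    if ($pm.userName -notmatch '^[^\\]+\\[^\\]+$') {
        "  identity is not in DOMAIN\account form"
        continue
    }
    $sam    = $pm.userName.Split('\')[1]
    $isGmsa = $sam.EndsWith('$')                            # gMSA names end with '$'
    $right  = if ($isGmsa) { 'SeServiceLogonRight' } else { 'SeBatchLogonRight' }

    # Direct assignment only: rights granted through group membership are not resolved here.
    # The SID lookup itself fails if the account cannot be resolved against the domain.
    $sid  = ([Security.Principal.NTAccount]$pm.userName).Translate([Security.Principal.SecurityIdentifier]).Value
    $line = $rights | Where-Object { $_ -like "$right =*" }
    "  $right directly assigned: $([bool]($line -match [regex]::Escape($sid)))"

    if (-not $isGmsa) {
        # Disabled account, expired password, lockout and logon restriction in one view
        Get-ADUser -Identity $sam -Properties PasswordExpired, LockedOut, userWorkstations |
            Format-List Enabled, PasswordExpired, LockedOut, userWorkstations
    }
}
Remove-Item $inf
```

A "False" for the logon right is not conclusive on its own, because the right may be granted through a group the account belongs to; review the exported line for that right in that case.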
