This guide covers the deployment of the Active Directory Certificate Services (AD CS) Certificate Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve certificate enrollment policies from an Enterprise Certificate Authority when access to a Domain Controller is not possible, such as external or DMZ-housed computers, or clients without permissions to query the directory directly. Users and computers retrieve enrollment policies from a CEP server over HTTPS/443.
The Certificate Enrollment Policy Web Service binds to Active Directory Domain Controllers over the standard LDAP ports. A single CEP server can provide policy services for multiple Enterprise Certificate Authorities. Clients require a CEP server in order to use a Certificate Enrollment Web Services (CES) server.
Requirements
- Administrator privileges on the CEP server.
- A deployed and functional Enterprise PKI.
Summary Steps
- Enroll a Computer Certificate for the CEP server IIS binding.
- Install the Certificate Authority feature with the Policy Web Enrollment Service role.
- Determine the URI for client access to the CEP service.
- Configure Group Policy to direct clients to the new CEP server.
Enroll a Computer Certificate for the CEP server IIS binding
The Certificate Enrollment Policy Web Service must operate over HTTPS/443 and requires a certificate to be installed for the IIS binding. On a server with the Desktop Experience, you can enroll a certificate using the certlm.msc MMC snap-in. On Server Core, you can enroll a certificate from the command line against an Enterprise Certificate Authority in your environment, using a template that grants the server's computer account Enroll permission:
certreq.exe -enroll -machine -q <templatename>
Install the Certificate Authority feature with the Policy Web Enrollment Service role
Install the Certificate Authority role with Add/Remove Features or with PowerShell.
Be sure to select the Certificate Enrollment Policy Web Service under Role Services. This guide assumes the use of the Add/Remove Features wizard run remotely through Server Manager.
For Server Core installations, it may be helpful to select the Management Service under IIS Role Services. This installs the Web Management Service (WMSvc) for remote management capability with the IIS Manager for Remote Administration.
Complete the Role Configuration steps.
Select the authentication type for this CEP server.
This guide uses Windows Integrated Authentication (Kerberos) for client requests, which requires that clients be domain joined. Additional authentication types (username/password and client certificate) are available if your situation does not allow for domain-joined clients, but they are not covered in this guide.
Select the certificate that IIS should bind to for HTTPS connections.
Confirm and complete the role configuration.
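The same procedure carried out entirely from a Server Core console, as an added PowerShell example that is not part of the original guide. It assumes a certificate template named CEPWebServer (a placeholder) that the server's computer account may enroll from, uses Kerberos authentication as above, and finishes by checking the HTTPS binding and reporting the CEP URI the clients will need.

```powershell
# Added example: enroll the IIS certificate, install the CEP role service and
# verify the binding on Server Core. 'CEPWebServer' is a placeholder template name.
$ErrorActionPreference = 'Stop'
$template = 'CEPWebServer'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Return the newest valid machine certificate that carries this server's FQDN
# and has a private key; the IIS HTTPS binding must use such a certificate.
function Get-CepServerCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $fqdn -and
                       $_.NotAfter -gt (Get-Date) -and $_.Verify() } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# 1. Enroll the computer certificate from the Enterprise CA if none is present.
$cert = Get-CepServerCertificate
if (-not $cert) {
    certreq.exe -enroll -machine -q $template
    $cert = Get-CepServerCertificate
    if (-not $cert) { throw "Enrollment from template '$template' produced no usable certificate for $fqdn." }
}

# 2. Install the CEP role service and the IIS Web Management Service (WMSvc)
#    so the Core host can be administered with IIS Manager for Remote Administration.
Install-WindowsFeature ADCS-Enroll-Web-Pol, Web-Mgmt-Service -IncludeManagementTools

# 3. Configure CEP for Windows Integrated (Kerberos) authentication and bind
#    the HTTPS listener to the certificate selected above.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $cert.Thumbprint -Force

# 4. WMSvc is installed with remote management disabled; enable it and start the service.
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name EnableRemoteManagement -Value 1
Set-Service WMSVC -StartupType Automatic
Start-Service WMSVC

# 5. Check that port 443 is bound to our certificate, then report the CEP URI.
#    The virtual directory name is the one the role creates for Kerberos authentication.
Import-Module WebAdministration
$thumbs = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | ForEach-Object { $_.Thumbprint })
if ($thumbs -notcontains $cert.Thumbprint) { throw 'The HTTPS binding on 443 is not using the CEP certificate.' }
"CEP endpoint for Group Policy: https://$fqdn/ADPolicyProvider_CEP_Kerberos/service.svc/CEP"
```

The URI printed at the end is the value to supply in Group Policy so that domain-joined clients locate this CEP server.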