ADCS Enrollment Web Service with Managed Service Accounts

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service (CES) role using a group Managed Service Account (gMSA) on Server Core. The Enrollment Web Service allows automated certificate issuance to computers that cannot reach the Certificate Authorities directly over the standard DCOM ports, such as external or DMZ-housed computers. Users and computers can instead enroll for certificates from a CES server over HTTPS/443.

The Enrollment Web Service binds to an individual issuing Certificate Authority. To issue certificates from multiple CAs, multiple CES servers will need to be provisioned. The CES server requires that at least one Certificate Enrollment Policy Web Service (CEP) server be configured. The CES and CEP roles can both exist on the same system or can be deployed separately.

Requirements

  • Enterprise Administrator permissions.
  • Administrator permissions on the target Enterprise Certificate Authority.
  • A deployed and functional Enterprise PKI.
  • A deployed and enabled Certificate Enrollment Policy Web Service server.

Summary Steps

  • Enroll a Computer Certificate for the CES server IIS binding.
  • Install the Certificate Authority feature with the Enrollment Web Service role.
  • Create a group Managed Service Account (gMSA) for the IIS App Pool.
  • Assign the gMSA to the local IIS_IUSRS group on the CES server.
  • Assign a service principal name (SPN) to the gMSA.
  • Configure the gMSA for constrained delegation to the Certificate Authorities.
  • Assign the gMSA to the CES server IIS App Pool.

Enroll a Computer Certificate for the CES server IIS binding

The Certificate Enrollment Web Service must operate over HTTPS/443 and requires a certificate to be installed for the IIS binding. On non-Core server installations, you can enroll a certificate using the certlm.msc MMC snap-in. On Server Core installations, you can enroll a certificate from the command line against an Enterprise Certificate Authority, if one is available in your environment.

certreq.exe -enroll -machine -q <templatename>

Enroll a Certificate by Command Line

Install the Certificate Authority feature with the Enrollment Web Service role

This step requires Enterprise Administrator permissions to create an Enterprise Certificate Authority.

Use Server Manager or PowerShell to install the Certificate Authority feature with the Enrollment Web Service role. If operating on Server Core, use these tools remotely.

Specify credentials for configuration

Select role features

Select the Enterprise Certificate Authority for binding. This is the CA that the CES server will issue certificates from.

Select the CA for binding

Select the Authentication Type that the CES server should use to authenticate clients. The GUI installation only supports selecting a single authentication mechanism, but additional mechanisms can be configured later via PowerShell with Install-AdcsEnrollmentWebService. This guide uses Windows Integrated Authentication, which requires that client computers be domain-joined.

Select the authentication type

Select the service account to use for the IIS App Pool, which is the service account used for authentication against the Certificate Authority. The installation wizard does not support using a group Managed Service Account, so we’ll select the built-in application pool identity for now and change it later.

Select the service account

Select the Certificate to use for the HTTPS/443 binding within IIS. This is the certificate we enrolled for earlier.

Select the IIS binding certificate

Confirm


Results should be successful

Result
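For a Server Core host where the wizard is not available, the same steps (enroll the binding certificate, install the role, bind it to the issuing CA with Windows Integrated Authentication and the built-in application pool identity) can be run locally in PowerShell. This is an added example, not part of the original guide; the template name, CA configuration string and credential prompt are assumed placeholders for your environment.

```powershell
# Added example: PowerShell equivalent of the CES wizard steps above.
# Assumed values below are placeholders; replace them for your environment.
$TemplateName = 'WebServer'                          # assumed: template name used for the IIS binding cert
$CAConfig     = 'CA01.corp.example\Corp-Issuing-CA'  # assumed: CAComputerName\CAName of the issuing CA
$EACred       = Get-Credential -Message 'Enterprise Admin credentials'

# 1. Enroll the IIS binding certificate in the machine store from the enterprise CA.
certreq.exe -enroll -machine -q $TemplateName
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 2. Select the newest valid Server Authentication certificate (EKU 1.3.6.1.5.5.7.3.1)
#    with a private key; its thumbprint is what the HTTPS/443 binding needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid Server Authentication certificate found in LocalMachine\My' }

# 3. Install the Certificate Enrollment Web Service role binaries.
Install-WindowsFeature ADCS-Enroll-Web-Svc | Out-Null

# 4. Configure CES: bind to the issuing CA, use Kerberos (Windows Integrated) auth,
#    and run under the built-in application pool identity for now; the gMSA is
#    assigned to the app pool in a later step. Enterprise Admin rights are required.
Install-AdcsEnrollmentWebService -CAConfig $CAConfig `
    -AuthenticationType Kerberos `
    -SSLCertThumbprint $cert.Thumbprint `
    -ApplicationPoolIdentity `
    -Credential $EACred `
    -Force

# 5. Verify that IIS now has an HTTPS binding on 443 for CES clients to reach.
Import-Module WebAdministration
Get-WebBinding -Protocol https | Where-Object { $_.bindingInformation -like '*:443:*' }
```

Run the script in an elevated PowerShell session on the CES server; if more than one Server Authentication certificate is present, check that the thumbprint chosen in step 2 is the one you enrolled for the binding.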