Create a group Managed Service Account (gMSA) for the IIS App Pool
This step requires Domain Administrator permissions, or delegated permissions to create and manage group Managed Service Accounts.
For instructions on creating a group Managed Service Account, see Group Managed Service Accounts.
Assign the gMSA to the local IIS_IUSRS group on the CES server
The group Managed Service Account must be made a member of the local IIS_IUSRS group on the CES server before it is assigned to the IIS App Pool. The CES server must also be allowed to retrieve the account's managed password (the PrincipalsAllowedToRetrieveManagedPassword setting on the gMSA) and the account must be installed on the server with Install-ADServiceAccount; otherwise IIS cannot start a worker process under that identity. Test-ADServiceAccount, run on the CES server, confirms that the password can be retrieved.
Assign a Service Principal Name (SPN) to the gMSA
This step requires Domain Administrator permissions, or delegated permissions to manage Service Principal Names.
The group Managed Service Account must have a Service Principal Name associated with each CES server that will use the account.
The Service Principal Name can be set from the command line with:
setspn -s http/CESFQDN domain\msa$
Here CESFQDN is the fully qualified DNS name of the CES server (the server the text above refers to, not the Certificate Authority) and domain\msa$ is the gMSA written with its trailing $. The -s switch checks that the SPN is not already registered to another account before adding it. A duplicate SPN breaks Kerberos authentication for both accounts, so if setspn reports a conflict, resolve it rather than forcing the addition with -a.
The Service Principal Name can also be set using the Active Directory Users and Computers MMC snap-in. Select the group Managed Service Account, open the Attribute Editor tab, and edit the servicePrincipalName attribute. If the Attribute Editor tab is not visible, enable Advanced Features from the View menu.
Note: Registering HTTP/CESFQDN on the gMSA changes which account the KDC issues a ticket for when a client requests that SPN. PowerShell Remoting (WinRM) and other remote management tools that authenticate with the HTTP/FQDN SPN will fail to connect to the CES server by its FQDN from then on, because the service ticket is issued for the gMSA rather than the server's computer account. Perform remote management of the CES server using a name for which no HTTP SPN is registered to the gMSA (for example the short host name), or complete the remote steps before setting the SPN.
Configure the gMSA for constrained delegation to the Certificate Authorities
The group Managed Service Account must be configured for Kerberos Constrained Delegation for each Enterprise Certificate Authority that it will issue certificates from.
Using the Active Directory Users and Computers snap-in, enable Advanced Features from the View menu. Then open the service account object, select the Attribute Editor tab, and edit the msDS-AllowedToDelegateTo attribute (the gMSA object has no Delegation tab in the snap-in, so the attribute is edited directly). Add four entries per Certificate Authority: HOST and rpcss for both the short name and the FQDN. For a CA named CA01 in the domain corp.example.com (illustrative names) the entries are HOST/CA01, HOST/ca01.corp.example.com, rpcss/CA01 and rpcss/ca01.corp.example.com. These entries allow the CES account to present the requesting user's identity to the CA, so list only the Certificate Authorities that CES actually needs to issue from.
Assign the gMSA to the CES server IIS App Pool
The group Managed Service Account is now ready to be assigned to the IIS App Pool. On a full (non-Core) installation, use Internet Information Services (IIS) Manager to change the App Pool identity: select Application Pools, open Advanced Settings for the pool, and set Identity to a custom account.
This guide installs the CES and CEP roles on different servers and only sets the service account on the CES server. If you have co-installed CES and CEP on the same server, the same service account must be assigned to both application pools.
When entering the group Managed Service Account as the custom account, use the domain\account$ form and leave the password fields blank; Windows retrieves the managed password itself.
For Server Core installations, the App Pool identity can be changed from IIS Manager on another machine (the Web Management Service must be enabled on the Core server) by following the steps above. It can also be changed locally from the command line. The first command lists the pools so the pool name can be confirmed; no password is set for a gMSA:
\Windows\system32\inetsrv\appcmd.exe list apppool
\Windows\system32\inetsrv\appcmd.exe set apppool "WSEnrollmentServer" -processModel.identityType:SpecificUser
\Windows\system32\inetsrv\appcmd.exe set apppool "WSEnrollmentServer" -processModel.userName:domain\account$
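The whole procedure above, as an added PowerShell script that is not part of the original guide. Every name in it is an assumption for the example: the domain corp.example.com (NetBIOS CORP), a gMSA called ces-gmsa, a CES server CES01, an issuing CA CA01, and WSEnrollmentPolicyServer as the CEP pool name for the co-installed case. The Domain phase runs wherever the ActiveDirectory and KDS modules are available, under an account with the permissions each step calls for; the CesServer phase runs elevated on the CES server itself, because once the HTTP SPN is on the gMSA, PowerShell Remoting to that server by FQDN no longer works.

```powershell
<#
  Added example, not part of the original guide: the gMSA procedure above as one script.
  -Phase Domain     runs where the ActiveDirectory and KDS modules are available, as an
                    account allowed to create gMSAs, set SPNs and edit delegation.
  -Phase CesServer  runs elevated on the CES server itself.
  Every name below is an assumption for the example; replace it with your own.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Domain', 'CesServer')][string]$Phase,
    [string]$Domain     = 'corp.example.com',       # assumed AD DNS domain
    [string]$NetBios    = 'CORP',                   # assumed NetBIOS domain name
    [string]$GmsaName   = 'ces-gmsa',               # assumed gMSA name (sAMAccountName ces-gmsa$)
    [string]$CesHost    = 'CES01',                  # assumed CES server host name
    [string[]]$CaHosts  = @('CA01'),                # assumed issuing Enterprise CA host names
    [string[]]$AppPools = @('WSEnrollmentServer')   # add 'WSEnrollmentPolicyServer' if CEP is co-installed
)

$cesFqdn     = "$CesHost.$Domain"
$gmsaAccount = '{0}\{1}$' -f $NetBios, $GmsaName    # domain\msa$ form used by setspn and IIS

if ($Phase -eq 'Domain') {
    Import-Module ActiveDirectory

    # Step 1: create the gMSA. A KDS root key must already exist in the forest.
    if (-not (Get-KdsRootKey)) {
        throw 'No KDS root key exists; create one with Add-KdsRootKey before creating a gMSA.'
    }
    $cesComputer = Get-ADComputer -Identity $CesHost
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
        # Least privilege: only the CES computer may retrieve the managed password,
        # because anyone who can retrieve it can act as this account towards the CAs.
        New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$Domain" `
            -PrincipalsAllowedToRetrieveManagedPassword $cesComputer `
            -KerberosEncryptionType 'AES128,AES256'
    }

    # Step 2: register HTTP/<CES FQDN> on the gMSA. SPNs must be unique in the forest and a
    # duplicate breaks Kerberos for both holders, so refuse rather than add a second copy.
    $spn    = "HTTP/$cesFqdn"
    $holder = Get-ADObject -Filter "servicePrincipalName -eq '$spn'"
    if ($holder -and $holder.Name -ne $GmsaName) {
        throw "$spn is already registered on $($holder.DistinguishedName)"
    }
    Set-ADServiceAccount -Identity $GmsaName -ServicePrincipalNames @{ Add = $spn }

    # Step 3: constrained delegation to each issuing CA: HOST and rpcss, short name and FQDN.
    $targets = foreach ($ca in $CaHosts) {
        "HOST/$ca"; "HOST/$ca.$Domain"; "rpcss/$ca"; "rpcss/$ca.$Domain"
    }
    Set-ADServiceAccount -Identity $GmsaName -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

    # Show the resulting object so the values can be reviewed before the CES server phase.
    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToRetrieveManagedPassword'
    Get-ADServiceAccount -Identity $GmsaName -Properties $props | Format-List (@('Name') + $props)
}
else {
    # Step 4: install the gMSA on this host and add it to the local IIS_IUSRS group.
    if (-not (Get-Module -ListAvailable ActiveDirectory)) {
        throw 'ActiveDirectory module missing; install the RSAT-AD-PowerShell feature first.'
    }
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "This host cannot retrieve the password for $GmsaName; check PrincipalsAllowedToRetrieveManagedPassword."
    }
    # net.exe is used instead of Add-LocalGroupMember so this also works on older Server Core builds.
    if ((& net.exe localgroup IIS_IUSRS) -notcontains $gmsaAccount) {
        & net.exe localgroup IIS_IUSRS $gmsaAccount /add | Out-Null
    }

    # Step 5: point the application pool(s) at the gMSA. No password is set: Windows fetches it.
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    foreach ($pool in $AppPools) {
        & $appcmd set apppool $pool '/processModel.identityType:SpecificUser' | Out-Null
        & $appcmd set apppool $pool "/processModel.userName:$gmsaAccount"   | Out-Null
        & $appcmd recycle apppool $pool | Out-Null
        # Prints the identity now configured on the pool, for confirmation.
        & $appcmd list apppool $pool '/text:processModel.userName'
    }
}
```

Run it as `.\Configure-CesGmsa.ps1 -Phase Domain` first, then `.\Configure-CesGmsa.ps1 -Phase CesServer` on the CES server. Two choices are deliberate: the script restricts PrincipalsAllowedToRetrieveManagedPassword to the CES computer object alone, since any principal able to retrieve the managed password can use the account's delegation rights to request certificates from the CAs on behalf of users; and it refuses to register an SPN that already exists on another object instead of adding a duplicate, which is the same check `setspn -s` performs.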
References
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831822(v=ws.11)
- https://social.technet.microsoft.com/wiki/contents/articles/15668.implementing-certificate-enrollment-web-services-in-windows-server-2012-that-uses-an-issuing-ca-with-spaces-in-the-name.aspx
- https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/certificate-enrollment-web-services/ba-p/397385
- https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx