ADCS Enrollment Web Service with Managed Service Accounts

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Web Service (CES) role using group Managed Service Accounts (gMSA) on Server Core. The Enrollment Web Service allows for automated certificate issuance to computers that are unable to directly reach the Certificate Authorities over the standard DCOM ports, such as external or DMZ housed computers. Users and computers can enroll for certificates from a CES server over HTTPS/443.

The Enrollment Web Service binds to an individual issuing Certificate Authority. To issue certificates from multiple CAs, multiple CES servers will need to be provisioned. The CES server requires that at least one Certificate Enrollment Policy Web Service (CEP) server be configured. The CES and CEP roles can both exist on the same system or can be deployed separately.

Requirements

  • Enterprise Administrator
  • Administrator permissions on the target Enterprise Certificate Authority.
  • A deployed and functional Enterprise PKI.
  • A deployed and enabled Certificate Enrollment Policy Web Service server.

Summary Steps

  • Enroll a Computer Certificate for the CES server IIS binding.
  • Install the Certificate Authority feature with the Enrollment Web Service role.
  • Create a group Managed Service Account (gMSA) for the IIS App Pool.
  • Assign the gMSA to the local IIS_IUSRS group on the CES server.
  • Assign a service principal name (SPN) to the gMSA.
  • Configure the gMSA for constrained delegation to the Certificate Authorities.
  • Assign the gMSA to the CES server IIS App Pool.

Enroll a Computer Certificate for the CES server IIS binding

The Certificate Enrollment Web Service must operate over HTTPS/443 and requires a certificate to be installed for the IIS binding. For non-core server installations, you can enroll a certificate using the certlm.msc MMC snap-in. For server core installations, you can enroll a certificate by command line from an available Enterprise Certificate Authority, if available in your environment.

certreq.exe -enroll -machine -q <templatename>

Enroll a Certificate by Command Line

Install the Certificate Authority feature with the Enrollment Web Service role

This step requires Enterprise Administrator permissions to create an Enterprise Certificate Authority.

Use Server Manager or Powershell to install the Certificate Authority feature with the Enrollment Web Service role. If operating on Server Core, use these tools remotely.

Specify credentials for configuration

Select role features

Select the Enterprise Certificate Authority for binding. This is the CA that the CES server will issue certificates from.

Select the CA for binding

Select the Authentication Type that the CES server should use to authenticate clients. The GUI installation only supports selection of a single authentication mechanism, but additional mechanisms can be configured later via Powershell with Install-AdcsEnrollmentWebService. This guide uses Windows Integrated Authentication which requires that client computer be domain joined.

Select the authentication type

Select the service account to use for the IIS App Pool, which is the service account used for authentication against the Certificate Authority. The installation wizard does not support using a group Managed Service Account, so we’ll select the built-in application pool identity for now and change it later.

Select the service account

Select the Certificate to use for the HTTPS/443 binding within IIS. This is the certificate we enrolled for earlier.

Select the IIS binding certificate

Confirm

Confirm

Results should be successful

Result

Create a group Managed Service Account (gMSA) for the IIS App Pool

This step requires Domain Administrator permissions, or delegated permissions to create and manage group Managed Service Accounts.

For instructions creating a group Managed Service Account, see Group Managed Service Accounts.

Assign the gMSA to the local IIS_IUSRS group on the CES server

The group Managed Service Account must be made a member of the IIS_IUSRS group on the CES server to be later added to the IIS App Pool.

Add the gMSA to the CES IIS_IUSRS group

Assign a Service Principal Name (SPN) to the gMSA

This step requires Domain Administrator permissions, or delegated permissions to manage Service Principal Names.

The group Managed Service Account must have a Service Principal Name associated with each CES server that will use the account.

The Service Principal Name can be set by command line with:

setspn -s http/CAFQDN domain\msa$

Set the service account SPN

The Service Principal Name can also be set using the Active Directory Users and Computers MMC snap-in. Select the group Managed Service Account, select the Attribute Editor tab, and edit the servicePrincipalName property. If the Attribute Editor tab is not visible, enable Advanced Features from the view menu on the toolbar.

Set the service account SPN by GUI

Note: Setting these SPN values will cause PS Remoting and some remote management tools to fail when attempting to connect to the referenced servers using their FQDNs in the future.

Configure the gMSA for constrained delegation to the Certificate Authorities

The group Managed Service Account must be configured for Kerberos Constrained Delegation for each Enterprise Certificate Authority that it will issue certificates from.

Using the Active Directory Users and Computers snap-in, enable Advanced Features from the view menu on the toolbar. Then open the service account object, select the Attribute Editor tab, and edit the msDS-AllowedToDelegateTo property. Add an entry for both HOST and rpcss for both the shortname and FQDN of each Certificate Authority.

Configure constrained delegation

Assign the gMSA to the CES server IIS App Pool

The group Managed Service Account is now ready to be assigned to the IIS App Pool. For non-core server versions, use the IIS Administrator to change the App Pool identity.

When setting the group Managed Service Account, the password field should be left blank.

Set the IIS App Pool identity

For Server Core installations, the App Pool identity can be changed using IIS Remote Administration and following the above steps. The App Pool identity can also be changed locally by command line.

\Windows\system32\inetsrv\appcmd.exe list apppool
\Windows\system32\inetsrv\appcmd.exe set apppool "WSEnrollmentServer" -processModel.identityType:SpecificUser
\Windows\system32\inetsrv\appcmd.exe set apppool "WSEnrollmentServer" -processModel.userName:domain\account$

Set the App Pool identity by command line

References