This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Web Service (CES) role using group Managed Service Accounts (gMSA) on Server Core. The Enrollment Web Service allows for automated certificate issuance to computers that are unable to directly reach the Certificate Authorities over the standard DCOM ports, such as external or DMZ housed computers. Users and computers can enroll for certificates from a CES server over HTTPS/443.
The Enrollment Web Service binds to an individual issuing Certificate Authority. To issue certificates from multiple CAs, multiple CES servers will need to be provisioned. The CES server requires that at least one Certificate Enrollment Policy Web Service (CEP) server be configured. The CES and CEP roles can both exist on the same system or can be deployed separately.
Requirements
- Enterprise Administrator
- Administrator permissions on the target Enterprise Certificate Authority.
- A deployed and functional Enterprise PKI.
- A deployed and enabled Certificate Enrollment Policy Web Service server.
Summary Steps
- Enroll a Computer Certificate for the CES server IIS binding.
- Install the Certificate Authority feature with the Enrollment Web Service role.
- Create a group Managed Service Account (gMSA) for the IIS App Pool.
- Assign the gMSA to the local IIS_IUSRS group on the CES server.
- Assign a service principal name (SPN) to the gMSA.
- Configure the gMSA for constrained delegation to the Certificate Authorities.
- Assign the gMSA to the CES server IIS App Pool.
Enroll a Computer Certificate for the CES server IIS binding
The Certificate Enrollment Web Service must operate over HTTPS/443 and requires a certificate to be installed for the IIS binding. For non-core server installations, you can enroll a certificate using the certlm.msc MMC snap-in. For server core installations, you can enroll a certificate by command line from an available Enterprise Certificate Authority, if available in your environment.
certreq.exe -enroll -machine -q <templatename>
Install the Certificate Authority feature with the Enrollment Web Service role
This step requires Enterprise Administrator permissions to create an Enterprise Certificate Authority.
Use Server Manager or Powershell to install the Certificate Authority feature with the Enrollment Web Service role. If operating on Server Core, use these tools remotely.
Select the Enterprise Certificate Authority for binding. This is the CA that the CES server will issue certificates from.
Select the Authentication Type that the CES server should use to authenticate clients. The GUI installation only supports selection of a single authentication mechanism, but additional mechanisms can be configured later via Powershell with Install-AdcsEnrollmentWebService. This guide uses Windows Integrated Authentication which requires that client computer be domain joined.
Select the service account to use for the IIS App Pool, which is the service account used for authentication against the Certificate Authority. The installation wizard does not support using a group Managed Service Account, so we’ll select the built-in application pool identity for now and change it later.
Select the Certificate to use for the HTTPS/443 binding within IIS. This is the certificate we enrolled for earlier.
Confirm
Results should be successful
Create a group Managed Service Account (gMSA) for the IIS App Pool
This step requires Domain Administrator permissions, or delegated permissions to create and manage group Managed Service Accounts.
For instructions creating a group Managed Service Account, see Group Managed Service Accounts.
Assign the gMSA to the local IIS_IUSRS group on the CES server
The group Managed Service Account must be made a member of the IIS_IUSRS group on the CES server to be later added to the IIS App Pool.
Assign a Service Principal Name (SPN) to the gMSA
This step requires Domain Administrator permissions, or delegated permissions to manage Service Principal Names.
The group Managed Service Account must have a Service Principal Name associated with each CES server that will use the account.
The Service Principal Name can be set by command line with:
setspn -s http/CAFQDN domain\msa$
The Service Principal Name can also be set using the Active Directory Users and Computers MMC snap-in. Select the group Managed Service Account, select the Attribute Editor tab, and edit the servicePrincipalName property. If the Attribute Editor tab is not visible, enable Advanced Features from the view menu on the toolbar.
Note: Setting these SPN values will cause PS Remoting and some remote management tools to fail when attempting to connect to the referenced servers using their FQDNs in the future.
Configure the gMSA for constrained delegation to the Certificate Authorities
The group Managed Service Account must be configured for Kerberos Constrained Delegation for each Enterprise Certificate Authority that it will issue certificates from.
Using the Active Directory Users and Computers snap-in, enable Advanced Features from the view menu on the toolbar. Then open the service account object, select the Attribute Editor tab, and edit the msDS-AllowedToDelegateTo property. Add an entry for both HOST and rpcss for both the shortname and FQDN of each Certificate Authority.
Assign the gMSA to the CES server IIS App Pool
The group Managed Service Account is now ready to be assigned to the IIS App Pool. For non-core server versions, use the IIS Administrator to change the App Pool identity.
This guide installed the CES and CEP roles onto different servers and only sets the service account to the CES server. However, if you’ve co-installed both CES and CEP roles on the same server, then the same service account must be assigned to both application pools.
When setting the group Managed Service Account, the password field should be left blank.
For Server Core installations, the App Pool identity can be changed using IIS Remote Administration and following the above steps. The App Pool identity can also be changed locally by command line.
\Windows\system32\inetsrv\appcmd.exe list apppool \Windows\system32\inetsrv\appcmd.exe set apppool "WSEnrollmentServer" -processModel.identityType:SpecificUser \Windows\system32\inetsrv\appcmd.exe set apppool "WSEnrollmentServer" -processModel.userName:domain\account$
References
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831822(v=ws.11)
- https://social.technet.microsoft.com/wiki/contents/articles/15668.implementing-certificate-enrollment-web-services-in-windows-server-2012-that-uses-an-issuing-ca-with-spaces-in-the-name.aspx
- https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/certificate-enrollment-web-services/ba-p/397385
- https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx