Requirements<\/h1>\n\n- Administrator privileges on the CEP server.<\/li>\n
- A deployed and functional Enterprise PKI.<\/li>\n<\/ul>\n
Summary Steps<\/h1>\n\n- Enroll a Computer Certificate for the CEP server IIS binding.<\/li>\n
- Install the Certificate Authority feature with the Policy Web Enrollment Service role.<\/li>\n
- Determine the URI for client access to the CEP service.<\/li>\n
- Configure Group Policy to direct clients to the new CEP server.<\/li>\n<\/ul>\n
<\/p>\n
Enroll a Computer Certificate for the CEP server IIS binding<\/h2>\n
The Certificate Enrollment Policy Web Service must operate over HTTPS\/443 and requires a certificate to be installed for the IIS binding. For non-core server installations, you can enroll a certificate using the certlm.msc<\/code> MMC snap-in. For server core installations, you can enroll a certificate by command line from an available Enterprise Certificate Authority, if available in your environment.<\/p>\ncertreq.exe -enroll -machine -q <templatename><\/pre>\n![\"Enroll](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-01-300x157.png\")
<\/a><\/p>\nInstall the Certificate Authority feature with the Policy Web Enrollment Service role<\/h2>\n
Install the Certificate Authority Role with Add\/Remove Features or with PowerShell.
\nEnsure to select the Certificate Enrollment Policy Web Service under Role Services. This guide assumes the use of the Add\/Remove Features wizard remotely using Server Manager.<\/p>\n
![\"Install](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-02-300x214.png\")
<\/a><\/p>\nFor Server Core installations, it may be helpful to select the Management Service under IIS Role Services. This installs the Web Management Service (WMSvc)<\/a> for remote management capability with the IIS Manager for Remote Administration<\/a>.<\/p>\n![\"Install](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-03-300x214.png\")
<\/a><\/p>\nComplete the Role Configuration steps.<\/p>\n
![\"Provide](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-04-300x221.png\")
<\/a><\/p>\n![\"Select](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-05-300x221.png\")
<\/a><\/p>\nSelect the authentication type for this CEP server.
\nThis guide uses Windows Integrated Authentication (Kerberos) for client requests, which requires that clients be domain joined. Additional authentication types are available if your situation does not allow for domain joined clients, but is not covered in this guide.<\/p>\n
![\"Select](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-06-300x221.png\")
<\/a><\/p>\nSelect the certificate that IIS should bind to for HTTPS connections.<\/p>\n
![\"Select](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-07-300x221.png\")
<\/a><\/p>\nConfirm and complete the role configuration.<\/p>\n
![\"Confirm](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-08-300x221.png\")
<\/a><\/p>\n![\"Complete](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-09-300x221.png\")
<\/a><\/p>\nDetermine the URI for client access to the CEP service<\/h2>\n
Connect to the IIS Management Service using the Remote Manager.<\/p>\n
Expand the Default Web Site and select the ADPolicyProvider_CEP_* application. This guide assumes that we selected Windows Integrated Authentication as the authentication type, so the application should be named ADPolicyProvider_CEP_Kerberos<\/code>.
\nSelect Application Settings.<\/p>\n![\"Select](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-10-300x166.png\")
<\/a><\/p>\nSupply a Friendly Name. Make note of this name in the future.
\nRecord the URI displayed. This is the location clients use to reach the CEP server. You will need this value to configure Group Policy.<\/p>\n
![\"Set](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-11-300x166.png\")
<\/a><\/p>\nConfigure Group Policy to direct clients to the new CEP server<\/h2>\n
Use the Group Policy Management Console (GPMC) to edit or create a Group Policy Object that will direct clients to use the new CEP server.<\/p>\n
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
\nSelect Certificate Services Client – Certificate Enrollment Policy<\/p>\n
![\"Configure](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-12-300x210.png\")
<\/a><\/p>\nEnable the policy.
\nThe policy will contain the default LDAP configuration to direct clients to a Domain Controller. Remove the existing policy.<\/p>\n
![\"Enable](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-13-300x210.png\")
<\/a><\/p>\nSelect Add to add a new policy.
\nEnter the URI you recorded from the previous step. For Authentication Type, select the authentication type you selected during installation. This guide used Windows Integrated.
\nSelect Validate Server.<\/p>\n
![\"Add](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-14-300x210.png\")
<\/a><\/p>\nSelect Add.
\nRepeat this process for any additional CEP servers that are utilized for high availability.<\/p>\n
![\"Save](\"https:\/\/www.matthewschacherbauer.com\/wp\/wp-content\/uploads\/2020\/08\/adcs-cep-15-300x210.png\")
<\/a><\/p>\nSelect OK.<\/p>\n
Clients will need to refresh policy before using the new CEP servers for policy retrieval. The CEP servers refresh policy from Active Directory every 30 minutes by default, and clients retain a local cache for even longer; so be aware that Certificate Template changes may not be reflected immediately when polled by clients.<\/p>\n
The CEP servers can forced to refresh their cache from Active Directory by issuing the iisreset<\/code> command.<\/p>\nThe client caches are located in the following paths and can be cleared to force a refresh<\/p>\n
\n- Computer: %ProgramData%\\Microsoft\\Windows\\X509Enrollment<\/li>\n
- User:%USERPROFILE%\\AppData\\Local\\Microsoft\\Windows\\X509Enrollment<\/li>\n<\/ul>\n
References<\/h1>\n\n- https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/hh831625(v=ws.11)<\/a><\/li>\n
- https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Policy_Server_Configuration_and_Selection<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve Certificate Enrollment Policies from an Enterprise Certificate Authority … Continue reading
Summary Steps<\/h1>\n\n- Enroll a Computer Certificate for the CEP server IIS binding.<\/li>\n
- Install the Certificate Authority feature with the Policy Web Enrollment Service role.<\/li>\n
- Determine the URI for client access to the CEP service.<\/li>\n
- Configure Group Policy to direct clients to the new CEP server.<\/li>\n<\/ul>\n
<\/p>\n
Enroll a Computer Certificate for the CEP server IIS binding<\/h2>\n
The Certificate Enrollment Policy Web Service must operate over HTTPS\/443 and requires a certificate to be installed for the IIS binding. For non-core server installations, you can enroll a certificate using the certlm.msc<\/code> MMC snap-in. For server core installations, you can enroll a certificate by command line from an available Enterprise Certificate Authority, if available in your environment.<\/p>\ncertreq.exe -enroll -machine -q <templatename><\/pre>\n<\/a><\/p>\nInstall the Certificate Authority feature with the Policy Web Enrollment Service role<\/h2>\n
Install the Certificate Authority Role with Add\/Remove Features or with PowerShell.
\nEnsure to select the Certificate Enrollment Policy Web Service under Role Services. This guide assumes the use of the Add\/Remove Features wizard remotely using Server Manager.<\/p>\n
<\/a><\/p>\nFor Server Core installations, it may be helpful to select the Management Service under IIS Role Services. This installs the Web Management Service (WMSvc)<\/a> for remote management capability with the IIS Manager for Remote Administration<\/a>.<\/p>\n<\/a><\/p>\nComplete the Role Configuration steps.<\/p>\n
<\/a><\/p>\n<\/a><\/p>\nSelect the authentication type for this CEP server.
\nThis guide uses Windows Integrated Authentication (Kerberos) for client requests, which requires that clients be domain joined. Additional authentication types are available if your situation does not allow for domain joined clients, but is not covered in this guide.<\/p>\n
<\/a><\/p>\nSelect the certificate that IIS should bind to for HTTPS connections.<\/p>\n
<\/a><\/p>\nConfirm and complete the role configuration.<\/p>\n
<\/a><\/p>\n<\/a><\/p>\nDetermine the URI for client access to the CEP service<\/h2>\n
Connect to the IIS Management Service using the Remote Manager.<\/p>\n
Expand the Default Web Site and select the ADPolicyProvider_CEP_* application. This guide assumes that we selected Windows Integrated Authentication as the authentication type, so the application should be named ADPolicyProvider_CEP_Kerberos<\/code>.
\nSelect Application Settings.<\/p>\n<\/a><\/p>\nSupply a Friendly Name. Make note of this name in the future.
\nRecord the URI displayed. This is the location clients use to reach the CEP server. You will need this value to configure Group Policy.<\/p>\n
<\/a><\/p>\nConfigure Group Policy to direct clients to the new CEP server<\/h2>\n
Use the Group Policy Management Console (GPMC) to edit or create a Group Policy Object that will direct clients to use the new CEP server.<\/p>\n
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
\nSelect Certificate Services Client – Certificate Enrollment Policy<\/p>\n
<\/a><\/p>\nEnable the policy.
\nThe policy will contain the default LDAP configuration to direct clients to a Domain Controller. Remove the existing policy.<\/p>\n
<\/a><\/p>\nSelect Add to add a new policy.
\nEnter the URI you recorded from the previous step. For Authentication Type, select the authentication type you selected during installation. This guide used Windows Integrated.
\nSelect Validate Server.<\/p>\n
<\/a><\/p>\nSelect Add.
\nRepeat this process for any additional CEP servers that are utilized for high availability.<\/p>\n
<\/a><\/p>\nSelect OK.<\/p>\n
Clients will need to refresh policy before using the new CEP servers for policy retrieval. The CEP servers refresh policy from Active Directory every 30 minutes by default, and clients retain a local cache for even longer; so be aware that Certificate Template changes may not be reflected immediately when polled by clients.<\/p>\n
The CEP servers can forced to refresh their cache from Active Directory by issuing the iisreset<\/code> command.<\/p>\nThe client caches are located in the following paths and can be cleared to force a refresh<\/p>\n
\n- Computer: %ProgramData%\\Microsoft\\Windows\\X509Enrollment<\/li>\n
- User:%USERPROFILE%\\AppData\\Local\\Microsoft\\Windows\\X509Enrollment<\/li>\n<\/ul>\n
References<\/h1>\n\n- https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/hh831625(v=ws.11)<\/a><\/li>\n
- https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Policy_Server_Configuration_and_Selection<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve Certificate Enrollment Policies from an Enterprise Certificate Authority … Continue reading
<\/p>\n
Enroll a Computer Certificate for the CEP server IIS binding<\/h2>\n
The Certificate Enrollment Policy Web Service must operate over HTTPS\/443 and requires a certificate to be installed for the IIS binding. For non-core server installations, you can enroll a certificate using the Install the Certificate Authority Role with Add\/Remove Features or with PowerShell. For Server Core installations, it may be helpful to select the Management Service under IIS Role Services. This installs the Web Management Service (WMSvc)<\/a> for remote management capability with the IIS Manager for Remote Administration<\/a>.<\/p>\n Complete the Role Configuration steps.<\/p>\n Select the authentication type for this CEP server. Select the certificate that IIS should bind to for HTTPS connections.<\/p>\n Confirm and complete the role configuration.<\/p>\n Connect to the IIS Management Service using the Remote Manager.<\/p>\n Expand the Default Web Site and select the ADPolicyProvider_CEP_* application. This guide assumes that we selected Windows Integrated Authentication as the authentication type, so the application should be named Supply a Friendly Name. Make note of this name in the future. Use the Group Policy Management Console (GPMC) to edit or create a Group Policy Object that will direct clients to use the new CEP server.<\/p>\n Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies Enable the policy. Select Add to add a new policy. Select Add. Select OK.<\/p>\n Clients will need to refresh policy before using the new CEP servers for policy retrieval. The CEP servers refresh policy from Active Directory every 30 minutes by default, and clients retain a local cache for even longer; so be aware that Certificate Template changes may not be reflected immediately when polled by clients.<\/p>\n The CEP servers can forced to refresh their cache from Active Directory by issuing the The client caches are located in the following paths and can be cleared to force a refresh<\/p>\n This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve Certificate Enrollment Policies from an Enterprise Certificate Authority … Continue reading certlm.msc<\/code> MMC snap-in. For server core installations, you can enroll a certificate by command line from an available Enterprise Certificate Authority, if available in your environment.<\/p>\ncertreq.exe -enroll -machine -q <templatename><\/pre>\n
<\/a><\/p>\nInstall the Certificate Authority feature with the Policy Web Enrollment Service role<\/h2>\n
\nEnsure to select the Certificate Enrollment Policy Web Service under Role Services. This guide assumes the use of the Add\/Remove Features wizard remotely using Server Manager.<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\nThis guide uses Windows Integrated Authentication (Kerberos) for client requests, which requires that clients be domain joined. Additional authentication types are available if your situation does not allow for domain joined clients, but is not covered in this guide.<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nDetermine the URI for client access to the CEP service<\/h2>\n
ADPolicyProvider_CEP_Kerberos<\/code>.
\nSelect Application Settings.<\/p>\n<\/a><\/p>\n
\nRecord the URI displayed. This is the location clients use to reach the CEP server. You will need this value to configure Group Policy.<\/p>\n<\/a><\/p>\nConfigure Group Policy to direct clients to the new CEP server<\/h2>\n
\nSelect Certificate Services Client – Certificate Enrollment Policy<\/p>\n<\/a><\/p>\n
\nThe policy will contain the default LDAP configuration to direct clients to a Domain Controller. Remove the existing policy.<\/p>\n<\/a><\/p>\n
\nEnter the URI you recorded from the previous step. For Authentication Type, select the authentication type you selected during installation. This guide used Windows Integrated.
\nSelect Validate Server.<\/p>\n<\/a><\/p>\n
\nRepeat this process for any additional CEP servers that are utilized for high availability.<\/p>\n<\/a><\/p>\niisreset<\/code> command.<\/p>\n\n
References<\/h1>\n
\n