Configure Windows Certificate Enrollment Web Service Again
KB ID 0001250
Problem
A client had moved a domain joined server into their DMZ, and while they had opened the correct ports for Domain Authentication on their firewall, no one had considered the certificates on the server, which had expired and could not be renewed.
Some research pointed me towards the Certificate Enrolment Web Service. Its job is to allow clients to enrol for and renew certificates, from either non domain joined machines, or machines that cannot contact your PKI environment. This was just what I needed, I just needed to test the concept. So I built a domain, set up a CA, and a DMZ (with the same firewall as my client, a Cisco ASA). Then I moved a domain client into the DMZ; domain authentication was set up as follows;
Cisco ASA – Allowing Domain Trusts, and Authentication
Solution
Before starting I would suggest creating a 'service account' to run the enrolment service; you need to be an admin to install the services, but this account does not need to be. (It does need to be in the LOCAL IIS_IUSRS group on your CES/CEP server(s)). Below you will see I've named my user svc_ca.
You need to already have a PKI/CA set up. You can split the CES 'Web Service' and CEP 'Policy Web Service' across different hosts if you want, but for this example I'm simply putting both roles on the same server.
Then you need to run the post deployment configuration.
Again I'm configuring both roles at the same time.
I've only got one, so simply choose the CA server on which to host the CES role.
As I mentioned above, I'm using Windows authentication; if you are deploying certs to a DMZ, yours may be better set to username/password.
Specify the service account you created earlier.
Again, choose your authentication method.
Now you need to create a 'Service Principal Name' (SPN) for your service account that's tied to your Certificate Enrolment Web Services server. Open an Administrative Command Window on the CES server and issue the following command;
setspn -s http/{FQDN-Of-Server} {Domain-Name}\{User-Name}
Now that your user has an SPN, they will get another 'Tab' on their user object, called 'Delegation'. Add in the CES server for the following service types.
- HOST
- rpcss
On your certificate enrolment policy server, open the Internet Information Services (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos > Application Settings.
Locate the Friendly Name section > Locate the 'Value' > Change its final hexadecimal character (0 to 9 or A to F) from what it is currently > OK.
Open an Administrative Command Window > Issue an IISRESET command.
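The server-side steps above (service account, SPN, constrained delegation, role install and post-deployment configuration) as one PowerShell run, added here as an example and not part of the original article. It assumes a domain CORP / corp.example.com, a service account svc_ca, a CES/CEP host ces01.corp.example.com, a CA named Corp-Root-CA on ca01.corp.example.com, and that it is run as an admin on the CES host with the RSAT ActiveDirectory module installed (all of these are assumptions).

```powershell
# Added example, not from the original article. Assumed names: CORP\svc_ca, ces01.corp.example.com,
# ca01.corp.example.com\Corp-Root-CA. Run elevated on the CES/CEP host (Server 2016+, RSAT AD module).
$Domain   = 'CORP'
$SvcUser  = 'svc_ca'
$CesFqdn  = 'ces01.corp.example.com'
$CaConfig = 'ca01.corp.example.com\Corp-Root-CA'

# 1. Service account: a plain domain user with no admin rights. Installing the roles needs an admin,
#    running them does not; the account only needs local IIS_IUSRS membership on the CES/CEP host.
$pw = Read-Host -AsSecureString -Prompt "Password for $Domain\$SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES256
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member "$Domain\$SvcUser"

# 2. SPN tying the service account to the CES host (same effect as the setspn -s command above).
Set-ADUser -Identity $SvcUser -ServicePrincipalNames @{Add = "http/$CesFqdn"}

# 3. The 'Delegation' tab: constrained delegation to HOST and rpcss on the CES server only.
#    This writes msDS-AllowedToDelegateTo; it does not grant unconstrained delegation.
Set-ADUser -Identity $SvcUser -Add @{'msDS-AllowedToDelegateTo' = @("HOST/$CesFqdn", "rpcss/$CesFqdn")}

# 4. Both roles on this host, then the post-deployment configuration with Kerberos authentication.
Install-WindowsFeature ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol -IncludeManagementTools
# Web Server certificate whose SAN matches the CES FQDN must already be in the machine store.
$sslThumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $CesFqdn } |
    Select-Object -First 1).Thumbprint
if (-not $sslThumb) { throw "No Web Server certificate for $CesFqdn in LocalMachine\My" }
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -ServiceAccountName "$Domain\$SvcUser" `
    -ServicePassword $pw -AuthenticationType Kerberos -SSLCertThumbprint $sslThumb -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint $sslThumb -Force

# 5. Checks: SPN and delegation targets on the account, and the CEP URI answering over HTTPS.
setspn -L "$Domain\$SvcUser"
Get-ADUser $SvcUser -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo' |
    Format-List ServicePrincipalNames, 'msDS-AllowedToDelegateTo'
(Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing `
    -Uri "https://$CesFqdn/ADPolicyProvider_CEP_Kerberos/service.svc/CEP").StatusCode   # expect 200
```

The 'Friendly Name' value change and IISRESET from the steps above are still done in IIS Manager as described; the script only covers the account, SPN, delegation and role installation.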
Setup Enrolment Policies
To actually use the CES/CEP service your client needs to know where it is. There are two methods of letting them know: you can either use the Certificates snap-in, or use a 'Local Group Policy' on the target machines.
Managing Enrolment Policies With Certificates Snap-In
Windows Key+R > MMC {Enter} > File > Add/Remove Snap-In > Certificates > Local Computer > When the console opens > Action > All Tasks > Advanced Operations > Manage Enrolment Policies.
Add > Enter the URI of the CEP Server;
https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
Note: To access via https, you may need to manually add a Web Server certificate for the URL/Common name of the CEP server. See the following article;
IIS: How to Create a Certificate Request
Validate Server > Add.
Managing Enrolment Policies With Local Group Policy
Windows Key+R > gpedit.msc {Enter} > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Certificate Enrolment Policy.
Add > Enter the URI of the CEP Server;
https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
Validate Server > Add.
If you already have an Active Directory Enrolment Policy listed, make sure it's NOT selected, and that your newly created CES policy is set as the default > Apply.
Enrol Or Renew Certificates From CES
Now if you attempt to enrol for a certificate, your machine will use the CES policy.
Related Articles, References, Credits, or External Links
URI Was Validated Successfully Only there Was No Friendly Name Returned
Certificate Enrolment – URI This ID conflicts with an Existing ID
Source: https://www.petenetlive.com/kb/article/0001250