I was working with a customer that had segmented their Active Directory with firewalls. We had implemented PKI earlier, but that was before the AD segmentation, and at the time there was no requirement for certificate enrollment web services. After the segmentation we wanted auto-enrollment for the computers on "the other side of the firewall", so we decided to implement CES/CEP (Certificate Enrollment Web Service / Certificate Enrollment Policy Web Service) on the existing CA server. That way only TCP port 443 to the CA server has to be opened through the firewall.
For more information about CES/CEP, see: http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx and http://blogs.technet.com/b/askds/archive/2010/02/01/certificate-enrollment-web-services.aspx
I will not document the whole installation, as it is pretty straightforward, but here are the key points:
- Installed both the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service on the same server, which also happens to be the enterprise issuing CA (two-tier hierarchy).
- Used Windows integrated (Kerberos) authentication.
- Used a dedicated service account, NOT the built-in application pool identity.
- Added the service account to the local IIS_IUSRS group on the CES/CEP server.
- Registered the SPN on the service account: setspn -s HTTP/<computerFQDN> <domain>\<serviceaccount>
So I was ready to test certificate enrollment, and then this error was thrown in my face: "Access was denied by the remote endpoint".
I googled and tried many things, but could not find any answers.
I was looking for answers in the IIS Application Pools, and there I saw this:
There are two application pools related to CES/CEP, but only one of them was using the CES service account I created. I went into Advanced Settings on the app pool that did not have the service account specified and changed its identity:
Before
After
I then ran an IISRESET and tried enrollment again, and this time it succeeded. 🙂
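The same setup as a PowerShell script, added here as an illustration and not taken from the original post: it performs the key points listed above (role services, Kerberos authentication, service account, IIS_IUSRS membership, SPN), then applies the fix from this post by checking that BOTH CES/CEP application pools run as the service account, and finally tests an enrollment through the CEP endpoint. The domain CONTOSO, account svc-ces, host ca01.contoso.local, CA name "Contoso Issuing CA", the web server certificate lookup by subject and the use of the Computer ("Machine") template for the test are all assumptions.

```powershell
# Added example (not from the original post). Assumed names: domain CONTOSO, service
# account svc-ces, CES/CEP host ca01.contoso.local (also the issuing CA), CA name
# "Contoso Issuing CA". Run elevated as an Enterprise Admin on the CA/CES/CEP server.
$Domain   = 'CONTOSO'
$SvcAcct  = 'svc-ces'
$HostFqdn = 'ca01.contoso.local'
$CAConfig = "$HostFqdn\Contoso Issuing CA"
$Cred     = Get-Credential -UserName "$Domain\$SvcAcct" -Message 'Service account password'

# 1. Role services for CEP (policy web service) and CES (enrollment web service)
Install-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# 2. Service account into the local IIS_IUSRS group
net localgroup IIS_IUSRS "$Domain\$SvcAcct" /add

# 3. HTTP SPN on the service account (the post's key point); -S refuses to add a
#    duplicate SPN, and -X lists any duplicates already present in the forest
setspn -S "HTTP/$HostFqdn" "$Domain\$SvcAcct"
setspn -X

# 4. Web server certificate for the HTTPS endpoint (assumed to be in the machine store)
$SslThumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostFqdn*" -and $_.HasPrivateKey } |
    Select-Object -First 1).Thumbprint

# 5. Configure both services with Kerberos (integrated) authentication; the CES
#    cmdlet takes the service account, the pools are verified in step 6 regardless
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $SslThumb -Force
Install-AdcsEnrollmentWebService -CAConfig $CAConfig -AuthenticationType Kerberos `
    -ServiceAccountName "$Domain\$SvcAcct" -ServiceAccountPassword $Cred.Password `
    -SSLCertThumbprint $SslThumb -Force

# 6. The fix from this post: BOTH application pools must run as the service account,
#    not just the one the wizard configured
Import-Module WebAdministration
foreach ($pool in 'WSEnrollmentPolicyServer', 'WSEnrollmentServer') {
    $pm = (Get-Item "IIS:\AppPools\$pool").processModel
    if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne "$Domain\$SvcAcct") {
        Write-Warning "$pool runs as '$($pm.identityType)' $($pm.userName); switching to $Domain\$SvcAcct"
        Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
            identityType = 3                       # 3 = SpecificUser
            userName     = "$Domain\$SvcAcct"
            password     = $Cred.GetNetworkCredential().Password
        }
    }
}
iisreset

# 7. Test: request a Computer ("Machine") template certificate through the CEP
#    endpoint. This is the same call a client across the firewall would make,
#    needing only TCP 443 to the server.
$CepUrl = "https://$HostFqdn/ADPolicyProvider_CEP_Kerberos/service.svc/CEP"
certreq -Enroll -machine -q -PolicyServer $CepUrl Machine
```

Step 6 is the part that matters for the error in this post: if one of the two pools is left on the built-in identity while the HTTP SPN is registered to the service account, the "Access was denied by the remote endpoint" error comes back even though everything else is configured correctly. The final certreq call is what to run from a machine on the far side of the firewall once the GPO for the enrollment policy URL is in place.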
It wasn’t working because you had the wrong pool set, either via the wizard or otherwise.
Only the WSEnrollmentPolicyServer needs a Kerberos delegation user with an SPN set up.
Also, you should use a CNAME for your SPN so WinRM works for the machine.
SPNs for the computer should be HTTP/hostname and HTTP/fqdn.
SPNs for the IIS CES user should be HTTP/cname.