This guide covers the deployment of the Active Directory Certificate Services (AD CS) Certificate Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve Certificate Enrollment Policies from an Enterprise Certificate Authority when access to a Domain Controller is not possible, such as external or DMZ-housed computers, or clients without permissions. Users and computers can retrieve enrollment policies from a CEP server over HTTPS/443.
The Certificate Enrollment Policy Web Service binds to Active Directory Domain Controllers over standard LDAP ports. A single CEP server can provide policy services for multiple Enterprise Certificate Authorities. A CEP server is required for clients to utilize a Certificate Enrollment Web Services server.
Requirements
- Administrator privileges on the CEP server.
- A deployed and functional Enterprise PKI.
Summary Steps
- Enroll a Computer Certificate for the CEP server IIS binding.
- Install the Certificate Authority feature with the Policy Web Enrollment Service role.
- Determine the URI for client access to the CEP service.
- Configure Group Policy to direct clients to the new CEP server.
Enroll a Computer Certificate for the CEP server IIS binding
The Certificate Enrollment Policy Web Service must operate over HTTPS/443 and requires a certificate to be installed for the IIS binding. For non-core server installations, you can enroll a certificate using the certlm.msc MMC snap-in. For Server Core installations, you can enroll a certificate from the command line against an Enterprise Certificate Authority available in your environment; replace <templatename> with the name of the certificate template you intend to use.
certreq.exe -enroll -machine -q <templatename>
Install the Certificate Authority feature with the Policy Web Enrollment Service role
Install the Certificate Authority Role with Add/Remove Features or with PowerShell.
Be sure to select the Certificate Enrollment Policy Web Service under Role Services. This guide assumes the use of the Add/Remove Features wizard remotely using Server Manager.
For Server Core installations, it may be helpful to select the Management Service under IIS Role Services. This installs the Web Management Service (WMSvc) for remote management capability with the IIS Manager for Remote Administration.
Complete the Role Configuration steps.
Select the authentication type for this CEP server.
This guide uses Windows Integrated Authentication (Kerberos) for client requests, which requires that clients be domain joined. Additional authentication types are available if your situation does not allow for domain-joined clients, but they are not covered in this guide.
Select the certificate that IIS should bind to for HTTPS connections.
Confirm and complete the role configuration.
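The steps above (enrolling the IIS certificate, installing the role service, and completing the role configuration with Windows Integrated authentication) can also be performed from a single elevated PowerShell session on the Server Core host. The following script is an added example and is not part of the original guide; the template name 'WebServer' is an assumption, and the WMSvc steps at the end are optional and only mirror the guide's remote-management suggestion.

```powershell
# Added example (not from the original guide): enroll the IIS certificate and
# install/configure the CEP role service on Server Core. Run elevated on the CEP server.
$TemplateName = 'WebServer'   # assumption: replace with the enrollment template you actually use

# 1. Enroll a machine certificate from an Enterprise CA
#    (PowerShell equivalent of: certreq.exe -enroll -machine -q <templatename>).
$enroll = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') {
    # A 'Pending' status means the template requires CA manager approval; stop here.
    throw "Certificate enrollment did not complete: status $($enroll.Status)"
}
$cert = $enroll.Certificate
Write-Host "Enrolled certificate with thumbprint $($cert.Thumbprint)"

# 2. Install the CEP role service, plus the IIS Management Service (WMSvc) so the
#    Server Core host can be managed with IIS Manager for Remote Administration.
Install-WindowsFeature -Name ADCS-Enroll-Web-Pol, Web-Mgmt-Service -IncludeManagementTools

# 3. Configure CEP for Windows Integrated (Kerberos) authentication and bind IIS
#    to the certificate enrolled above. -Force suppresses the confirmation prompt.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $cert.Thumbprint -Force

# 4. Optional: enable remote IIS management over WMSvc (documented registry switch).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' `
    -Name EnableRemoteManagement -Value 1
Set-Service -Name WMSvc -StartupType Automatic
Start-Service -Name WMSvc
```

Get-Certificate returns a request object whose Status is 'Issued' only when the CA issued the certificate immediately; templates that require manager approval return 'Pending', which the script treats as a failure rather than binding IIS to a certificate that does not yet exist.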
Determine the URI for client access to the CEP service
Connect to the IIS Management Service using the Remote Manager.
Expand the Default Web Site and select the ADPolicyProvider_CEP_* application. This guide assumes that we selected Windows Integrated Authentication as the authentication type, so the application should be named ADPolicyProvider_CEP_Kerberos.
Select Application Settings.
Supply a Friendly Name. Make note of this name for later use.
Record the URI displayed. This is the location clients use to reach the CEP server. You will need this value to configure Group Policy.
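The Friendly Name and URI shown in Application Settings are stored in the CEP application's web.config, so they can also be set and read with the WebAdministration module on the CEP server. The following script is an added example, not part of the original guide; it assumes the application is ADPolicyProvider_CEP_Kerberos under Default Web Site and that the appSettings keys are named 'URI' and 'FriendlyName' (confirm both against the Application Settings pane before relying on them).

```powershell
# Added example (not from the original guide): set the Friendly Name and read the
# client-facing URI of the CEP application from IIS configuration. Run elevated on the CEP server.
Import-Module WebAdministration

$AppPath      = 'IIS:\Sites\Default Web Site\ADPolicyProvider_CEP_Kerberos'   # assumed application name
$FriendlyName = 'Corp CEP Kerberos'                                          # assumed friendly name

if (-not (Test-Path $AppPath)) {
    throw "CEP application not found at $AppPath; check the authentication type selected during install"
}

# Write the Friendly Name (assumed appSettings key: FriendlyName).
Set-WebConfigurationProperty -PSPath $AppPath -Filter "appSettings/add[@key='FriendlyName']" `
    -Name value -Value $FriendlyName

# Read back the URI clients must use (assumed appSettings key: URI). This is the value
# to enter in Group Policy; it should be an https:// URL ending in /service.svc/CEP.
$uri = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "appSettings/add[@key='URI']" -Name value).Value
if ($uri -notmatch '^https://') {
    throw "CEP URI is not HTTPS: $uri"
}
Write-Host "Friendly Name : $FriendlyName"
Write-Host "CEP URI       : $uri"
```

The HTTPS check is there because clients will refuse a CEP endpoint that is not served over TLS; catching a misbinding here is cheaper than debugging it from the client side after Group Policy has been pushed.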
Configure Group Policy to direct clients to the new CEP server
Use the Group Policy Management Console (GPMC) to edit or create a Group Policy Object that will direct clients to use the new CEP server.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Select Certificate Services Client – Certificate Enrollment Policy
Enable the policy.
The policy will contain the default LDAP configuration that directs clients to a Domain Controller. Remove that existing entry.
Select Add to add a new policy.
Enter the URI you recorded from the previous step. For Authentication Type, select the authentication type you selected during installation. This guide used Windows Integrated.
Select Validate Server.
Select Add.
Repeat this process for any additional CEP servers that are utilized for high availability.
Select OK.
Clients will need to refresh policy before using the new CEP servers for policy retrieval. The CEP servers refresh policy from Active Directory every 30 minutes by default, and clients retain a local cache for even longer, so be aware that Certificate Template changes may not be reflected immediately when polled by clients.
The CEP servers can be forced to refresh their cache from Active Directory by issuing the iisreset command.
The client caches are located in the following paths and can be cleared to force a refresh:
- Computer: %ProgramData%\Microsoft\Windows\X509Enrollment
- User: %USERPROFILE%\AppData\Local\Microsoft\Windows\X509Enrollment
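The two refresh actions above (iisreset on the CEP server, cache clearing on the client) can be scripted so that a template change is picked up on demand rather than after the 30-minute server refresh and the longer client cache lifetime. The following script is an added example and is not part of the original guide; the -Role switch is an assumption introduced here so that one script can be run on either side, and the gpupdate and certutil -pulse calls are standard Windows commands used to re-trigger policy retrieval after the cache is emptied.

```powershell
# Added example (not from the original guide): force CEP policy refresh on the server
# or on a client. Run elevated. Usage: .\Refresh-CepCache.ps1 -Role Server|Client
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Server', 'Client')]
    [string]$Role
)

if ($Role -eq 'Server') {
    # Restarting IIS makes the CEP application re-read templates from Active Directory.
    iisreset
    return
}

# Client side: the paths named in the guide. Both are cleared, not deleted, so the
# enrollment client recreates the cache files on its next policy retrieval.
$caches = @(
    "$env:ProgramData\Microsoft\Windows\X509Enrollment",                       # computer cache
    "$env:USERPROFILE\AppData\Local\Microsoft\Windows\X509Enrollment"          # user cache
)
foreach ($path in $caches) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Force | Remove-Item -Recurse -Force
        Write-Host "Cleared enrollment policy cache: $path"
    } else {
        Write-Host "No cache present at $path (nothing to clear)"
    }
}

# Re-apply Group Policy so the CEP server list is current, then trigger autoenrollment,
# which contacts the CEP server and repopulates the caches with fresh policy.
gpupdate /force
certutil -pulse          # machine autoenrollment
certutil -user -pulse    # user autoenrollment
```

Clearing the cache only removes stale template data; it does not touch issued certificates, which live in the certificate stores rather than under X509Enrollment.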