Configuration on the CEP/CES machine

  1. CEP/CES Installation

    To install the Certificate Enrollment Services on the CEP/CES server:

    1. Open the Server Manager.
    2. Click Add Roles and Features, and click Next.
    3. Select Role-based or feature-based installation, and click Next.
    4. Choose Select a server from the server pool, and click Next.
    5. Expand Active Directory Certificate Services, select Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service, and click Next.
    6. Proceed until the Confirmation page, and click Install.
  2. CEP/CES Configuration
    1. Click the new task shown in the Server Manager notifications: Configure Active Directory Certificate Services on the destination server.
    2. In the credentials panel shown, click Change.
    3. Enter the service account created earlier, click OK, and then click Next.
    4. Select Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service and click Next.
    5. Select CA name.
    6. Click Select, choose the Microsoft CA that will issue certificates through the Certificate Enrollment Web Service, click OK, and then click Next.
    7. For CES authentication type, select Windows Integrated Authentication and then click Next.
    8. For the CES service account, select Use the built-in application pool identity.
    9. Click OK and then click Next.
    10. For CEP authentication type, select Windows Integrated Authentication and then click Next.
    11. For the server authentication (SSL) certificate, select Choose and assign a certificate for SSL later and click Next.
    12. Review the confirmation page and click Configure.
    13. When the installation completes, click Close.
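    The same installation and configuration, run from an elevated PowerShell prompt on the CEP/CES server instead of the Server Manager wizard. This is an added example, not AppViewX's or Microsoft's own script; the CA configuration string, the service account name and the SSL certificate thumbprint are placeholders you must replace. The wizard above defers the SSL certificate, whereas the cmdlets accept the thumbprint up front.

```powershell
# Added example: CES/CEP install + configure via PowerShell (run elevated on the CEP/CES server).
# Assumed placeholders, replace with your own values:
$CAConfig       = 'ca01.corp.example\Corp-Issuing-CA'   # <CAHost>\<CAName> of the issuing Microsoft CA
$ServiceAccount = 'CORP\svc-cepces'                     # the service account created earlier
$SslThumbprint  = 'REPLACE_WITH_SSL_CERT_THUMBPRINT'    # thumbprint of the IIS server-auth certificate

# Section 1: install the two role services (CES = ADCS-Enroll-Web-Svc, CEP = ADCS-Enroll-Web-Pol).
Install-WindowsFeature -Name ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol -IncludeManagementTools

# Section 2: configure both services with the same choices as the wizard:
#   - Windows Integrated Authentication (Kerberos) for CES and CEP
#   - built-in application pool identity for CES
$cred = Get-Credential -UserName $ServiceAccount -Message 'Account used to configure CES/CEP'

Install-AdcsEnrollmentWebService -CAConfig $CAConfig `
    -AuthenticationType Kerberos `
    -ApplicationPoolIdentity `
    -SSLCertThumbprint $SslThumbprint `
    -Credential $cred -Force

Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $SslThumbprint `
    -Credential $cred -Force

# Check: both role services installed and their IIS applications created under Default Web Site.
Get-WindowsFeature ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol | Format-Table Name, InstallState
Import-Module WebAdministration
Get-WebApplication -Site 'Default Web Site' |
    Where-Object { $_.path -match '_CES_Kerberos$|ADPolicyProvider_CEP_Kerberos$' } |
    Format-Table path, applicationPool
```

The final `Get-WebApplication` call should list `/ADPolicyProvider_CEP_Kerberos` and `/<CA_NAME>_CES_Kerberos`, each bound to its own application pool; those are the applications and pools edited in the following sections.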
  3. Configuring IIS in CEP/CES machine

    To configure Internet Information Services (IIS) for the CEP/CES applications:

    1. Run InetMgr.exe from a command prompt to open the Internet Information Services (IIS) Manager.
    2. Click your server name on the left-hand side.
    3. Expand the server node and click Application Pools.
    4. Expand Default Web Site, click ADPolicyProvider_CEP_Kerberos, and open Application Settings.
    5. Edit the entry named FriendlyName and set its value to AppViewX_Enrollment. This is the policy server name that users see only when they request certificates manually.
    6. Click Add and create a new entry with the name RetryIntervalMs and value 300000.
    7. Click the URI entry and copy its value; this is the policy server URL to publish through Group Policy.
    8. Restart IIS by clicking the server name and then click Restart on the right-hand side.
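    The same IIS Manager edits, applied with the WebAdministration module so they can be repeated or audited. This is an added example, not part of the original page; the application path and the setting names (FriendlyName, RetryIntervalMs, URI) are the ones named above, and the script assumes the CEP application lives under Default Web Site as the wizard creates it.

```powershell
# Added example: scripted version of the CEP Application Settings edits (run elevated).
Import-Module WebAdministration
$cepApp = 'IIS:\Sites\Default Web Site\ADPolicyProvider_CEP_Kerberos'

# Step 5: FriendlyName is the policy server name shown to users who enroll manually.
Set-WebConfigurationProperty -PSPath $cepApp `
    -Filter 'appSettings/add[@key="FriendlyName"]' -Name value -Value 'AppViewX_Enrollment'

# Step 6: RetryIntervalMs = 300000 ms (5 minutes). Add the key only if it is absent so a
#         re-run of this script does not create a duplicate <add> element.
$retry = Get-WebConfigurationProperty -PSPath $cepApp `
    -Filter 'appSettings/add[@key="RetryIntervalMs"]' -Name value
if ($null -eq $retry) {
    Add-WebConfigurationProperty -PSPath $cepApp -Filter 'appSettings' -Name '.' `
        -Value @{ key = 'RetryIntervalMs'; value = '300000' }
} else {
    Set-WebConfigurationProperty -PSPath $cepApp `
        -Filter 'appSettings/add[@key="RetryIntervalMs"]' -Name value -Value '300000'
}

# Step 7: read back the URI value; this is the policy server URL to publish via Group Policy.
$uri = (Get-WebConfigurationProperty -PSPath $cepApp `
    -Filter 'appSettings/add[@key="URI"]' -Name value).Value
"CEP URI for Group Policy: $uri"

# Verify all three settings as IIS now sees them.
Get-WebConfiguration -PSPath $cepApp -Filter 'appSettings/add' |
    Select-Object key, value | Format-Table -AutoSize

# Step 8: restart IIS so the application picks up the new appSettings.
iisreset
```

The settings are written to the application's own web.config, so the table printed before `iisreset` is the authoritative check that FriendlyName, RetryIntervalMs and URI hold the values you expect.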
  4. Steps for configuration verification
    1. Verify that the Identity of the WSEnrollmentPolicyServer and WSEnrollmentServer application pools is set to ApplicationPoolIdentity.
      If not, right-click the application pool name and click Advanced Settings > Identity.
      Click the three dots at the end of the identity and configure it as Built in account > ApplicationPoolIdentity as shown:
    2. Enable directory browsing for validation.
      • Click the application name [ADPolicyProvider_CEP_Kerberos], open Directory Browsing, and click Enable in the right pane.
      • Once enabled, click Browse Application URL as shown, and enter the service account credentials if prompted.

        The expected output is as shown:

      • Similarly, enable directory browsing and verify browsing for the CES application [<CA_NAME>_CES_Kerberos].
      • Disable directory browsing on both applications once the check has passed. It is only a diagnostic aid; a browsable listing of the service directory should not stay exposed on an enrollment endpoint.
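    A scripted form of the verification above, added here as an example rather than taken from the page. It checks both application pool identities, browses each application with the current Kerberos credentials while directory browsing is temporarily on, and switches browsing off again in a finally block so the listing is never left enabled. The CA name is a placeholder standing in for <CA_NAME>, and the script assumes the HTTPS binding has been assigned by the time it runs.

```powershell
# Added example: CEP/CES verification with clean-up (run elevated on the CEP/CES server).
Import-Module WebAdministration
$CaName  = 'Corp-Issuing-CA'                              # placeholder for <CA_NAME>
$Fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$BaseUrl = "https://$Fqdn"                                # assumes the SSL binding is in place
$apps    = @('ADPolicyProvider_CEP_Kerberos', "${CaName}_CES_Kerberos")

# Step 1: both pools must run as the built-in ApplicationPoolIdentity; fix them if not.
foreach ($pool in 'WSEnrollmentPolicyServer', 'WSEnrollmentServer') {
    $identity = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).identityType
    if ($identity -ne 'ApplicationPoolIdentity') {
        Write-Warning "$pool runs as '$identity'; resetting to ApplicationPoolIdentity"
        Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value ApplicationPoolIdentity
    } else {
        "$pool identity: OK"
    }
}

# Step 2: enable directory browsing, fetch the application root with Windows Integrated
#         (Kerberos) auth, then disable browsing again regardless of the outcome.
foreach ($app in $apps) {
    $path = "IIS:\Sites\Default Web Site\$app"
    Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true
    try {
        $resp = Invoke-WebRequest -Uri "$BaseUrl/$app/" -UseDefaultCredentials -UseBasicParsing
        '{0}: HTTP {1}, {2} bytes returned' -f $app, $resp.StatusCode, $resp.RawContentLength
    } catch {
        Write-Warning "$app failed: $($_.Exception.Message)"
    } finally {
        # Directory browsing is a diagnostic only; never leave it on for an enrollment endpoint.
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
    }
}

# Final check: confirm browsing is off on both applications.
foreach ($app in $apps) {
    $enabled = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$app" `
        -Filter 'system.webServer/directoryBrowse' -Name enabled).Value
    '{0}: directoryBrowse enabled = {1}' -f $app, $enabled
}
```

An HTTP 200 with a non-empty body for each application matches the expected directory listing from the manual check; a 401 usually means the Kerberos SPN or the pool identity is wrong, and a 404 means the application path or CA name placeholder does not match what the wizard created.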