For security reasons, it can make sense to run the CEP under a Group Managed Service Account (gMSA) instead of an ordinary domain user account. A gMSA has the considerable advantage that Active Directory rotates the account password automatically (every 30 days by default), so nobody has to remember to change it manually, a step that is unfortunately forgotten far too often.
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) allow certificates to be requested and renewed automatically from a certification authority over an HTTPS-based interface. This eliminates the need for clients to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".
If the CEP was installed following the instructions in the article "Installing a Certificate Enrollment Policy Web Service (CEP)", the service runs under the identity of its IIS application pool after installation.
If CEP and CES are installed on the same server and a service account with Kerberos delegation is used, the CEP and CES application pools must run under the same account.
Requirements for the CEP service account
The CEP service account...
- must be a member of the IIS_IUSRS local group.
- requires a Service Principal Name (SPN) of the form HTTP/<name>, where <name> is either the fully qualified name of the server or the DNS alias that clients will use to reach the CEP, depending on the configuration.
Creating the gMSA for the Certificate Enrollment Policy Web Service
The gMSA for the CEP can be created with the following PowerShell command, provided that a KDS root key has already been created in the Active Directory forest (Get-KdsRootKey shows whether one exists):
New-ADServiceAccount `
    -Name gMSA_CEP `
    -PrincipalsAllowedToRetrieveManagedPassword CEP01$ `
    -DNSHostName gMSA_CEP.intra.adcslabor.com
The arguments given here mean the following:
- The Name argument specifies the name of the gMSA.
- The PrincipalsAllowedToRetrieveManagedPassword argument specifies the computer account (here CEP01$) that is allowed to retrieve the managed password of the service account. If several CEP servers are to share the gMSA, specify an Active Directory group containing their computer accounts instead of a single computer.
- The DNSHostName argument specifies the contents of the account's dNSHostName attribute, which is required because a gMSA is technically a special kind of computer account.
Configure the Service Principal Name (SPN) for the gMSA.
The following command registers the service principal name (SPN) on the gMSA. The -S option makes setspn check beforehand that the SPN is not already registered on another account in the forest; a duplicate SPN would break Kerberos authentication to the CEP.
setspn -S HTTP/cep01.intra.adcslabor.de INTRA\gMSA_CEP$
Installing the gMSA on the CEP Server
First, the Active Directory module for PowerShell must be installed on the CEP server, as it provides the cmdlets used below.
Add-WindowsFeature RSAT-AD-PowerShell
After that, the service account can be installed on the server with the following PowerShell command.
Install-ADServiceAccount gMSA_CEP
The command returns no output if it was successful.
You can check if this is really the case with the following command line command.
Test-ADServiceAccount gMSA_CEP
This command returns True if the gMSA has been installed successfully. If it returns False, the most common cause is that the computer account is not (or not yet, because its Kerberos ticket predates the change) covered by PrincipalsAllowedToRetrieveManagedPassword.
Include gMSA in the IIS_IUSRS group on the CEP server.
The installed gMSA must now be added to the local security group IIS_IUSRS so that it can be used as an application pool identity. This can be done via the management console for local users and groups (lusrmgr.msc).
Configuring the gMSA in the CEP application pool
For the CEP to run under the installed gMSA, the gMSA must be configured as the identity of the WSEnrollmentPolicyServer application pool in the Internet Information Services (IIS) Manager. To do this, right-click the WSEnrollmentPolicyServer application pool and select "Advanced Settings...".
Under "Identity", click the "..." button on the right-hand side.
In the following dialog, select "Custom account" and click on "Set...".
When specifying the identity in the following dialog, some special features have to be considered:
- It is mandatory to specify the domain name.
- Since a gMSA works like a computer account, a dollar sign must be appended to the account name (for example INTRA\gMSA_CEP$).
- With a gMSA, no password is specified, so the two fields must remain empty.
Restarting the Web Server service
The Web Server service is then restarted with the iisreset command so that the application pool starts under the new identity.
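The steps above, collected into one script as an added example (this is not code from the original article). It uses the names from the article (gMSA_CEP, CEP01, INTRA, intra.adcslabor.de, WSEnrollmentPolicyServer) and replaces the GUI and setspn steps with their PowerShell equivalents: the SPN is attached via the -ServicePrincipalNames parameter of New-ADServiceAccount, the group membership is set with Add-LocalGroupMember, and the application pool identity is written with Set-ItemProperty from the WebAdministration module. Part 1 runs on any machine with the Active Directory module, Part 2 on the CEP server itself in an elevated PowerShell.

```powershell
# Added example, not part of the original article. Names follow the article;
# the domain, host and pool names are assumptions to adapt to your environment.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$GmsaName   = 'gMSA_CEP'
$CepHost    = 'CEP01'                      # computer account of the CEP server
$DnsDomain  = 'intra.adcslabor.de'
$NetbiosDom = 'INTRA'
$Spn        = "HTTP/cep01.$DnsDomain"      # use the DNS alias here if clients address one
$AppPool    = 'WSEnrollmentPolicyServer'
$Member     = "$NetbiosDom\$GmsaName$"     # domain prefix and trailing $ are mandatory

# ---- Part 1: in Active Directory (needs the ActiveDirectory module) --------
Import-Module ActiveDirectory

# A gMSA can only be created once a KDS root key exists in the forest.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey first.'
}

# Same duplicate check that "setspn -S" performs: an SPN must be unique in the forest.
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($dup) { throw "SPN $Spn is already registered on $($dup.DistinguishedName)" }

# Create the gMSA; only CEP01$ may retrieve its managed password.
# Use an AD group instead of a single computer if several CEP servers share the account.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$DnsDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword "$CepHost$" `
        -ServicePrincipalNames $Spn
}

# ---- Part 2: on the CEP server --------------------------------------------
# Install the gMSA locally (retrieves the managed password) and verify it.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Test-ADServiceAccount failed for $GmsaName. Check PrincipalsAllowedToRetrieveManagedPassword; a reboot of $CepHost refreshes its Kerberos ticket."
}

# Group membership (replaces the lusrmgr.msc step); idempotent.
if (-not (Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $Member -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $Member
}

# Application pool identity (replaces the IIS Manager dialog): custom account,
# domain\name$ as user name and an empty password, because IIS fetches it from AD.
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Member
    password     = ''
}

# Restart IIS so the pool starts under the new identity, then show the result.
iisreset
(Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel).userName
```

After the restart, a client certificate request against the CEP should authenticate with Kerberos to the SPN registered above; if clients fall back to NTLM or fail to authenticate, compare the name they use in the enrollment policy URL with the SPN on the gMSA.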