Basics: Authentication procedures for the Internet Information Services (IIS)

The Active Directory Certificate Services offer a number of web-based add-on interfaces (Network Device Enrollment Service (NDES), Certificate Enrollment Policy Web Service (CEP), Certificate Enrollment Web Service (CES), Certification Authority Web Enrollment (CAWE)).

The Microsoft Internet Information Services (IIS) are thus almost indispensable for a Microsoft PKI. Each of the web-based interfaces (and any in-house development as well) brings its own challenges in terms of the authentication procedures it supports and how they are implemented.

The following article aims to bring some clarity to the topic.

Continue reading „Basics: Authentication Procedures for the Internet Information Services (IIS)“

Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft is attempting to close a vulnerability in Active Directory's certificate-based logon (commonly known as PKINIT or smartcard logon).

The update changes both the behavior of the Certification Authority as well as the behavior of Active Directory when processing certificate-based logins.

Continue reading „Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)“

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED".

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:
A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading „Requesting a certificate via the Certificate Enrollment Web Service (CES) fails with error code „WS_E_ENDPOINT_FAULT_RECEIVED““

Basics and Risk Assessment: Delegation Settings

Delegation is required whenever there is an intermediary between the user and the actual service. In the case of Certification Authority Web Enrollment, this applies when the role is installed on a separate server: it then acts as an intermediary between the requester and the certification authority.

Continue reading „Basics and Risk Assessment: Delegation Settings“

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 401 "Unauthorized: Access is denied due to invalid credentials."

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The user's login to CAWE fails with HTTP code 401 "Unauthorized: Access is denied due to invalid credentials.":
You do not have permission to view this directory or page using the credentials that you supplied.
Continue reading „Requesting a certificate via Certification Authority Web Enrollment (CAWE) fails with HTTP error code 401 „Unauthorized: Access is denied due to invalid credentials.““

Performing a functional test for Certification Authority Web Enrollment (CAWE)

After installing and configuring Certificate Authority Web Enrollment (CAWE), it is essential to test the component extensively before releasing it to users. Below are instructions for a detailed functional test.

Continue reading „Performing a functional test for Certification Authority Web Enrollment (CAWE)“

Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.

The following describes how to set up Certificate Authority Web Enrollment (CAWE) so that the service runs under a domain account.

Continue reading „Configuring Certification Authority Web Enrollment (CAWE) for use with a domain account“

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "ERROR_ACCESS_DENIED".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Continue reading „Requesting a certificate via Certification Authority Web Enrollment (CAWE) fails with error code „ERROR_ACCESS_DENIED““

Windows security permissions required for Certificate Authority Web Enrollment (CAWE)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact Certificate Authority Web Enrollment (CAWE).

Continue reading „Windows security permissions required for Certification Authority Web Enrollment (CAWE)“

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Continue reading „Requesting a certificate via Certification Authority Web Enrollment (CAWE) fails with error code „RPC_S_SERVER_UNAVAILABLE““