Assume the following scenario:
- A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
- The role is installed on a separate server, not on the certification authority directly.
- A user attempts to request a certificate via Certificate Authority Web Enrollment, or to submit an existing certificate request to the certification authority through it.
- The user's login to CAWE fails with HTTP code 401 "Unauthorized: Access is denied due to invalid credentials.":
You do not have permission to view this directory or page using the credentials that you supplied.
Certificate Authority Web Enrollment is a very old feature dating from the Windows 2000 era, and it was last updated with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the feature does not support certificate templates of version 3 or newer; this means that certificate templates using functions introduced with Windows Vista / Windows Server 2008 or later cannot be used. It is recommended not to use Certificate Authority Web Enrollment, and instead to request certificates via the built-in tools or the PSCertificateEnrollment PowerShell module.
Possible causes
- Most likely, incorrect credentials were entered. If an authentication dialog appeared even though Windows authentication is enabled, the CAWE URL should be added to the "Local Intranet" zone in Internet Explorer (Internet Options, Security tab), so that the browser sends the current Windows credentials automatically instead of prompting.
- A logon restriction is configured for the user account that is logging on.
Details: A logon restriction is configured for the user account that is logging on
The behavior may occur if a logon restriction is set on the user account, for example via the userWorkstations attribute (shown in Active Directory Users and Computers on the Account tab under "Log On To..."). The attribute holds a comma-separated list of NetBIOS computer names the account is allowed to log on to; if it is empty, the account may log on to all computers.
Microsoft recommends that you no longer use the attribute.
The attribute can be queried via Windows PowerShell with the following command:
Get-ADUser -Identity {account name} -Properties userWorkstations
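The following PowerShell function is an added example and not part of the original article. It reads the userWorkstations attribute of an account, splits it into the individual NetBIOS names, and reports which of a given set of computers are missing from the list. The account name "jdoe", the host names "CAWE01" and "CA01" and the domain suffix are hypothetical; which computers actually have to be listed depends on which computer performs the logon in your setup (the user's client, the CAWE server, or the CA it delegates to), so the function simply takes the names you want to check. It assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example (not from the original article): find out whether a
# userWorkstations logon restriction could explain a 401 on the CAWE server.
# Requires the ActiveDirectory module (RSAT). Host names are hypothetical.
function Test-UserWorkstationsRestriction {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Computers that should be allowed, e.g. client, CAWE server, CA.
        [Parameter(Mandatory)][string[]]$HostName
    )

    $user = Get-ADUser -Identity $Identity -Properties userWorkstations

    # An empty attribute means "all computers": no restriction in effect.
    if ([string]::IsNullOrWhiteSpace($user.userWorkstations)) {
        return [pscustomobject]@{
            Identity     = $Identity
            Restricted   = $false
            Workstations = @()
            Missing      = @()
        }
    }

    # The attribute is one comma-separated string of NetBIOS names.
    $workstations = $user.userWorkstations -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    # Reduce FQDNs to the short name; NetBIOS names are case-insensitive,
    # and PowerShell's -contains compares strings case-insensitively.
    $missing = foreach ($h in $HostName) {
        $short = ($h -split '\.')[0]
        if (-not ($workstations -contains $short)) { $short }
    }

    [pscustomobject]@{
        Identity     = $Identity
        Restricted   = $true
        Workstations = $workstations
        Missing      = @($missing)
    }
}

# Hypothetical names: the user's client, the CAWE server and the CA.
$result = Test-UserWorkstationsRestriction -Identity 'jdoe' -HostName @(
    'CLIENT01.corp.example.com',
    'CAWE01.corp.example.com',
    'CA01.corp.example.com'
)

if ($result.Restricted -and $result.Missing.Count -gt 0) {
    Write-Warning ("Account '{0}' is restricted to: {1}. Not listed: {2}." -f `
        $result.Identity,
        ($result.Workstations -join ', '),
        ($result.Missing -join ', '))
} else {
    Write-Output "No userWorkstations restriction blocks the given hosts."
}
```

If the restriction is not needed (Microsoft advises against the attribute), it can be removed with `Set-ADUser -Identity jdoe -Clear userWorkstations`; otherwise add the missing computer names to the list in Active Directory Users and Computers and retry the logon to CAWE.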
Related links:
- Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).
- Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.
- Overview of possible delegation settings for Certificate Authority Web Enrollment (CAWE)
External sources
- User workstations attribute (Microsoft)