How to configure AD Certificate Services to get past this WS_E_ENDPOINT_ACCESS_DENIED error?

I have followed the Microsoft test lab instructions for setting up a two-tier CA hierarchy. I have the Certificate Enrollment Policy Web Service (CEP) installed on the same machine as the issuing Certificate Authority (CA), and the Certificate Enrollment Web Service (CES) installed on a separate machine. All three of those are in the same domain: a.local. I have serverB1 in another domain, b.local, which has received a server certificate. The instructions told me to simulate a certificate renewal by running the following two commands.

1. certutil -f -policyserver * -policycache delete

Output:

Cache Directory: C:\ProgramData\Microsoft\Windows\X509Enrollment

Name: SSL-TLS Server Certificates (Default)
Id: {B85DA5F6-850F-4C44-A80C-F60747D4DD77}
Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
  Cache file exists: 48b23e1bb48a2bf09ce15b2526ef67eb32fe1251
    1662 (5730) Bytes
    Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
    LastUpdate 2/18/2022 4:36 PM
    Deleting cache entry!

Orphaned Cache file:
  Cache file exists: 83b7376cb9815a475c54a66bd64eb8bfd31d6005
    1662 (5730) Bytes
    Url: https://IssuingCA.a.local/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
    LastUpdate 2/18/2022 1:38 PM
    Deleting cache entry!

CertUtil: -PolicyCache command completed successfully.
2. certreq -machine -q -enroll -cert <thumbprint> renew (of course with the correct thumbprint substituted)

Output:
https://ces1.a.local/IssuingCA_CES_Certificate/service.svc/CES
    The certificate request could not be submitted to the certification authority.
    Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
Certificate Request Processor: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)

The Application Pool on CES is delegated to a user a\ces. The CEP was just using the default application pool identity. I tried also changing that to a\ces (and creating the corresponding SPN), but that didn't make any difference. I'm changing that back. Any ideas what is going wrong here? I'm very new to all of this. Just following instructions.

cn flag: did you configure credential delegation on CES app pool identity?

Roman (us flag): As I said, yes, the application pool on CES is delegated to a domain user account.

cn flag: my question was different: is your domain user account trusted for credential delegation?

Roman (us flag): Yes, the properties of the domain account (CES) were modified to "trust this user for delegation", "use any authentication protocol", and for the machine IssuingCA (which is also the CES server): HOST, rpcss. Thank you.
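The comments above revolve around whether the CES application pool account is correctly trusted for delegation. The following check script is an added example, not part of the question or the comments; it reads the delegation-related attributes of the account with the RSAT ActiveDirectory module. The account name a\ces and the hosts ces1.a.local and IssuingCA.a.local are taken from the question; the attribute names are the standard AD attributes behind the "Delegation" tab.

```powershell
# Added example: verify the constrained-delegation setup of the CES app pool account.
# Assumes the RSAT ActiveDirectory module and rights to read the account's attributes.
Import-Module ActiveDirectory

function Test-CesDelegation {
    param(
        [string]$CesAccount = 'ces',                # a\ces, the CES application pool identity
        [string]$CesHost    = 'ces1.a.local',       # host running the CES web service
        [string]$CaHost     = 'IssuingCA.a.local'   # issuing CA host CES forwards requests to
    )
    $findings = @()
    $acct = Get-ADUser -Identity $CesAccount -Properties servicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    # 1. The HTTP SPN for the CES host must be on the account; without it clients fall
    #    back to NTLM and no Kerberos delegation can take place.
    $expectedSpn = "HTTP/$CesHost"
    if ($acct.servicePrincipalName -notcontains $expectedSpn) {
        $findings += "Missing SPN $expectedSpn on $CesAccount"
    }

    # 2. "Use any authentication protocol" in the GUI sets TrustedToAuthForDelegation
    #    (protocol transition). "Use Kerberos only" leaves it false, which breaks
    #    clients that did not authenticate to CES with Kerberos.
    if (-not $acct.TrustedToAuthForDelegation) {
        $findings += "Protocol transition (use any authentication protocol) not enabled"
    }

    # 3. Unconstrained delegation (TrustedForDelegation) should not be needed here and
    #    is a larger exposure than the constrained list below.
    if ($acct.TrustedForDelegation) {
        $findings += "Account is trusted for unconstrained delegation; constrained is enough"
    }

    # 4. Constrained delegation targets: CES submits the request to the CA over DCOM/RPC,
    #    so the CA host's HOST and rpcss services must be in the allowed list. The GUI
    #    normally adds both the FQDN and the short-name form; the FQDN is checked here.
    foreach ($svc in 'HOST', 'rpcss') {
        $target = "$svc/$CaHost"
        if ($acct.'msDS-AllowedToDelegateTo' -notcontains $target) {
            $findings += "Missing delegation target $target"
        }
    }
    return $findings
}

Test-CesDelegation | ForEach-Object { Write-Warning $_ }
```

An empty result means the account-side delegation settings match what the comments describe; it does not cover the client side, so a remaining WS_E_ENDPOINT_ACCESS_DENIED would then point at the client's authentication to CES (for example an NTLM rather than Kerberos logon) or at the CA's own enrollment permissions.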