Score:0

Trouble setting up CES and CEP PKI in a trusted forest scenario

ao flag

I have two AD domains with a two-way forest trust. I want computer accounts in DomainB to enroll for computer client auth certificates from the two-tier Windows CA in DomainA. I configured a certificate template in the issuing CA for this and gave Read and Enroll rights to the computer in DomainB.

I configured the issuing CA in DomainA for the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service according to the Microsoft documentation. CEP and CES are using Kerberos authentication with a domain service account that has an SPN and is configured for Kerberos delegation for HOST and RPCSS. The service account is a member of the IISUsers group and has Request Certificates rights on the issuing CA.

To test, I'm using Cert Manager on a DomainB Win10 computer to manually configure an Enrollment Policy using the CEP URI, but get the error, "Access was denied by the remote endpoint". However, it does complete properly if I remove the SPN and Kerberos delegation for HOST and RPCSS on the service account. The CES service account should have Kerberos delegation configured, right?

If I then try to request a new certificate for the computer in DomainB, I can see the issuing CA but it says Certificate types are not available even though the computer has Read and Enroll rights. Logging tells me nothing, other than it can see the certificate template.

Any ideas what I'm doing wrong here? This should work using Kerberos auth, right?

Score:0
la flag

I finally got it figured out. I'm listing the solution here to help others in the future.

The configuration that works is to install the CES and CEP on the CA using the app pool identity (not an AD service account with SPN and Kerberos delegation). It's not needed here because the CES and CEP are installed on the CA. It probably would be if the roles were on separate servers. The CES and CEP are both configured to use Kerberos auth. This config allows computers in DomainB to validate and use the CEP URI.

Once I configured that, computers in DomainB could connect to the CEP and see the template, but were getting a DS Referral error -- 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED) A referral was returned from the server. 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL). Enable LDAP referral support on the CA with certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS then restart the CA service and run IISRESET.
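The working configuration from the answer above, written out as a PowerShell sequence run on the issuing CA. This is an added example, not code from the original answer: the CA config string, the TLS certificate thumbprint and the hostnames are placeholders, and the ADCSDeployment cmdlets are assumed to be available (they ship with the AD CS role tools).

```powershell
# Added example: reproduce the answer's CES/CEP setup on the CA itself.
# Placeholders below must be replaced with real values for your environment.
$CaConfig      = 'ca01.domaina.example\DomainA Issuing CA'   # placeholder: "<CA host>\<CA name>"
$TlsThumbprint = '0000000000000000000000000000000000000000' # placeholder: thumbprint of the IIS TLS cert

Import-Module ADCSDeployment

# 1. CEP with Kerberos authentication. Runs under the IIS app pool identity,
#    so no AD service account, SPN or delegation is needed when CEP sits on the CA.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $TlsThumbprint -Force

# 2. CES for this CA, also Kerberos, also under the app pool identity
#    (-ApplicationPoolIdentity replaces -ServiceAccountName/-ServiceAccountPassword).
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -AuthenticationType Kerberos `
    -SSLCertThumbprint $TlsThumbprint -ApplicationPoolIdentity -Force

# 3. Allow the CA to chase LDAP referrals so that requests from DomainB computers
#    are not rejected with ERROR_DS_REFERRAL (0x8007202b).
function Enable-CaLdapReferrals {
    certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS | Out-Null

    # Registry change is only read when the CA service starts; IIS hosts CES/CEP.
    Restart-Service CertSvc
    iisreset | Out-Null

    # Verify the flag is now reported in the policy module's EditFlags.
    $flags = certutil -getreg Policy\EditFlags
    return ($flags -match 'EDITF_ENABLELDAPREFERRALS')
}

if (Enable-CaLdapReferrals) {
    Write-Host 'EDITF_ENABLELDAPREFERRALS is set on the CA.'
} else {
    Write-Warning 'EDITF_ENABLELDAPREFERRALS not found in Policy\EditFlags; check certutil output.'
}
```

After this, a DomainB computer should be able to add the CEP URI (https://<CA host>/ADPolicyProvider_CEP_Kerberos/service.svc/CEP) in certlm.msc under Kerberos authentication and see the template. If the referral flag ever needs to be removed again, the same certutil call with -EDITF_ENABLELDAPREFERRALS followed by a CertSvc restart reverses it.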

br flag
Remember that it's not recommended to install IIS on the CA.