Installing certificate enrollment web services
The following procedures walk you through the installation and configuration of the required components. If Certificate Autoenrollment is already configured for Windows hosts in your environment, you can skip to Using Certificate Autoenrollment.
To perform these procedures, you need Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy.
NOTE: Microsoft has documented all of the steps to install and configure Certificate Enrollment Web Services.
Certificate Enrollment Web Services are now installed. Next, you will configure policy settings to enable Certificate Autoenrollment.
Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy
If you are using Group Policy, you must configure the Certificate Enrollment Policy Web Service group policy setting to provide the location of the web service to domain members. Otherwise, you must manually configure the server URL on each system as explained in Using Certificate Autoenrollment.
To configure certificate enrollment policy
1. On the web server that hosts the Certificate Enrollment Policy Web Service, open Server Manager.
2. In the console tree, expand Roles, then expand Web Server (IIS).
3. Click Internet Information Services (IIS) Manager.
4. In the console tree, expand Sites, and click the web service application that begins with ADPolicyProvider_CEP.
   NOTE: The name of the application is ADPolicyProvider_CEP_AuthenticationType, where AuthenticationType is the web service authentication type.
5. Under ASP.NET, double-click Application Settings.
6. Double-click URI, and copy the URI value.
7. Click Start, type gpmc.msc in the Search programs and files box, and press Enter.
8. In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.
9. Right-click the policy that you want to edit, then click Edit.
10. In the console tree, navigate to User Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.
11. Double-click Certificate Services Client - Certificate Enrollment Policy.
12. Click Add to open the Certificate Enrollment Policy Server dialog.
13. In the Enter enrollment policy server URI box, type or paste the certificate enrollment policy server URI obtained earlier.
14. In the Authentication type list, select the authentication type required by the enrollment policy server (Kerberos).
15. Click Validate, and review the messages in the Certificate enrollment policy server properties area.
16. Click Add.
    The Add button is available only when the enrollment policy server URI and authentication type are valid.
17. In the Group Policy Object Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.
18. Repeat steps 11-16 for machine configuration.
Configuring Certificate Services Client - Auto-Enrollment Group Policy
If you are using Group Policy, you must enable Certificate Autoenrollment in Group Policy; otherwise, Group Policy may disable it. If you are not using Group Policy, Certificate Autoenrollment is enabled on each host by default.
To enable Certificate Autoenrollment using Group Policy
1. On a domain controller running Windows Server 2008 R2, open the Start menu and navigate to Administrative Tools > Group Policy Management.
2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Group Policy Object (GPO) that you want to edit.
3. Right-click the GPO, and click Edit.
4. In the Group Policy Object Editor, navigate to User Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.
5. Double-click Certificate Services Client - Auto-Enrollment.
6. Next to Configuration Model, select Enabled from the drop-down list to enable autoenrollment.
7. Click OK to accept your changes.
8. In the Group Policy Object Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.
9. Repeat steps 5-7 for machine configuration.
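Once both Group Policy settings above (the Certificate Enrollment Policy server and Certificate Services Client - Auto-Enrollment) have been linked and refreshed, it is worth confirming on a domain member that they actually arrived and that the policy server is reachable before expecting certificates to appear. The following PowerShell script is an added example and not part of the original guide or its product. It assumes Windows 8 / Windows Server 2012 or later, where the PKIClient module ships, an elevated session on the domain member, and that the Auto-Enrollment GPO is stored as the AEPolicy value under the Cryptography\AutoEnrollment policy key (the 0x8000 bit being the Windows SDK AUTO_ENROLLMENT_DISABLE_ALL flag).

```powershell
# Added example, not part of the original guide: verify on a domain member that the
# enrollment policy server and autoenrollment settings delivered by Group Policy
# reached the client. Assumes the PKIClient module (Windows 8 / Server 2012+) and an
# elevated session. Output is informational only; nothing is changed.

Import-Module PKIClient -ErrorAction Stop

# --- 1. Certificate Enrollment Policy servers delivered by Group Policy -----------
foreach ($ctx in 'Machine', 'User') {
    Write-Host "== Enrollment policy servers applied to the $ctx context =="
    $servers = Get-CertificateEnrollmentPolicyServer -Scope Applied -Context $ctx
    if (-not $servers) {
        Write-Warning "No enrollment policy server applied for $ctx. Check GPO links/scope, then run: gpupdate /force"
        continue
    }
    foreach ($s in $servers) {
        $s | Format-List *    # shows Url, authentication type and the related settings entered in the GPO dialog
        # Contact the CEP web service the way the autoenrollment client will.
        # A failure here is typically a TLS trust or Kerberos (SPN) problem on the web server.
        try {
            Test-CertificateEnrollmentPolicyServer -Url $s.Url -Context $ctx -ErrorAction Stop | Out-Null
            Write-Host "  $($s.Url) : reachable"
        } catch {
            Write-Warning "  $($s.Url) : NOT reachable ($($_.Exception.Message))"
        }
    }
}

# --- 2. Certificate Services Client - Auto-Enrollment state -----------------------
# The GPO writes AEPolicy under the Cryptography\AutoEnrollment policy key (HKLM for
# Computer Configuration, HKCU for User Configuration). Bit 0x8000 set means the
# policy explicitly disables autoenrollment; an absent value means Not Configured.
$AE_DISABLE_ALL = 0x8000
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae  = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $ae) {
        Write-Host "$hive : AEPolicy not set (Not Configured; the host default applies)"
    } elseif ($ae.AEPolicy -band $AE_DISABLE_ALL) {
        Write-Warning ("$hive : autoenrollment DISABLED by policy (AEPolicy=0x{0:X})" -f $ae.AEPolicy)
    } else {
        Write-Host ("$hive : autoenrollment enabled (AEPolicy=0x{0:X})" -f $ae.AEPolicy)
    }
}

# --- 3. Kick the autoenrollment client now instead of waiting for its scheduled run --
# certutil -pulse signals the client-side autoenrollment task to start immediately.
certutil -pulse | Out-Null
```

If step 1 reports no applied server for one context but the GPO is linked, the usual cause is that the setting was configured under only one of User Configuration and Computer Configuration; the procedures above deliberately repeat the steps for both.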
Configuring Certificate Templates for autoenrollment
Certificate enrollment is based on templates, which define the properties of the certificates that the Certificate Authority (CA) issues when clients request them.
To create a new certificate template
1. On the server hosting your Enterprise CA, click Start, select Administrative Tools, and click Certification Authority.
2. In the console tree, expand the CA root node, select Certificate Templates, and click Manage.
3. In the Certificate Templates console, select the template that you would like to enable for autoenrollment, or create a new template.
4. Double-click the template to open its properties and select the Security tab.
5. Add the users and machines that you want to automatically enroll for the certificate and select the Autoenroll permission option.
6. Click Apply.
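Because Autoenroll on a template is what turns an automatic issuance on for every principal granted it, it is good practice to review the template's permissions after editing the Security tab, rather than trusting the dialog alone. The following PowerShell function is an added example and not part of the original guide or its product: it reads the template's ACL from the Configuration partition of Active Directory and lists every principal holding Enroll, Autoenroll, or outright control of the template object. It assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the template name shown is a placeholder.

```powershell
# Added example, not part of the original guide: list who holds Enroll / Autoenroll
# (or control rights that allow granting them) on a certificate template, by reading
# the template's DACL from CN=Certificate Templates in the Configuration partition.
# Assumes the ActiveDirectory module (RSAT); the template name below is a placeholder.

Import-Module ActiveDirectory -ErrorAction Stop

# Schema-defined extended-right GUIDs for the two enrollment permissions.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-TemplateEnrollmentAcl {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Templates are stored under their internal name (cn), which can differ from the
    # display name shown in the Certificate Templates console, so match on either.
    $tmpl = Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(|(cn=$TemplateName)(displayName=$TemplateName)))"
    if (-not $tmpl) { throw "Template '$TemplateName' not found under $container" }

    # The AD: drive (created when the ActiveDirectory module loads) lets Get-Acl read the DACL.
    $acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $right = $null
        if ($ace.ObjectType -eq $EnrollRight) {
            $right = 'Enroll'
        } elseif ($ace.ObjectType -eq $AutoEnrollRight) {
            $right = 'Autoenroll'
        } elseif ($ace.ObjectType -eq [guid]::Empty -and $ace.ActiveDirectoryRights -match 'ExtendedRight') {
            # An ExtendedRight ACE with no object type covers every extended right, enrollment included.
            $right = 'Enroll+Autoenroll (all extended rights)'
        } elseif ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') {
            # Not an enrollment permission as such, but whoever holds it can grant one.
            $right = "Control ($($ace.ActiveDirectoryRights))"
        }
        if (-not $right) { continue }

        [pscustomobject]@{
            Template  = $tmpl.Name
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

# PLACEHOLDER: replace with the template you enabled for autoenrollment in the steps above.
Get-TemplateEnrollmentAcl -TemplateName 'PLACEHOLDER_TemplateName' |
    Sort-Object Right, Principal | Format-Table -AutoSize
```

The principals listed with Autoenroll should be exactly the users and machines added in step 5; any broad group (for example Authenticated Users or Domain Computers) appearing there means every member of that group will be issued the certificate automatically once the template is published on the CA.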