Update 14.03.2013: added workaround information


SYMPTOMS

Consider the following scenario. You install and configure Certificate Enrollment Web Service (CES) against a Certification Authority (CA) whose name contains spaces or other characters that are not allowed unescaped in an HTTP URL. When you attempt to use the service for certificate enrollment, the following message appears:


STATUS: Failed. The endpoint address URL is invalid.

Additionally, two events are logged in the Application event log:

EventID=10000 from CertificationAuthorityClient-CertCli source:

Certificate Enrollment Server https://www.company.com/My Test CA-1_CES_Kerberos/service.svc/CES was not able to process the request: The endpoint address URL is invalid. 0x803d0020 (-2143485920)

EventID=13 from CertificateServicesClient-CertEnroll source:

Certificate enrollment for Local system failed to enroll for a OfflineOCSPResponseSigning certificate with request ID N/A from https://www.company.com/My Test CA-1_CES_Kerberos/service.svc/CES (The endpoint address URL is invalid. 0x803d0020 (-2143485920)).



CAUSE

This issue occurs because the Certificate Enrollment Web Service (CES) URL generated during setup is not percent-encoded. Spaces and other reserved characters must be percent-encoded (for example, a space becomes %20) in an HTTP URL, otherwise the WCF endpoint address is rejected as invalid.

For example, you configure CES to work with a Certification Authority (CA) named “My Test CA-1” and use Kerberos for authentication. The CES installer generates the following URL (the host name may differ):

  • https://www.company.com/My Test CA-1_CES_Kerberos/service.svc/CES

The correct (percent-encoded) URL is:

  • https://www.company.com/My%20Test%20CA-1_CES_Kerberos/service.svc/CES

STATUS

Microsoft has been informed about this issue. No fix is available. See the Workaround section for example steps to work around the issue.

RESOLUTION

No resolution available.

WORKAROUND

You can use the following PowerShell scripts to:

1) Update the URL in the IIS configuration. The caller must be a member of the local Administrators group:

# import required assemblies and modules
Add-Type -AssemblyName System.Web
Import-Module WebAdministration
# retrieve Certificate Enrollment Service applications on the server
# (the CES installer places their content under %windir%\SystemData\CES)
$Apps = Get-WebApplication | Where-Object {$_.physicalPath.StartsWith("$($env:windir)\SystemData\CES")}
if (!$Apps) {return}
# loop over each CES app
foreach ($app in $Apps) {
    # retrieve application settings. The single-argument overload resolves the virtual
    # path under the default web site, which is where the CES installer creates the application
    $webConfigStore = [Web.Configuration.WebConfigurationManager]::OpenWebConfiguration($app.path)
    # retrieve CES URL
    $url = $webConfigStore.AppSettings.Settings["uri"].Value
    # skip applications without a 'uri' setting. Inside a foreach statement 'return'
    # would exit the whole script, so 'continue' is used to move to the next application
    if (!$url) {continue}
    # encode and write back new URL to application settings. UrlPathEncode leaves an
    # already encoded URL unchanged, so the script can safely be run more than once
    $webConfigStore.AppSettings.Settings["uri"].Value = [Web.HttpUtility]::UrlPathEncode($url)
    # save changes in IIS
    $webConfigStore.Save("Modified")
}
# restart IIS service so that the updated setting is picked up
Get-Service IISADMIN | Restart-Service

2) Update the CES URL in Active Directory. The caller must be a member of Enterprise Admins or hold delegated permissions to manage the Public Key Services container:

Add-Type -AssemblyName System.Web
# Connect to Enrollment Services container in configuration naming context
$RootDSE = [ADSI]"LDAP://RootDSE"
$ConfigContext = "CN=Enrollment Services,CN=Public Key Services,CN=Services," + $RootDSE.configurationNamingContext
$adsi = [ADSI]"LDAP://$ConfigContext"
# each child is a pKIEnrollmentService object (one per CA)
$adsi.psbase.Children | ForEach-Object {
    if (!$_) {return}
    # prepare an array for new (fixed) URLs
    $entries = @()
    # enumerate all CES URLs for the current CA server. Each attribute value holds four
    # newline-separated fields: priority, authentication type, renewal-only flag and URL
    $_."msPKI-Enrollment-Servers" | ForEach-Object {
        if (!$_) {return}
        $fields = $_ -split "`n"
        # keep any value that does not follow the expected format unchanged
        if ($fields.Count -lt 4) {$entries += $_; return}
        # retrieve priority, authentication and renewal settings. They are not changed.
        $priority = $fields[0].Trim()
        $authentication = $fields[1].Trim()
        $RenewalOnly = $fields[2].Trim()
        # extract current URL (the last field)
        $url = $fields[3].Trim()
        # encode extracted URL if necessary. If no encoding is required, the URL is not changed
        $url = [Web.HttpUtility]::UrlPathEncode($url)
        # build final entry for current CES entry and add it to array
        $entries += $priority + "`n" + $authentication + "`n" + $RenewalOnly + "`n" + $url
    }
    # nothing to write back for CAs that have no CES entries
    if ($entries.Count -eq 0) {return}
    # write encoded URLs back to Active Directory
    $_."msPKI-Enrollment-Servers" = $entries
    $_.SetInfo()
}

For a manual URL change, use the steps provided in the following TechNet wiki article: Implementing Certificate Enrollment Web Services in Windows Server® 2012 that uses an Issuing CA with spaces in the name.
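Before running either script, and again afterwards, it is worth auditing the msPKI-Enrollment-Servers values without writing anything back. The following PowerShell function is an added example for this article, not part of the original workaround: it parses one attribute value in the four-line format the script above writes back, reports whether the URL still needs percent-encoding (the cause described above), and checks with System.Uri whether the stored URL is well formed. The function names, the two sample values and the second (UsernamePassword) URL are constructed for the example; the authentication codes are mapped using the MS-XCEP ClientAuthentication values (1 anonymous, 2 Kerberos, 4 user name and password, 8 client certificate), which is my reading of that specification rather than something the article states.

```powershell
# Added example (not from the original article): read-only audit of CES URLs
# stored in the msPKI-Enrollment-Servers attribute of a pKIEnrollmentService object.
Add-Type -AssemblyName System.Web

function Test-CesEnrollmentServerEntry {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Entry
    )
    # One attribute value = four newline-separated fields:
    # priority, authentication type, renewal-only flag, CES URL
    $fields = $Entry -split "`n"
    if ($fields.Count -lt 4) {
        throw "Unexpected msPKI-Enrollment-Servers value format: '$Entry'"
    }
    $url = $fields[3].Trim()
    # UrlPathEncode only touches characters that are illegal in a URL path
    # (spaces, non-ASCII); an already encoded URL comes back unchanged
    $encoded = [System.Web.HttpUtility]::UrlPathEncode($url)
    # authentication codes mapped per MS-XCEP ClientAuthentication (assumption, see lead-in)
    $authName = switch ([int]$fields[1].Trim()) {
        1       { 'Anonymous' }
        2       { 'Kerberos' }
        4       { 'UsernamePassword' }
        8       { 'ClientCertificate' }
        default { "Unknown($_)" }
    }
    [PSCustomObject]@{
        Priority       = [int]$fields[0].Trim()
        Authentication = $authName
        RenewalOnly    = ([int]$fields[2].Trim() -ne 0)
        Url            = $url
        EncodedUrl     = $encoded
        # True when the stored URL differs from its encoded form, i.e. the workaround is still needed
        NeedsFix       = ($url -ne $encoded)
        # An unescaped space makes the URL malformed, which is what CES/WCF rejects
        WellFormed     = [System.Uri]::IsWellFormedUriString($url, [System.UriKind]::Absolute)
    }
}

# Constructed sample values; live ones come from each CA object under
# CN=Enrollment Services,CN=Public Key Services,CN=Services,<configurationNamingContext>
$sampleValues = @(
    "1`n2`n0`nhttps://www.company.com/My Test CA-1_CES_Kerberos/service.svc/CES",
    "2`n4`n1`nhttps://www.company.com/My%20Test%20CA-1_CES_UsernamePassword/service.svc/CES"
)
$sampleValues |
    ForEach-Object { Test-CesEnrollmentServerEntry -Entry $_ } |
    Format-Table Priority, Authentication, RenewalOnly, NeedsFix, WellFormed, EncodedUrl -AutoSize

# To audit the live directory instead of the sample values (read-only, no SetInfo), run:
# $rootDse = [ADSI]"LDAP://RootDSE"
# $container = [ADSI]("LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services," + $rootDse.configurationNamingContext)
# $container.psbase.Children | ForEach-Object {
#     $caName = [string]$_.cn
#     $_."msPKI-Enrollment-Servers" | Where-Object { $_ } | ForEach-Object {
#         Test-CesEnrollmentServerEntry -Entry $_ |
#             Add-Member -NotePropertyName CA -NotePropertyValue $caName -PassThru
#     }
# } | Where-Object NeedsFix
```

The first sample value is reported as NeedsFix because UrlPathEncode turns its spaces into %20 and System.Uri does not consider the unescaped form well formed; the second value is already encoded and comes back unchanged. Running the commented-out live query after the Active Directory script should therefore return no rows.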


APPLIES TO

  • Windows Server 2012 (all editions)


Comments:

gomathi

Hi, I am able to set up both CES and CEP servers. I am trying to authenticate to the CEP server using Java, with a URL in the format https:///ADPolicyProvider_CEP_Kerberos/service.svc/CEP. First I get a 401 response. After that I added a Negotiate header with a Kerberos ticket, but I am getting 400 Bad Request as the response. Do you have any idea? Thanks, Gomathi S

Vadims Podans

Does your Java application/client support MS-XCEP communication protocol?

Dayapage

Hello Vadims Podans, has this issue now (August 2019) been fixed with a patch? If I am setting up CES on Server 2012 R2, does this still apply if I have a CA with spaces in its name?

