Sam 27.05.2020 10:07 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 2)

Hi Vadims

How is load handled on your CA during enrollment/reenrollment? So if you have, say, 1000 machines needing a new certificate, and they all log on within, say, the standard 20-minute window first up, will they all try to enroll at the same time? We have had some issues with this in our environment, with RPC on the CA being unresponsive, and I was wondering if there was a way to stagger it.

Remigiusz 26.05.2020 13:33 (GMT+3) Certificate Rules may not work in Software Restriction Policies

Certificate rules are not enabled by default.

See "Enabling certificate rules" in

Kind regards,


Vadims Podāns 19.05.2020 00:03 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

@Daniel Benway

Use credential roaming for such scenarios.

Daniel Benway 18.05.2020 21:48 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)


Thank you for all your hard work over the years!

Here is a scenario: a user template is duplicated and issued to a CA for autoenrollment, it is set to publish the user certs in AD, and it does not allow reenrollment if a duplicate cert exists in AD. Roaming user profiles have always been disabled. When a new user logs into a workstation, the user is autoenrolled for a new user cert, the cert gets published into the userCertificate attribute of that user's account in AD, but the private key for that cert stays in the user's local profile on that workstation. When the user logs onto a different workstation, autoenrollment does not create a new cert because the user already has a cert in AD, but the user doesn't have access to the private key associated with that cert because the private key is only on the first workstation and roaming profiles are disabled. What is the solution to this?

Felix Wagner 17.05.2020 22:06 (GMT+3) Add multiple Certificate Enrollment Service instances

Hello Vadims,

First of all, I'd like to say thank you very much for all your wonderful posts! They have helped me a lot in the past three months in setting up our new PKI.

But now I am struggling with this CES and CEP deployment with Kerberos Authentication. So it is very interesting to read this.

I have found out that I did need to enable Kernel-Mode Authentication in IIS on both CES and CEP to make it work, that is, to make it work on a server where the CA is placed. But I am unsure if this is considered secure. Do you have any thoughts on this?

What I have done is:
* Set SPNs for each CEP and CES instance on their own via a CNAME (found this hint after Server Manager got broken)
* Created a service user -> Like to test it later with this MSU
* Added user to IIS_USR Group on both machines
* Set delegation from the service user to the CA server
* Enabled this IIS Kernel-mode authentication
* Set up a GPO to enable the service user to "Allow log on locally", "Impersonate a client after authentication", "Log on as batch job", "Log on as service" and, to make everything sure, "Obtain an impersonation token for another user in the same session"

But I face an issue if I place CES on another server. I always get Response Code 500 thrown. I am not sure how to track it down and find better logs than those IIS "Failed Request Tracing Rules". Any hint you can give me to look further into where this Authentication Error comes from?

Thank you very much!