Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services Example Configuration DNS name resolution between forests is required GPO URI CEP1 LDAP RPC/DCOM HTTPS Certificate HTTPS Certificate Templates with CES URI 2 Cross-Forest Requirements 0 HTTPS access between the forests 0 DNS name resolution between the forests 0 Certificate clients must trust root certification authority (CA). Part of typically setup in home forest, but not in foreign forest. 0 Enterprise CA 0 Appropriately configured and issued Certificate Templates 0 CES user account needs read permission to CA 0 CES user account need to be member of IIS_USRS 0 User credentials to obtain a certificate 0 Certificate could be manually transferred to other forest and used for authentication between forests 0 Certificate Enrollment Web Service, which also requires SSL cert 0 Certificate Enrollment Policy Web Service, which also requires SSL cert 0 URI of the Certificate Enrollment Policy Web Service application – distributed in Group Policy Object (GPO), added to local policy, or manually entered 0 If using renewal-only mode, then you need to run command Certutil config "APP1.corp.contoso.com\IssuingCA-APP1" -setreg 3 policy\EditFlags +EDITF_ENABLERENEWONBEHALFOF on CA Key-based Renewal Additional Requirements 0 Windows Server 2012 0 Certification authority 0 Certificate Enrollment Policy Web Service 0 Certificate Enrollment Web Service 0 Windows 8 or Windows Server 2012 certificate clients 0 Certificate Enrollment Policy Web Service configured for key-based renewal 0 Certificate templates issued that are configured to allow key-based renewal 4 Key-Based Renewal 0 Specific Certificate Template Requirements 5 Certificate Enrollment Policy Web Service Installation Install-AdcsEnrollmentPolicyWebService -AuthenticationType <type> -KeyBasedRenewal -SSLCertThumbprint <thumbprint> (dir -dnsname <dnscomputername>).Thumbprint In key-based renewal mode, the policy server URIs will show only the key-based renewal enabled templates The Windows PowerShell cmdlet must be used when you want to deploy multiple enrollment policy virtual applications on the same server. AD CS Deployment Cmdlets in Windows PowerShell 6 Certificate Enrollment Web Service Installation 0 Install-AdcsEnrollmentWebService 0 -CAConfig “<config>" 0 -SSLCertThumbprint <thumbprint> 0 (dir -dnsname <dnscomputername>).Thumbprint 0 -AuthenticationType <type> (Username, Certificate, Kerberos) 0 -RenewalOnly (only for renewal only mode) 0 -AllowKeyBasedRenewal (only for key-based renewal) The Windows PowerShell cmdlet must be used when you want to deploy multiple enrollment policy virtual applications on the same server. AD CS Deployment Cmdlets in Windows PowerShell 7 Testing Key-Based Renewal From the certificate client run these command from Windows PowerShell: 0 Cd Cert:\LocalMachine\My 0 Dir | format-list 0 certutil -f –policyserver * -policycache delete 0 certreq -machine -q -enroll -cert <thumbprint> renew 0 Dir | format-list 0 Is there a new thumbprint? If yes, success! 8 Registry Locations for Policy Servers on the Client 0 HKEY_LOCAL_MACHINE\SOFTWARE 0 \Policies\Microsoft\Crytography\PolicyServers for enrollment policies shown as Configured by your administrator 0 \Microsoft\Crytography\PolicyServers for enrollment policies listed as Configured by you 9 Troubleshooting 0 CA invalid or incorrect 1/6 0 Add root CA to Trusted Roots 10 Troubleshooting 2/6 0 Cannot see certificate templates from client 0 Things to check 0 Template is issued 0 Connectivity 0 https 0 DNS can resolve URI 0 Certificate type: are you requesting the right type? 0 User 0 Service 0 Computer 0 Template Settings 0 Read permissions 0 Enroll permissions 0 Ensure that you are not trying key- based renewal URI expecting a template that is not configured for key-based renewal 0 Compatibility tab (more later) 11 Troubleshooting 3/6 0 Validate Server • Error: This ID conflicts with an existing ID • Resolution: Change Application Settings ID of one of the conflicting virtual applications 12 Troubleshooting 4/6 0 Issuing CA is running Windows Server 2012 0 Issuing CA name has spaces 0 Problem: Creates a Certificate Enrollment Web Services URL with spaces instead of %20 (see error below) 0 Detailed workaround Implementing Certificate Enrollment Web Services in Windows Server® 2012 that uses an Issuing CA with spaces in the name 13 Troubleshooting 5/6 0 The Compatibilities tab is supposed to make life easier for the administrator – it disables settings that don’t work for specified CAs or clients. 0 One issue is that when Windows Server 2012 CA is selected, then Windows 7 and Windows Server 2008 R2 clients don’t see the template. Resolution, set CA to Windows Server 2008 R2 in order to service those clients. 14 Troubleshooting 6/6 0 When you make changes to your configuration 0 Restart IIS (iireset) 0 Certificate Enrollment Web Services server 0 Certificate Enrollment Policy Services server 0 Delete client policy enrollment server cache Certutil -f -policyserver * -policycache delete 0 May have to clear registry locations on client 0 May have to update URIs in Group Policy 0 Ensure that your CRL is up-to-date certutil -crl 15 Additional Information Links 0 Certificate Enrollment Web Services in Active Directory Certificate Services 0 AskDS Blog: Certificate Enrollment Web Services 0 Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy 0 Test Lab Guide: Demonstrating Certificate Key-Based Renewal 0 Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services 16