Cross-Forest Certificate Enrollment
using Certificate Enrollment Web
Services
Example Configuration
DNS name resolution
between forests is required
GPO
URI CEP1
LDAP
RPC/DCOM
HTTPS
Certificate
HTTPS
Certificate Templates
with CES URI
2
Cross-Forest Requirements
0 HTTPS access between the forests
0 DNS name resolution between the forests
0 Certificate clients must trust root certification authority (CA). Part of
typically setup in home forest, but not in foreign forest.
0 Enterprise CA
0 Appropriately configured and issued Certificate Templates
0 CES user account needs read permission to CA
0 CES user account need to be member of IIS_USRS
0 User credentials to obtain a certificate
0 Certificate could be manually transferred to other forest and used for
authentication between forests
0 Certificate Enrollment Web Service, which also requires SSL cert
0 Certificate Enrollment Policy Web Service, which also requires SSL cert
0 URI of the Certificate Enrollment Policy Web Service application –
distributed in Group Policy Object (GPO), added to local policy, or manually
entered
0 If using renewal-only mode, then you need to run command Certutil config "APP1.corp.contoso.com\IssuingCA-APP1" -setreg
3
policy\EditFlags +EDITF_ENABLERENEWONBEHALFOF on CA
Key-based Renewal
Additional Requirements
0 Windows Server 2012
0 Certification authority
0 Certificate Enrollment Policy Web Service
0 Certificate Enrollment Web Service
0 Windows 8 or Windows Server 2012 certificate clients
0 Certificate Enrollment Policy Web Service configured
for key-based renewal
0 Certificate templates issued that are configured to allow
key-based renewal
4
Key-Based Renewal
0 Specific Certificate Template Requirements
5
Certificate Enrollment Policy Web Service Installation
Install-AdcsEnrollmentPolicyWebService
-AuthenticationType <type>
-KeyBasedRenewal
-SSLCertThumbprint <thumbprint>
(dir -dnsname <dnscomputername>).Thumbprint
In key-based renewal mode, the policy server URIs will show
only the key-based renewal enabled templates
The Windows PowerShell
cmdlet must be used when you
want to deploy multiple
enrollment policy virtual
applications on the same
server.
AD CS Deployment Cmdlets in
Windows PowerShell
6
Certificate Enrollment Web Service Installation
0 Install-AdcsEnrollmentWebService
0 -CAConfig “<config>"
0 -SSLCertThumbprint <thumbprint>
0 (dir -dnsname <dnscomputername>).Thumbprint
0 -AuthenticationType <type> (Username, Certificate, Kerberos)
0 -RenewalOnly (only for renewal only mode)
0 -AllowKeyBasedRenewal (only for key-based renewal)
The Windows PowerShell
cmdlet must be used when you
want to deploy multiple
enrollment policy virtual
applications on the same
server.
AD CS Deployment Cmdlets
in Windows PowerShell
7
Testing Key-Based Renewal
From the certificate client run these command from
Windows PowerShell:
0 Cd Cert:\LocalMachine\My
0 Dir | format-list
0 certutil -f –policyserver * -policycache delete
0 certreq -machine -q -enroll -cert <thumbprint> renew
0 Dir | format-list
0 Is there a new thumbprint? If yes, success!
8
Registry Locations for Policy
Servers on the Client
0 HKEY_LOCAL_MACHINE\SOFTWARE
0 \Policies\Microsoft\Crytography\PolicyServers for enrollment policies shown as
Configured by your administrator
0 \Microsoft\Crytography\PolicyServers for enrollment policies listed as
Configured by you
9
Troubleshooting
0 CA invalid or incorrect
1/6
0 Add root CA to Trusted Roots
10
Troubleshooting 2/6
0 Cannot see certificate
templates from client
0 Things to check
0 Template is issued 
0 Connectivity
0 https
0 DNS can resolve URI
0 Certificate type: are you requesting
the right type?
0 User
0 Service
0 Computer
0 Template Settings
0 Read permissions
0 Enroll permissions
0 Ensure that you are not trying key-
based renewal URI expecting a
template that is not configured for
key-based renewal
0 Compatibility tab (more later)
11
Troubleshooting 3/6
0 Validate Server
• Error: This ID conflicts with
an existing ID
• Resolution: Change
Application Settings ID of one
of the conflicting virtual
applications
12
Troubleshooting 4/6
0 Issuing CA is running Windows Server 2012
0 Issuing CA name has spaces
0 Problem: Creates a Certificate Enrollment Web Services URL
with spaces instead of %20 (see error below)
0 Detailed workaround Implementing Certificate Enrollment
Web Services in Windows Server® 2012 that uses an Issuing
CA with spaces in the name
13
Troubleshooting 5/6
0 The Compatibilities tab is
supposed to make life
easier for the
administrator – it disables
settings that don’t work for
specified CAs or clients.
0 One issue is that when
Windows Server 2012 CA
is selected, then Windows
7 and Windows Server
2008 R2 clients don’t see
the template. Resolution,
set CA to Windows Server
2008 R2 in order to service
those clients.
14
Troubleshooting 6/6
0 When you make changes to your configuration
0 Restart IIS (iireset)
0 Certificate Enrollment Web Services server
0 Certificate Enrollment Policy Services server
0 Delete client policy enrollment server cache
 Certutil -f -policyserver * -policycache delete
0 May have to clear registry locations on client
0 May have to update URIs in Group Policy
0 Ensure that your CRL is up-to-date certutil -crl
15
Additional Information Links
0 Certificate Enrollment Web Services in Active
Directory Certificate Services
0 AskDS Blog: Certificate Enrollment Web Services
0 Test Lab Guide: Deploying an AD CS Two-Tier PKI
Hierarchy
0 Test Lab Guide: Demonstrating Certificate Key-Based
Renewal
0 Test Lab Guide Mini-Module: Cross-Forest Certificate
Enrollment using Certificate Enrollment Web Services
16