question

0 Votes
VenkataChaitanyaRajuKonduru-4501 asked FanFan-MSFT commented

Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP)

In Microsoft PKI, while configuring the CEP and CES, we are able to choose only one option for authentication. The options available are 1) Computer Integrated Authentication (Kerberos), 2) Client Certificate Authentication, 3) Username and Password. How is it possible to choose both the Computer Integrated Authentication (Kerberos) and Username & Password options? Any help in this regard is appreciated. Thank you.

windows-server-security

0 Votes
FanFan-MSFT answered

Hi,
Actually, I tried to install the Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP) in my lab too.
I didn't find a way to select the two options (Computer Integrated Authentication (Kerberos) and Username Password) at the same time.
Best Regards,


0 Votes
VenkataChaitanyaRajuKonduru-4501 answered

90633-image-1.png




@FanFan-MSFT Thank you for the response. I'm not sure how it's possible to achieve, but the above snapshot says it's possible; I don't know how.



1 Vote
Crypt32 answered FanFan-MSFT commented

Additional CES instances (though not CEP) are installed using PowerShell: Install-AdcsEnrollmentWebService. Make sure that all instances of the CES application run under the same account, otherwise it will fail due to SPN collision.



Hi,
Was the information provided by Crypt32 helpful?
If there is any progress, please let us know.
Best Regards,

0 Votes 0 ·

Thank you @Crypt32. The link you shared was helpful. The documentation needs to be updated, as I was getting an error while performing the 2nd CES instance, saying "You cannot set this property because the application pool "WSEnrollmentServer" already exists".
I was finally able to get the second CES instance installed when I omitted "-ServiceAccountName" and "-ServiceAccountPassword" and then updated the AppPool identity in IIS to use the service account.

Note: We can create multiple instances of CEP also.

@FanFan-MSFT FYI




0 Votes 0 ·
FanFan-MSFT VenkataChaitanyaRajuKonduru-4501 ·

Good to hear that you have solved this issue.
In addition, thanks for sharing your solution here as it would be helpful to anyone who encounters similar issues.
You may accept the helpful information provided by Crypt32 as the answer to end this thread.

Best Regards,

1 Vote 1 ·
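
The steps described in this thread, written out as an added PowerShell example (not posted by any participant and not taken from Microsoft's documentation). The CA config string and certificate thumbprint are placeholders, and the `*_CES_*` filter on IIS application paths is an assumption about how the CES applications are named on the server; adjust it to what IIS Manager shows.

```powershell
#Requires -RunAsAdministrator
# Added example; values in <angle brackets> are placeholders, not from the thread.
Import-Module WebAdministration

$caConfig   = '<CA host FQDN>\<CA common name>'    # placeholder
$thumbprint = '<SSL certificate thumbprint>'       # placeholder
$poolName   = 'WSEnrollmentServer'                 # pool named in the error quoted above

# Second CES instance with username/password authentication. As reported in the
# thread, -ServiceAccountName / -ServiceAccountPassword are omitted because the
# shared application pool already exists.
Install-AdcsEnrollmentWebService -CAConfig $caConfig `
    -SSLCertThumbprint $thumbprint `
    -AuthenticationType UserName -Force

# Set the shared pool to the service account (the step done in IIS in the thread).
# identityType 3 = SpecificUser.
$cred = Get-Credential -Message 'CES service account'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Check: every CES application should sit in a pool running as the same identity.
# The '*_CES_*' path filter is an assumption about the application names.
$report = Get-WebApplication | Where-Object { $_.path -like '*_CES_*' } |
    ForEach-Object {
        $pm = Get-ItemProperty "IIS:\AppPools\$($_.applicationPool)" -Name processModel
        [pscustomobject]@{
            Application = $_.path
            AppPool     = $_.applicationPool
            Identity    = if ($pm.identityType -eq 'SpecificUser') { $pm.userName }
                          else { $pm.identityType }
        }
    }
$report | Format-Table -AutoSize

if (($report.Identity | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'CES instances run under different identities; expect SPN collisions.'
}
```

The final check covers the condition Crypt32 points out: if the report lists more than one identity, the instances are not running under the same account.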