Certificate Enrollment Web Services primers

From http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-policy-web-services-in-active-directory-certificate-services-ad-cs.aspx

Starting in Windows Server 2008 R2, there is an enrollment protocol that is based on WS-Trust and contains two new role services.
These services use HTTP-based messaging over a TLS-encrypted transport and they do not depend solely on the Kerberos protocol for authentication.
[Note: Using this for enrollment requires Windows 7 or Windows 2008 R2 clients.]

The role services are called:

  • Certificate Enrollment Policy Web Service (the policy service)
  • Certificate Enrollment Web Service (the enrollment service)

 ....

Windows Client Enrollment – Policy Server Load Balancing

For Group Policy configured policy settings, you can configure two servers (URLs) as part of the same policy. As a result, both policy server URLs will be functionally equivalent. The client then selects one URL to use, based upon the following rules:

Note: To configure the load balancing behavior described below, Group Policy configured settings must be used. User configured policies do not enable multiple URLs to be configured as part of the same policy.

  1. The URI whose policy has been cached from a previous request and whose next update time is the latest is most preferred.
  2. If two URIs have the same next update time, then:
    1. The URI with the lower value in the “Cost” registry entry is preferred. By default, all costs are equal.
    2. If two costs are equal, then:
      i. The URI is selected based on authentication type, in the following order: Kerberos, Anonymous, Username/Password cached in the vault or Client Auth Certificate cached in the vault, Username/Password or Client Auth Certificate.
      ii. If all properties are equal, then a URI is randomly selected.

Windows Client Enrollment – Enrollment Server Load Balancing

Once a policy server is selected there may be multiple enrollment servers to choose from. The client will pick an enrollment server as follows:

  1. The URI of the enrollment server with the lowest priority number, as defined in the enrollment policy, is preferred. If two enrollment servers have the same priority, then:
    1. The URI with the following authentication type is preferred, in order: Kerberos, Anonymous, Username/Password cached in the vault or Client Auth Certificate cached in the vault, Username/Password or Client Auth Certificate.
    2. If all properties are equal, then a URI is randomly selected.
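The two ordering rules above (policy server selection and enrollment server selection) share the same authentication-type tie-breaker, so the following added example models both in one script. This is illustrative code, not Microsoft's client implementation: the object property names (NextUpdate, Cost, AuthType, Priority), the authentication-type labels and the sample URIs are all constructed for the example.

```powershell
# Added example, not code from the article or from Windows: a model of the two
# client-side ordering rules above. Object property names (NextUpdate, Cost,
# AuthType, Priority) and the sample URIs are constructed for illustration.

# Authentication types ranked in the order the article gives; lower is preferred.
$AuthRank = @{
    'Kerberos'               = 0
    'Anonymous'              = 1
    'UsernamePasswordCached' = 2   # username/password cached in the vault
    'ClientCertCached'       = 2   # client auth certificate cached in the vault
    'UsernamePassword'       = 3
    'ClientCert'             = 3
}

function Select-PolicyServerUri {
    # Latest cached next-update time, then lowest Cost, then auth type, then random.
    param([Parameter(Mandatory)][object[]]$Candidates)

    $ordered = @($Candidates | Sort-Object @{ Expression = 'NextUpdate'; Descending = $true },
                                          @{ Expression = 'Cost' },
                                          @{ Expression = { $AuthRank[$_.AuthType] } })
    $best = $ordered[0]
    # Every candidate tied with the best one on all three keys is an equal choice.
    $ties = @($ordered | Where-Object {
        $_.NextUpdate -eq $best.NextUpdate -and
        $_.Cost -eq $best.Cost -and
        $AuthRank[$_.AuthType] -eq $AuthRank[$best.AuthType]
    })
    return ($ties | Get-Random)
}

function Select-EnrollmentServerUri {
    # Lowest Priority number from the enrollment policy, then auth type, then random.
    param([Parameter(Mandatory)][object[]]$Candidates)

    $ordered = @($Candidates | Sort-Object @{ Expression = 'Priority' },
                                          @{ Expression = { $AuthRank[$_.AuthType] } })
    $best = $ordered[0]
    $ties = @($ordered | Where-Object {
        $_.Priority -eq $best.Priority -and
        $AuthRank[$_.AuthType] -eq $AuthRank[$best.AuthType]
    })
    return ($ties | Get-Random)
}

# Constructed sample data: two policy server URIs from one Group Policy entry.
$DefaultCost = 0x7ffffffd   # default Cost stated in the article
$policyServers = @(
    [pscustomobject]@{ Uri = 'https://cep1.example.test/CEP'; NextUpdate = (Get-Date '2024-01-10');
                       Cost = $DefaultCost; AuthType = 'Kerberos' }
    [pscustomobject]@{ Uri = 'https://cep2.example.test/CEP'; NextUpdate = (Get-Date '2024-01-10');
                       Cost = 1;            AuthType = 'Kerberos' }
)
# Same next update time, so Cost decides: cep2 (Cost 1) is chosen.
(Select-PolicyServerUri $policyServers).Uri

# Constructed sample data: two enrollment servers with equal priority.
$enrollmentServers = @(
    [pscustomobject]@{ Uri = 'https://ces1.example.test/CES'; Priority = 1; AuthType = 'UsernamePassword' }
    [pscustomobject]@{ Uri = 'https://ces2.example.test/CES'; Priority = 1; AuthType = 'Kerberos' }
)
# Equal Priority, so authentication type decides: ces2 (Kerberos) is chosen.
(Select-EnrollmentServerUri $enrollmentServers).Uri
```

The random step only runs among candidates that are tied on every earlier key, which is why the script filters to the ties before calling Get-Random rather than shuffling the whole list.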

....

Change the Cost settings

  • To change the order in which the client will try different policy servers (Enrollment Policy URIs) within the same policy, update the “Cost” registry DWORD.
    The default value is 0x7ffffffd; a lower value (such as 1) will cause the client to use that policy URI first.
  • The “Cost” registry key is found in the following locations:
    • For Group Policy configured policy server settings (listed under “Configured by your administrator” in the Certificate Enrollment wizard):
      • For user certificate policy: HKCU\Software\Policies\Microsoft\Cryptography\PolicyServers
      • For machine certificate policy: HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers
    • For user configured policy server settings (listed under “Configured by you” in the Certificate Enrollment wizard):
      • For user certificate policy: HKCU\Software\Microsoft\Cryptography\PolicyServers
      • For machine certificate policy: HKLM\SOFTWARE\Microsoft\Cryptography\PolicyServers
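As an added example (not from the article), the script below reads the Cost of every policy server entry under the four registry locations listed above and changes the Cost of one entry. Only the key paths, the “Cost” value name and the default 0x7ffffffd come from the article; the assumption that each policy server is stored as its own subkey holding a URL value is mine, so check the layout on a real client before relying on it.

```powershell
# Added example, not code from the article: inspect and change the "Cost" value of
# policy server entries. Key paths, the "Cost" value name and the default come from
# the article; the one-subkey-per-server layout and the "URL" value name are assumed.

$PolicyServerKeys = @(
    # Group Policy configured ("Configured by your administrator")
    'HKCU:\Software\Policies\Microsoft\Cryptography\PolicyServers'
    'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
    # User configured ("Configured by you")
    'HKCU:\Software\Microsoft\Cryptography\PolicyServers'
    'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers'
)
$DefaultCost = 0x7ffffffd   # default stated in the article: all costs equal

function Get-PolicyServerCost {
    # Report each policy server entry with its URL and effective Cost.
    foreach ($key in $PolicyServerKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $props = Get-ItemProperty -Path $entry.PSPath
            [pscustomobject]@{
                Key  = $key
                Name = $entry.PSChildName
                URL  = $props.URL                       # assumed value name
                Cost = $(if ($null -ne $props.Cost) { $props.Cost } else { $DefaultCost })
            }
        }
    }
}

function Set-PolicyServerCost {
    # Set Cost for the entry (or entries) whose URL matches; a lower Cost is tried first.
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][ValidateRange(0, 0x7fffffff)][int]$Cost
    )
    $targets = @(Get-PolicyServerCost | Where-Object { $_.URL -eq $Url })
    if ($targets.Count -eq 0) { throw "No policy server entry found for $Url" }
    foreach ($t in $targets) {
        Set-ItemProperty -Path (Join-Path -Path $t.Key -ChildPath $t.Name) `
                         -Name 'Cost' -Value $Cost -Type DWord
    }
}

# Usage: list current costs, then (uncomment) prefer one policy URI. Placeholder URL.
Get-PolicyServerCost | Format-Table -AutoSize
# Set-PolicyServerCost -Url 'https://cep1.example.test/CEP' -Cost 1
```

Writing to the HKLM hives needs administrative rights, and values under the Policies keys are owned by Group Policy, so a manual change there is overwritten at the next policy refresh; the durable place to set Cost for administrator-configured servers is the Group Policy object itself.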