Configuring Delegation Settings for the Certificate Enrollment Web Service Account
Applies To: Windows Server 2008 R2
Depending on the installation options you selected for the Certificate Enrollment Web Service, you may also need to configure delegation for the Web service to submit certificate requests on behalf of domain users and computers.
If all of the following conditions are true, then you must configure delegation for the Web service account:
The certification authority (CA) and the Certificate Enrollment Web Service are installed on separate computers.
The Web service authentication type is Windows integrated authentication or client certificate authentication.
The Web service is not configured for renewal-only mode.
Domain Admins is the minimum group membership required to complete this procedure.
The Certificate Enrollment Web Service application pool can be configured to use a domain user account or a built-in account such as ApplicationPoolIdentity or Network Service. If a domain user account is specified, then complete the first step to add a service principal name (SPN) to the account object before configuring delegation.
To configure delegation
(Domain user accounts only) To add an SPN for a domain user account, at a command prompt, type setspn –s http/Host Domain\Account, where Host is the computer name of the Web server hosting the Certificate Enrollment Web Service and Domain\Account is the domain account used by the Web service application pool.
Open Active Directory Users and Computers.
In the console tree, expand the domain that contains the account used by the application pool.
If the application pool identity is Network Service, click Computers. Otherwise, click Users.
In the details pane, double-click the account, and then click the Delegation tab.
Click Trust this user for delegation to specified services only.
If the Web service authentication type is Windows integrated authentication, select the Use Kerberos only check box. If the Web service authentication type is client certificate authentication, select the Use any authentication protocol check box.
Click Add, and then click Users or Computers.
Enter the name of the computer that hosts the CA, and then click OK.
In the Available Services list, click HOST and rpcss, and then click OK. Hold down the CTRL key to select multiple items.
Click OK to save the changes.