Have you ever had trouble installing the Active Directory Certificate Services Web Enrollment role service on a server that is separate from the Certification Authority?
If you have installed the AD CS Web Enrollment role service on a server separate from your CA, only to have the Web Enrollment pages report that the target CA is offline while the CA is clearly running, the cause is usually missing Kerberos delegation: the Web Enrollment server’s computer account must be allowed to delegate to specific services on the CA before Web Enrollment will work.
When installing the ‘Certification Authority Web Enrollment’ role service on a server that is NOT also the Certification Authority, additional configuration is required before it will function.
Web Enrollment runs in IIS and contacts the CA over DCOM on behalf of the user who authenticated to the website. For that to work across two machines, the AD computer object of the server hosting the ‘Certification Authority Web Enrollment’ role service must be configured for Kerberos constrained delegation to the CA it is mapped to. This is done on the Delegation tab of the computer object in the ‘Active Directory Users and Computers’ snap-in.
Two service delegations must be granted to the Web Enrollment server’s computer object. This is a straightforward process, which the rest of this section walks through.
Right-click the Web Enrollment server’s computer object in the ‘Active Directory Users and Computers’ snap-in, open Properties, and select the Delegation tab.
Select ‘Trust this computer for delegation to specified services only,’ then select ‘Use any authentication protocol,’ then press the ‘Add…’ button. ‘Use any authentication protocol’ enables Kerberos protocol transition, which is needed because browser clients may authenticate to the Web Enrollment site with NTLM rather than Kerberos. Be aware of what this grants: the Web Enrollment server’s computer account can now obtain service tickets to the delegated CA services as any user who is not marked ‘sensitive and cannot be delegated’ or a member of Protected Users, so the Web Enrollment server should be protected with the same care as the CA itself.
In the ‘Add Services’ dialog, press the ‘Users or Computers…’ button and select the CA’s computer object.
The result is a list of every service principal name (SPN) registered on the CA’s computer object. Web Enrollment does not need all of them; only the HOST and RPCSS services are required, since both are used by the DCOM connection from the Web Enrollment server to the CA.
Under ‘Available services,’ select the HOST and RPCSS entries for the CA (each may be listed under both the short host name and the fully qualified name; selecting both forms is harmless).
Press ‘OK’ to close the ‘Add Services’ dialog, then ‘OK’ to close the computer’s properties.
Reboot both the CA and the Web Enrollment server so that the new delegation settings take effect; in particular, the Web Enrollment server’s computer account needs a fresh Kerberos logon before the KDC will issue it delegated tickets.
That should allow your AD CS Web Enrollment server to function as intended.
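The same delegation change as the Delegation tab steps above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module is available on the machine where it runs, and the names WEBENROLL01, CA01 and CA01.corp.example.com are placeholders for your Web Enrollment server and CA. Before writing anything it checks that the HOST and RPCSS SPNs actually exist on the CA’s computer object, because the KDC will only honour delegation to a registered SPN, and afterwards it reads back the attributes the KDC enforces, including a check that unconstrained delegation was not accidentally enabled.

```powershell
# Added example, not part of the original post. Performs the same change as the
# Delegation tab (constrained delegation to HOST and RPCSS on the CA, with
# protocol transition) and verifies the result. Server names are placeholders.
Import-Module ActiveDirectory

$webEnrollComputer = 'WEBENROLL01'          # server hosting CA Web Enrollment (assumed name)
$caComputer        = 'CA01'                  # the Certification Authority (assumed name)
$caFqdn            = 'CA01.corp.example.com' # assumed FQDN of the CA

# Delegation targets must be SPNs registered on the CA's computer object.
$caSpns  = (Get-ADComputer $caComputer -Properties servicePrincipalName).servicePrincipalName
$wanted  = @("HOST/$caComputer", "HOST/$caFqdn", "RPCSS/$caComputer", "RPCSS/$caFqdn")
$missing = $wanted | Where-Object { $caSpns -notcontains $_ }
if ($missing) {
    throw "SPN(s) not registered on $caComputer, cannot delegate to them: $($missing -join ', ')"
}

# 1. 'Trust this computer for delegation to specified services only':
#    msDS-AllowedToDelegateTo holds exactly the target SPNs (HOST and RPCSS only).
Set-ADComputer -Identity $webEnrollComputer -Replace @{ 'msDS-AllowedToDelegateTo' = $wanted }

# 2. 'Use any authentication protocol' = protocol transition, i.e. the
#    TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl.
Set-ADAccountControl -Identity $webEnrollComputer -TrustedToAuthForDelegation $true

# Read back what the directory now says; this is what the KDC will enforce.
$obj = Get-ADComputer -Identity $webEnrollComputer -Properties msDS-AllowedToDelegateTo, userAccountControl
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation; must stay clear

$state = [PSCustomObject]@{
    Computer            = $obj.Name
    AllowedToDelegateTo = ($obj.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition  = [bool]($obj.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    Unconstrained       = [bool]($obj.userAccountControl -band $TRUSTED_FOR_DELEGATION)
}
$state | Format-List

if ($state.Unconstrained) {
    Write-Warning "$($obj.Name) is trusted for UNCONSTRAINED delegation; clear that before going further."
}

# The Web Enrollment server only picks this up with a fresh computer-account
# logon: reboot it as in the steps above, or on that server purge the Local
# System ticket cache (logon session 0x3e7) and retry:
#   klist purge -li 0x3e7
```

Because the script writes msDS-AllowedToDelegateTo with -Replace, it also removes any stale delegation targets that were added earlier, which matches the least-privilege intent of constrained delegation: the Web Enrollment server should be able to delegate to the CA’s HOST and RPCSS services and nothing else.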