Certificate Web Enrollment Policy Service, Access was denied by the remote endpoint. 0x803d0005

  • Friday, November 09, 2012 9:53 PM

    This question was asked based on Windows 7 and Server 2008 R2... per the link below:

    http://social.technet.microsoft.com/Forums/en-IE/winserversecurity/thread/809459c7-e090-48d2-bdff-ab42b3ba8270

    I figured I'd start a new thread since no answer was given.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    I am inquiring if there is any fix for Windows Server 2012.

    I tried setspn -s, then ran setspn -L DOMAIN\CEWS_Service_User_Name, and the URI is listed when using the -L and username parameters.

    Verified that the IIS AppPool identity on the CEP machine is set to CEWS_Service_User_Name.

    Applied and verified the delegation service types (HOST and rpcss for the ca.pre.domain.suf machine).

    I am curious whether anyone else has come across the same issue as below, from the following site: http://technet.microsoft.com/en-us/library/tlg-key-based-renewal.aspx

    Topic: To configure WEB1 for automated certificate renewal
    Specifically items 8 through 10. Upon validation, it errors with the following: Access was denied by the remote endpoint. 0x803d0005 (-2143485947)
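    The three things the poster says were verified (SPN on the service account, IIS application pool identity, constrained-delegation targets) can be re-checked from the CEP/CES server with the added script below. It is not code from this thread or from the test lab guide; the account name, URI host name, application pool name and CA host name in the param block are assumed placeholders, and it needs the ActiveDirectory (RSAT) and WebAdministration modules.

```powershell
# Added diagnostic for the CEP/CES service account (not from the thread or the
# test lab guide). Re-checks: (1) the HTTP SPN on the service account,
# (2) the IIS application pool identity, (3) the constrained-delegation
# targets (HOST and rpcss on the CA host). Names below are assumed placeholders.
param(
    [string]$ServiceAccount = 'DOMAIN\CEWS_Service_User_Name',  # assumed account name
    [string]$CepHost        = 'cep1.corp.contoso.com',          # host name used in the CEP/CES URI
    [string]$AppPoolName    = 'WSEnrollmentPolicyServer',       # assumed application pool name
    [string]$CaHost         = 'ca.pre.domain.suf'               # CA host the CES delegates to
)
Import-Module ActiveDirectory   -ErrorAction Stop
Import-Module WebAdministration -ErrorAction Stop

$sam     = $ServiceAccount.Split('\')[-1]
$account = Get-ADUser -Identity $sam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation

# 1. SPN: the HTTP SPN must match the host name the client puts in the policy URI,
#    otherwise Kerberos authentication to the web service fails before delegation is attempted.
$expectedSpn = "HTTP/$CepHost"
$spnOk = @($account.servicePrincipalName) -contains $expectedSpn
Write-Host "SPNs on $ServiceAccount (setspn -L):"
setspn -L $ServiceAccount | Out-Host

# 2. The application pool must run as the same account that carries the SPN.
$pool   = Get-Item "IIS:\AppPools\$AppPoolName"
$poolId = if ($pool.processModel.identityType -eq 'SpecificUser') {
    $pool.processModel.userName
} else {
    [string]$pool.processModel.identityType   # built-in identity, cannot carry the custom SPN
}
$poolOk = $poolId -eq $ServiceAccount

# 3. Constrained delegation: msDS-AllowedToDelegateTo must list the CA host's HOST and rpcss services.
$targets = @($account.'msDS-AllowedToDelegateTo')
$delegOk = ($targets -contains "HOST/$CaHost") -and ($targets -contains "rpcss/$CaHost")

[pscustomobject]@{
    ExpectedSpn            = $expectedSpn
    SpnRegistered          = $spnOk
    AppPoolIdentity        = $poolId
    AppPoolIdentityMatches = $poolOk
    DelegationTargets      = ($targets -join ', ')
    DelegationTargetsOk    = $delegOk
    # "Use any authentication protocol" (protocol transition); reported, not judged here
    ProtocolTransition     = [bool]$account.TrustedToAuthForDelegation
}
```

    Any False in the summary is a concrete mismatch to fix before looking further at the 0x803d0005 error; a True for all three only means the Kerberos plumbing is in place, not that the CA and template permissions discussed later in the thread are correct.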

All Replies

  • Sunday, November 11, 2012 3:48 PM

    Hi,

    What type of auth are you using? Are you using renewal-only mode? Do you have the proper certificate already distributed on the machine? With Server Auth?

  • Sunday, November 11, 2012 11:33 PM

    Per the topic: certificate (that is, the X.509 Certificate authentication type).

    Yes... the certificate was issued using a PS request, submitted and approved using the CA console, then retrieved using PS. The certificate used on the specific machine (not the CA, CEP, or CEW) shows the correct client version in accordance with the following:

    Enhanced Key Usage:

         Server Authentication (1.3.6.1.5.5.7.3.1)

         Client Authentication (1.3.6.1.5.5.7.3.2)

    • Edited by RoninB Sunday, November 11, 2012 11:43 PM
  • Monday, November 12, 2012 11:48 AM

    Hi Ronin,

    For renewals only you don't need to configure delegation. The enrollment service takes the original certificate to authenticate the renewal request. After that, the enrollment service will submit the request under its own credentials, so the server/service account should be able to read the CA configuration. You should check this in the CA console on the Properties -> Security tab. Additionally, if using renewal mode, the service account also has to have the Request Certificates permission.

      • Permissions required to obtain policy from the policy web service:
        • The client will obtain policy based on the credentials used to connect to the policy web service URI. 
        • Authenticating user must have read and enroll on a template in order for that template to be retrieved as part of the policy.
        • For machine certificates, in addition to the authenticating user having read and enroll on the template, the machine must have read and enroll as well.  If the requesting machine does not have enroll, the user performing the enrollment or renewal will be able to see the policy but will fail upon the enrollment or renewal request.
        • If using renewal-only mode, the user the enrollment web service is running as must have "Request Certificates" permission on the CA.
        • If there is not at least one certificate enrollment web service configured for a CA configured to issue a template, that template will not be returned as part of the policy, regardless of permissions settings. (taken from Windows Server 2008 R2 Certificate Enrollment Web Services Whitepaper)

    I had the same issue; after configuring permissions on the CA it started to work as expected.
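    The two permission sets this reply describes (Read and Request Certificates on the CA; Read and Enroll on the template) can be read back and checked for one account with the added script below. It is an example written for this page, not code from the thread or the whitepaper; the CA config string, template name and account name are assumed placeholders. The CA descriptor is fetched through the ICertAdmin2 COM interface (CertificateAuthority.Admin), which returns SDDL, and the template ACL through the AD: drive of the ActiveDirectory module. Only ACEs granted directly to the account are matched; rights inherited through group membership are not resolved here.

```powershell
# Added permission check (not from the thread): does $Principal hold Read and
# Request Certificates on the CA, and Read and Enroll on the template?
# Names in the param block are assumed placeholders.
param(
    [string]$CaConfig  = 'ca.pre.domain.suf\Pre-Domain-CA',   # assumed "host\CA name" config string
    [string]$Template  = 'KeyBasedRenewal',                   # assumed template common name
    [string]$Principal = 'DOMAIN\CEWS_Service_User_Name'      # assumed CES service account
)
Import-Module ActiveDirectory -ErrorAction Stop

# CA access-mask bits (certsrv.h); the UI labels them "Read" and "Request Certificates"
$CA_ACCESS_READ   = 0x100
$CA_ACCESS_ENROLL = 0x200
# Certificate-Enrollment extended right on template objects
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve the account to a SID so ACEs match regardless of how the name is written
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])

# 1. CA security descriptor: ICertAdmin2::GetCASecurity returns SDDL
$admin  = New-Object -ComObject CertificateAuthority.Admin
$sd     = New-Object System.Security.AccessControl.RawSecurityDescriptor($admin.GetCASecurity($CaConfig))
$caMask = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $sid) {
        $caMask = $caMask -bor $ace.AccessMask
    }
}

# 2. Template ACL from the Configuration naming context
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplDn    = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl      = Get-Acl -Path "AD:\$tplDn"
$tplRead = $false; $tplEnroll = $false
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }                                 # orphaned SID, cannot be our account
    if ($aceSid -ne $sid) { continue }
    $rights = $ace.ActiveDirectoryRights
    if (($rights -band $ADR::GenericAll) -eq $ADR::GenericAll) { $tplRead = $true; $tplEnroll = $true; continue }
    if (($rights -band $ADR::GenericRead) -eq $ADR::GenericRead) { $tplRead = $true }
    # An ExtendedRight ACE with ObjectType = Enroll GUID (or empty = all extended rights) grants Enroll
    if (($rights -band $ADR::ExtendedRight) -and
        ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)) { $tplEnroll = $true }
}

[pscustomobject]@{
    Principal              = $Principal
    CA_Read                = [bool]($caMask -band $CA_ACCESS_READ)
    CA_RequestCertificates = [bool]($caMask -band $CA_ACCESS_ENROLL)
    Template               = $Template
    Template_Read          = $tplRead
    Template_Enroll        = $tplEnroll
}
```

    Run it once for the CES service account (which needs the two CA rights in renewal-only mode) and once for the authenticating user or machine (which needs the two template rights), since the reply's bullets make those two sets apply to different principals.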

  • Wednesday, November 21, 2012 6:06 PM


    First... I am following the test lab guide: http://technet.microsoft.com/en-us/library/tlg-key-based-renewal.aspx#1

    Every step is completed, including the prerequisites (i.e. the Base Configuration test lab).

    Basically, I am on the last stage:

         Step 7 of the "http://technet.microsoft.com/en-us/library/tlg-key-based-renewal.aspx#1"

              "To configure WEB1 for automated certificate renewal"

                   8. In Certificate Enrollment Policy Server, in the Enter enrollment policy server URI text box, enter the following URI: https://cep1.corp.contoso.com/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP

    The machine in question (for the sake of clarity, call it ND1) is a NON-domain member... However, according to the guide, upon acquiring a certificate from an AD CA, this should allow the machine (ND1) to change ITS own GP to use certificate authentication, by setting its policy (Certificate Services Client – Certificate Enrollment Policy) to type X.509 and using the certificate enrollment policy URI.

    Regarding your bullet point 3, "For machine certificates, in addition...": again, the machine in question is not a member of the domain. Changing the certificate template security to add ND1 to the CA certificate template is not an option.

  • Saturday, December 29, 2012 12:44 PM

    Hi Ronin,

    Sorry for the late answer. I obviously missed before that you are using a non-domain-joined machine. You cannot configure renewal only for those machines. The machine has to be joined to the domain, enroll for a cert while internal, and renew once it is external.

    Key based renewal in 2012 supports your scenario.

    Check this link: http://technet.microsoft.com/en-us/library/hh831373.aspx (Support for Key based renewal)

    Regards,

    Natty