AD Certificate Services delegated install of enrollment web service


  • Working to stand up an internal AD CS environment and running into trouble with the Enrollment Web Service on a separate machine from the CA. Followed the delegation info at Delegated Installation for an Enterprise Certification Authority and successfully installed and configured the CA without requiring domain/enterprise admin rights. Now I'm attempting to install the enrollment web service and running into access denied errors. Docs don't mention delegated install for this and keep referring to domain admin rights being required. FWIW, this is what I'm attempting to run:

    Install-AdcsEnrollmentWebService -AuthenticationType Kerberos -CAConfig 'subca.domain.tld\CA-NAME' -SSLCertThumbprint '<thumbprint>' -Verbose -WhatIf

    And it's throwing:

    VERBOSE: Checking whether the registry key for CES exists.
    VERBOSE: Calling InitializeInstallDefaults method on the setup object.
    Install-AdcsEnrollmentWebService : CCertificateEnrollmentServerSetup::InitializeInstallDefaults: Access is denied.
    0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    At line:1 char:1
    + Install-AdcsEnrollmentWebService -AuthenticationType Kerberos -CAConf ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-AdcsEnrollmentWebService], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Deployment.Commands.CES

    Can anyone confirm whether the enrollment web service can be installed by a delegated admin? Suggestions appreciated.

    Monday, November 28, 2016 9:25 PM

All replies

  • Hi,

    Try this command:

    Install-AdcsWebEnrollment [-CAConfig <String>] [-Credential <PSCredential>] [-Force]

    Besides, you could also add the -Credential parameter to your original command to see if it helps.

    Best regards,



    Tuesday, November 29, 2016 7:57 AM
  • Thanks for the reply, Andy. However, I'm not interested in Certificate Authority Web Enrollment at this time. I want to set up Certificate Enrollment Web Service, a completely different role service. (I find the names highly confusing.)

    In any case, Install-AdcsEnrollmentWebService also has a -Credential parameter, so I tried passing a credential object for my delegated user. No change, which is expected since it's the same user I'm running the command as.

    Going to run through Certificate Enrollment Web Services in Active Directory Certificate Services again today. Other suggestions welcome.


    Tuesday, November 29, 2016 3:07 PM