General Configuration
To allow SCEPman to handle incoming SOAP requests successfully, we need to take a few steps:
Create Service Principal
Use the New-SCEPmanADPrincipal Cmdlet of the SCEPman PowerShell module to create the service principal in your on-prem Active Directory domain. It will also export a keytab from this account and encrypt it with SCEPman's CA certificate.
Execute this Cmdlet with an account that has Domain Administrator permissions and network access to a Domain Controller. The variant below also requires outgoing HTTPS network access to your SCEPman instance.
Running this command will perform the following:
1. Create a computer object in the OU=Example,DC=contoso,DC=com Organizational Unit.
2. Download SCEPman's CA certificate to encrypt the keytab in step 5.
3. Add a service principal name (SPN) to the computer object.
4. Create a keytab for the computer account containing the encryption key based on the computer's password.
5. Encrypt the keytab with the CA certificate of SCEPman, so only SCEPman can decrypt it again using the CA private key.
6. Output the encrypted keytab, so it can be transferred to SCEPman's configuration.
The Base64 encoded output must then be transferred to the environment variable AppConfig:ActiveDirectory:Keytab of your SCEPman app service.
Add Keytab to SCEPman
The integration can easily be enabled by adding the following environment variables in the SCEPman App Service. Depending on your use case, enable one or more of the available certificate templates:
Example with all certificate templates enabled:
AppConfig:ActiveDirectory:Keytab = <Base64 encoded keytab for the service principal created in Step 1>
AppConfig:ActiveDirectory:Computer:Enabled = true
AppConfig:ActiveDirectory:User:Enabled = true
AppConfig:ActiveDirectory:DC:Enabled = true
Ensure Custom Domain and BaseUrl
For successful authentication with SCEPman, ensure that a custom domain using an A record is pointed to the app service. Otherwise, the client will fail to request a valid Kerberos ticket from the domain controller.
Ensure that SCEPman is configured to be accessible using a custom domain:
The same requirement also applies after the initial policy request (listing the certificate templates) when enrolling certificates. To allow successful authentication here, make sure to also set up the AppConfig:BaseUrl variable to your custom domain, or use the dedicated AppConfig:ActiveDirectory:BaseUrl setting if you require the AD endpoint to be accessible on a different URL than your other SCEPman endpoints.
Known Issues
WS_E_ENDPOINT_ACCESS_DENIED
Error: WS_E_ENDPOINT_ACCESS_DENIED
Hex: 0x803d0005
Dec: -2143485947
This error is known to occur during the validation of the CEP server when you are using the default URIs of the Azure App Service. It is caused by the Kerberos protocol asking for a service principal name of the A record of the service that is to be accessed. In the case of the default App Service domains, for example, contoso.azurewebsites.net is just a CNAME that points to an A record similar to:
waws-prod-ab1-234-c56d.westeurope.cloudapp.azure.com
As this A record of an infrastructure host is not guaranteed to be consistent in the future, adding a service principal name for this host is not recommended.
Make sure to add a custom domain to your app service and use an A record within your DNS provider to point it to the app service instead of a CNAME.
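To make the root cause of this error concrete, here is an added Python check (not SCEPman's code and not part of the original page): it follows a host name's CNAME chain to the A record host that Kerberos will use for the HTTP/<host> SPN, and also flags the http:// registration mistake described below. The DNS records are constructed sample data; the address 203.0.113.10 and the names scepman.contoso.com and loop-*.example.com are assumptions.

```python
# Added example, not SCEPman's own code: given DNS records, derive the host that
# Kerberos will build the HTTP/<host> SPN for and flag the CNAME indirection
# behind default *.azurewebsites.net names that the page warns about.
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed sample zone data mirroring the page's example (no live lookups).
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    # name -> (record type, CNAME target or IPv4 address)
    "contoso.azurewebsites.net": ("CNAME", "waws-prod-ab1-234-c56d.westeurope.cloudapp.azure.com"),
    "waws-prod-ab1-234-c56d.westeurope.cloudapp.azure.com": ("A", "203.0.113.10"),
    "scepman.contoso.com": ("A", "203.0.113.10"),            # assumed custom domain with an A record
    "loop-a.example.com": ("CNAME", "loop-b.example.com"),  # constructed CNAME loop
    "loop-b.example.com": ("CNAME", "loop-a.example.com"),
}

def canonical_host(name: str, records: Dict[str, Tuple[str, str]], max_hops: int = 8) -> str:
    """Follow CNAMEs until an A record is reached and return that host name."""
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        rtype, target = records.get(current, (None, None))
        if rtype == "A":
            return current
        if rtype != "CNAME":
            raise LookupError(f"no A or CNAME record for {current}")
        current = target.lower().rstrip(".")
    raise LookupError(f"CNAME chain for {name} exceeds {max_hops} hops")

def check_cep_url(url: str, records: Dict[str, Tuple[str, str]] = SAMPLE_RECORDS) -> dict:
    """Check a CEP endpoint URL against the two known issues described on this page."""
    parsed = urlparse(url)
    result = {"url": url, "ok": True, "problems": []}
    # ERROR_INVALID_PARAMETER: CEP servers may only be registered over https://
    if parsed.scheme != "https":
        result["ok"] = False
        result["problems"].append("ERROR_INVALID_PARAMETER: register the CEP server with https://")
    host = (parsed.hostname or "").lower()
    try:
        result["spn"] = "HTTP/" + canonical_host(host, records)
    except LookupError as exc:
        result["ok"] = False
        result["problems"].append(str(exc))
        return result
    # WS_E_ENDPOINT_ACCESS_DENIED: Kerberos requests the SPN of the A record host,
    # so a CNAME means the ticket is requested for the infrastructure host instead.
    if result["spn"] != "HTTP/" + host:
        result["ok"] = False
        result["problems"].append(
            f"WS_E_ENDPOINT_ACCESS_DENIED risk: {host} is a CNAME, Kerberos will ask for "
            f"{result['spn']}; use a custom domain with an A record instead")
    return result
```

In a real environment you would fill the record table from your own resolver output (Resolve-DnsName or dig) instead of the constructed sample data.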
ERROR_INVALID_PARAMETER
Error: ERROR_INVALID_PARAMETER
Hex: 0x80070057
Dec: -2147024809
This error occurs during the CEP server registration if you enter a URI that begins with http://. Make sure to only register a CEP server using https://.
ERROR_ACCESS_DENIED
When registering a CEP server in machine context, the acting user (the account that started gpmc.msc) needs to be a member of the local Administrators group on the computer while editing the GPO.
Make sure to start gpmc.msc with elevated permissions in this case.