Working to stand up an internal AD CS environment and running into trouble with the Enrollment Web Service on a separate machine from the CA. Followed the delegation info at Delegated Installation for an Enterprise Certification Authority and successfully installed and configured the CA without requiring domain/enterprise admin rights. Now I'm attempting to install the enrollment web service and running into access denied errors. Docs don't mention delegated install for this and keep referring to domain admin rights being required. FWIW, this is what I'm attempting to run:
Install-AdcsEnrollmentWebService -AuthenticationType Kerberos -CAConfig 'subca.domain.tld\CA-NAME' -SSLCertThumbprint '<thumbprint>' -Verbose -WhatIf
And it's throwing:
VERBOSE: Checking whether the registry key for CES exists.
VERBOSE: Calling InitializeInstallDefaults method on the setup object.
Install-AdcsEnrollmentWebService : CCertificateEnrollmentServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
At line:1 char:1
+ Install-AdcsEnrollmentWebService -AuthenticationType Kerberos -CAConf ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-AdcsEnrollmentWebService], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Deployment.Commands.CES.InstallAdcsEnrollmentWebService
Can anyone confirm whether the enrollment web service can be installed by a delegated admin? Suggestions appreciated.