Before client computers can use the Certificate Enrollment Policy Web Service, a Group Policy setting must be configured to provide the location of Web service to domain members.

To configure certificate enrollment policy
  1. On the Web server that hosts the Certificate Enrollment Policy Web Service, open Server Manager.

  2. In the console tree, expand Roles, and then expand Web Server (IIS).

  3. Click Internet Information Services (IIS) Manager.

  4. In the console tree, expand Sites, and click the Web service application that begins with ADPolicyProvider_CEP.


    The name of the application is ADPolicyProvider_CEP_AuthenticationType where AuthenticationType is the authentication type of the Web service.

  5. Under ASP.NET, double-click Application Settings.

  6. Double-click URI, and copy the URI value.

  7. Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.

  8. In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.

  9. Right-click the policy that you want to edit, and then click Edit.

  10. In the console tree under Computer Configuration\Policies\Windows Settings\Security Settings, click Public Key Policies.

  11. Double-click Certificate Services Client – Certificate Enrollment Policy.

  12. Click Add to open the Certificate Enrollment Policy Server dialog box.

  13. In the Enter enrollment policy server URI box, type or paste the certificate enrollment policy server URI obtained earlier.

  14. In the Authentication type list, select the authentication type required by the enrollment policy server.

  15. Click Validate, and review the messages in the Certificate enrollment policy server properties area. The Add button is available only when the enrollment policy server URI and authentication type are valid.

  16. Click Add.

Additional references