AD Certificate Services delegated install of enrollment web service


I'm working to stand up an internal AD CS environment, and I'm running into trouble with the Enrollment Web Service on a separate machine from the CA. I followed the delegation info at "Delegated Installation for an Enterprise Certification Authority", and installed and configured the CA without requiring Domain/Enterprise Admin rights. I'm attempting to install the Enrollment Web Service and running into access denied errors. The docs don't mention delegated install, and keep referring to Domain Admin rights being required. FWIW, I'm attempting to run:

Install-AdcsEnrollmentWebService -AuthenticationType Kerberos -CAConfig 'subca.domain.tld\ca-name' -SSLCertThumbprint '<thumbprint>' -Verbose -WhatIf

and it's throwing:

verbose: checking whether registry key ces exists.
verbose: calling initializeinstalldefaults method on setup object.
install-adcsenrollmentwebservice : ccertificateenrollmentserversetup::initializeinstalldefaults: access denied.  0x80070005 (win32: 5 error_access_denied)
at line:1 char:1
+ install-adcsenrollmentwebservice -authenticationtype kerberos -caconf ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + categoryinfo          : notspecified: (:) [install-adcsenrollmentwebservice], unauthorizedaccessexception
    + fullyqualifiederrorid : system.unauthorizedaccessexception,microsoft.certificateservices.deployment.commands.ces.installadcsenrollmentwebservice

Can anyone confirm whether the Enrollment Web Service can be installed as a delegated admin? Any suggestions appreciated.

Hi,

Try this command:

Install-AdcsWebEnrollment [-CAConfig <String>] [-Credential <PSCredential>] [-Force]

https://technet.microsoft.com/en-us/library/hh848381(v=wps.630).aspx

Besides, add the -Credential parameter to your original command to see if it helps.

Best regards,

Andy

