In the following deployment scenario, all permissions are based on permissions set on certificate templates that are published in the domain controller. The certificate requests sent to the CA are based on certificate templates.
For this setup, make sure that you have the following:
- A machine hosting the subordinate CA
- A machine hosting the NDES service
- A domain controller
Required users
Create the following users in the domain controller:
- Service Administrator
- Named as SCEPAdmin
- Must be a member of the local admin and Enterprise Admin groups
- Must be logged locally when the installation of NDES role is triggered
- Has Enroll permission for the certificate templates
- Has Add template permission on CA
- Service Account
- Named as SCEPSvc
- Must be member of the local IIS_IUSRS group
- Must be a domain user and has read and enroll permissions on the configured templates
- Has request permission on CA
- Enterprise CA Administrator
- Named as CAAdmin
- Member of Enterprise Admin group
- Must be a part of the local admin group