Log in to the CES server using CESAdmin as user name, and then launch PowerShell in administrative mode.
Run the command Import-Module ServerManager.
Run the command Add-WindowsFeature Adcs-Enroll-Web-Svc.
Run the command Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig "CA1.contoso.com\contoso-CA1-CA" -SSLCertThumbprint "sslCertThumbPrint" -AuthenticationType Kerberos.
Notes:
- Replace <sslCertThumbPrint> with the thumbprint of the SSL certificate created for the CES server, after deleting the spaces between the thumbprint values.
- Replace CA1.contoso.com with your CA computer name.
- Replace contoso-CA1-CA with your CA common name.
Complete the installation by selecting either Y or A.
Launch the IIS Manager Console.
In the Connections pane, expand the web server that is hosting CES.
Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name: contoso-CA1-CA _CES_Kerberos.
From the left pane, click Application Pools.
Select WSEnrollmentServer, and then from the right pane, click Actions > Advanced Settings .
Select the identity field under Process Model.
In the Application Pool Identity dialog, select the custom account, and then type CESSvc as the domain user name.
Close all dialogs, and then recycle IIS from the right pane of IIS Manager Console.
From PowerShell, type iisreset to restart IIS.
For CESSvc domain users, enable delegation. For more information, see Enabling delegation.