ADCS Policy Web Service - Access was denied by the remote endpoint. 0x803d0005 (-2143485947)


Hi there fellow colleagues,

I am facing a problem with the ADCS Policy Web Service on Windows Server 2008 R2 Enterprise (SP1).
• Hotfix installed: http://support.microsoft.com/default.aspx?scid=kb;en-us;2545850
• Application pool identity: ApplicationPoolIdentity (also tested with a custom service account)
• Testing from the local machine and from another machine
• CA and CEP on the same system
• Getting a Kerberos ticket for the service; I can see a successful logon event for the user.
• Kerberos authentication is working; directly calling the URL gives 403.14 (directory listing denied) with logon method Negotiate.

The following message is shown in Certificate Services Client - Certificate Enrollment Policy Server:

The remote endpoint could not process the request. 0x803d000f (-2143485937)

The following WS errors appear in the WebServices analytic log:
• WsCall API failed 0x803d0005
• Error occurred: 0x0 - There was an error communicating with the endpoint at 'https://cep.example.com/adpolicyprovider_cep_kerberos/service.svc/cep'.
• Error occurred: 0x0 - The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
• Error occurred: 0x0 - The requested resource requires user authentication.
• Error occurred: 0x803d0005 - Access was denied by the remote endpoint.

In the Application log I can see event ID 3, source System.ServiceModel 3.0.0.0, level Error:

 WebHost failed to process a request.

 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/45653674

 Exception: System.ServiceModel.ServiceActivationException: The service '/ADPolicyProvider_CEP_Kerberos/service.svc' cannot be activated due to an exception during compilation. The exception message is: SOFTWARE\Microsoft\CEP. ---> System.Configuration.ConfigurationErrorsException: SOFTWARE\Microsoft\CEP
   at Microsoft.CertificateServices.Policy.DerivedHost.Initialize()
   at Microsoft.CertificateServices.Policy.DerivedHost.OnOpening()
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)

 Process Name: w3wp

 Process ID: 3108

The EnrollmentPolicyWebService log, on the other hand, tries to tell me:

The Certificate Enrollment Policy Web Service failed to initialize. Confirm that the Certificate Enrollment Policy Web Service is installed. Try to restart Internet Information Services (IIS) using iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, attempt to obtain policy information from a client, and contact Microsoft Customer Service and Support with the trace file information. Unknown HResult error code: 0x80131902

I am kind of lost and I'd appreciate some help...

thanks,

mmf

Hi all,

I found the solution, maybe :)

The .NET trust level of the CEP / CES applications had been modified to harden IIS (and I didn't know it). The .NET trust level has to be Full (internal), but it was set to Medium. After changing it to Full and restarting IIS, it works beautifully.

Doh,

mmf
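The PowerShell below is an added example written for this thread; it is not code from mmf's posts or from Microsoft. It automates what the two posts describe: list the CEP/CES web applications, report their .NET trust level, reset any that are not Full (ASP.NET Medium trust does not grant RegistryPermission, so the host's read of the SOFTWARE\Microsoft\CEP key during Initialize() fails and surfaces as the ConfigurationErrorsException in the Application log), and then probe service.svc with the caller's Kerberos credentials the way the first post did by hand. Assumptions: the applications live under 'Default Web Site', the key named in the exception is under HKLM, the URL is the one from the analytic log, and the function names are mine. It avoids Invoke-WebRequest because Server 2008 R2 ships PowerShell 2.0.

```powershell
# Added example (not from the original thread): audit the .NET trust level of the
# ADCS CEP/CES IIS applications, repair it, and probe the CEP endpoint afterwards.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: where the role installer created the apps
$CepUrl   = 'https://cep.example.com/ADPolicyProvider_CEP_Kerberos/service.svc'  # from the post
$CepKey   = 'HKLM:\SOFTWARE\Microsoft\CEP'  # assumption: hive of the key named in the exception

function Get-AdcsWebApp {
    # CEP apps are named ADPolicyProvider_CEP_<auth>, CES apps <CAName>_CES_<auth>.
    Get-WebApplication -Site $SiteName | Where-Object { $_.path -match '_(CEP|CES)_' }
}

function Get-TrustLevel([string]$AppPath) {
    # system.web/trust comes from the application's web.config (or an inherited one).
    $psPath = "IIS:\Sites\$SiteName$AppPath"
    (Get-WebConfiguration -Filter 'system.web/trust' -PSPath $psPath).level
}

function Repair-TrustLevel([string]$AppPath) {
    # Full trust is what the CEP/CES hosts require; writes to the app's web.config.
    $psPath = "IIS:\Sites\$SiteName$AppPath"
    Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/trust' -Name 'level' -Value 'Full'
}

function Test-CepEndpoint([string]$Url) {
    # Returns the HTTP status code; uses Negotiate (Kerberos) as the current user.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode } else { throw }
    }
    return $code
}

$changed = $false
foreach ($app in Get-AdcsWebApp) {
    $level = Get-TrustLevel $app.path
    Write-Host ("{0}  pool={1}  trust={2}" -f $app.path, $app.applicationPool, $level)
    if ($level -ne 'Full') {
        Write-Warning ("{0}: trust level '{1}' blocks the registry read of SOFTWARE\Microsoft\CEP; setting Full" -f $app.path, $level)
        Repair-TrustLevel $app.path
        $changed = $true
    }
}
if ($changed) { iisreset | Out-Null }   # the CEP event log text itself suggests iisreset

# Show who can read the CEP key, so an app pool identity without read access stands out.
if (Test-Path $CepKey) {
    (Get-Acl $CepKey).Access | Where-Object { $_.RegistryRights -match 'Read' } |
        Format-Table IdentityReference, RegistryRights -AutoSize
}

switch (Test-CepEndpoint $CepUrl) {
    200     { 'service.svc answered 200: the service activated' }
    401     { '401: authentication was not negotiated (check SPN, app pool identity, client credentials)' }
    default { "HTTP $_ from service.svc: check System.ServiceModel event ID 3 in the Application log" }
}
```

Run it elevated on the CEP/CES server. Calling the application root rather than service.svc still returns 403.14, as in the first post, because directory browsing is off; only the .svc URL tells you whether activation succeeded.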
