CredSSP Authentication Configurations on Microsoft CA Server

Table of Contents
- Configure domain admin/user for the CA server
- Configure domain admin/user for an intermediate server
- Configure domain admin/user for the MID-hosted server
- RPC configuration for an intermediate server
- Domain user configuration to trigger MSCA flow

This article helps you set up CredSSP on the CA, intermediate, and MID servers.

Prerequisite: Ensure the PowerShell execution policy is RemoteSigned.

Configure domain admin/user for the CA server

Follow these procedures on the CA server:

1. Log in as a system administrator.
2. Run the gpedit command from the command prompt. The Local Group Policy Editor opens.
3. Configure the Allow delegating fresh credentials policy (Computer Configuration > Administrative Templates > System > Credentials Delegation). On the CA server, add the following entries to the server list:

   wsman/*.domain_name
   wsman/*

   Add the following entries only if you do not have an intermediate server:

   wsman/mid_server_ip
   wsman/mid_host_name

4. Run the following command in PowerShell:

   Enable-WSManCredSSP -Role Server

Configure domain admin/user for an intermediate server

If you have an intermediate server in your environment, execute these steps on it:

1. Log in as a system administrator.
2. Run the gpedit command from the command prompt. The Local Group Policy Editor opens.
3. Configure the Allow delegating fresh credentials policy.
4. Configure the Allow delegating fresh credentials with NTLM-only server authentication policy.
5. On the intermediate server, add the following entries to the server list of both policies:

   wsman/*.domain_name
   wsman/mid_server_ip
   wsman/mid_host_name

6. Run the following command in PowerShell:

   Enable-WSManCredSSP -Role Client -DelegateComputer Mid_Server_Host_Name

Configure domain admin/user for the MID-hosted server

Follow these procedures on the MID-hosted server:

1. Log in as a system administrator.
2. Run the gpedit command from the command prompt. The Local Group Policy Editor opens.
3. Configure the Allow delegating fresh credentials policy.
4. Configure the Allow delegating fresh credentials with NTLM-only server authentication policy.
5. On the MID server, add the following entries to the server list of both policies:

   wsman/*.domain_name
   wsman/*
   wsman/intermediate_server_ip
   wsman/intermediate_server_host_name

   Add the following entries only if you do not have an intermediate server:

   wsman/ca_server_ip
   wsman/ca_server_host_name

6. Run the following command in PowerShell:

   Enable-WSManCredSSP -Role Client -DelegateComputer intermediate_Server_Host_Name

   Run the following command instead only if you do not have an intermediate server:

   Enable-WSManCredSSP -Role Client -DelegateComputer CA_Server_Host_Name

RPC configuration for an intermediate server

Prerequisite: Enable CredSSP authentication.

Architecture diagram: (the diagram from the original article is not reproduced in this text.)

Remote Procedure Call (RPC) is enabled by default. If it is not, open services.msc as an administrator and enable the RPC service on both the intermediate and CA servers.

Resolving the RPC error:

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Stack Trace:
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()

Ensure that you enable the firewall rule referenced above (shown in the original article's screenshot, not reproduced here) on the MID, CA, and intermediate servers.

Configure remote PowerShell access for non-privileged user accounts:

Log in as a domain admin and apply the following configuration on the CA, MID, and intermediate servers.

Note: The remaining steps are also described in the Microsoft documentation. You can follow either one (see step 1 and step 2 from the link below):
https://helpcenter.gsx.com/hc/en-us/articles/202447926-How-to-Configure-Windows-Remote-PowerShell-Access-for-Non-Privileged-User-Accounts

1. Run PowerShell as an administrator and execute the following command:

   Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force

   In the security descriptor dialog, add your domain group/user and grant the required permissions.
2. In the Run dialog, enter compmgmt.msc. Add the domain group/user to the Performance Log Users group.
3. Under WMI Control, add the domain group/user and configure its permissions.

Domain user configuration to trigger MSCA flow

All of the following configuration steps should be executed as a domain admin.

1. Log in to the Domain Controller.
2. Create a group (for example, a custom group).
   Note: The scope of the custom group should match the existing domain user group.
3. Create a user.
   Note: You can also assign the MSCA permission to the user directly.
4. Ensure the user is a member of the Domain Users group, and add the user to the custom group.
5. Ensure the custom group is not a member of any other group.
6. Log in to the CA server and grant CA-level permissions to the custom group: open certsrv > CAServer > Properties and provide access.
7. Grant template-level permissions to the custom group: open certsrv > expand CAServer > Certificate Templates > Manage > Template > Properties and provide access.
8. Enable CredSSP for the domain CA, MID, and intermediate servers.
9. Enable RPC between the intermediate and CA servers.
10. Configure remote PowerShell access for the domain user account.
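The three CredSSP sections above (CA, intermediate, and MID server) all end up writing SPN entries into the Allow delegating fresh credentials policies. The audit script below is an added example, not part of the original article, that reads those entries back from the local policy registry keys and from the WSMan configuration and flags how broadly each entry delegates the user's password. It assumes an elevated Windows PowerShell session on the server being checked; the registry path and value layout are the ones the Credentials Delegation policy uses.

```powershell
# Added example (not from the original article): audit the CredSSP delegation
# targets configured by the gpedit and Enable-WSManCredSSP steps, and flag entries
# that delegate fresh credentials to more hosts than the procedure needs.
# Assumption: run elevated on the CA, intermediate, or MID server being audited.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSspDelegationTargets {
    param(
        [ValidateSet('AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly')]
        [string]$Policy
    )
    $key = Join-Path $policyRoot $Policy
    if (-not (Test-Path $key)) { return @() }
    # Each SPN entry is stored as a numbered REG_SZ value (1, 2, 3, ...) under the subkey.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Test-CredSspTargetScope {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        $assessment = if ($t -eq 'wsman/*') {
            'HIGH: credentials may be delegated to any WSMan endpoint'
        } elseif ($t -like 'wsman/*.*') {
            'MEDIUM: credentials may be delegated to every host under this DNS suffix'
        } else {
            'OK: single host'
        }
        [pscustomobject]@{ Target = $t; Assessment = $assessment }
    }
}

# Policy state: AllowFreshCredentials is the "Allow delegating fresh credentials"
# setting; the WhenNTLMOnly variant also permits delegation when the server could
# not be mutually authenticated with Kerberos, so its list deserves extra scrutiny.
foreach ($p in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $enabled = (Get-ItemProperty -Path $policyRoot -Name $p -ErrorAction SilentlyContinue).$p
    Write-Host "`n$p enabled: $([bool]$enabled)"
    Get-CredSspDelegationTargets -Policy $p | Test-CredSspTargetScope | Format-Table -AutoSize
}

# WSMan side: what Enable-WSManCredSSP -Role Server / -Role Client toggled.
Write-Host "`nWSMan CredSSP state:"
Get-WSManCredSSP
Write-Host ("Service (server role) CredSSP: " + (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value)
Write-Host ("Client  (client role) CredSSP: " + (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value)
```

Run it once on each server after completing the gpedit steps. A `wsman/*` entry is what the article specifies for the CA and MID servers, but it means the logged-in account's password can be forwarded to any host that presents a WSMan endpoint; where the hop path is known (MID to intermediate to CA), replacing it with the explicit `wsman/<host>` entries limits the damage a compromised or spoofed intermediate could do.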
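The RPC error and the remote PowerShell access steps above are easiest to troubleshoot with one script that checks each piece from the calling server. The following is an added example, not part of the original article: it checks the local RPC service, reachability of the RPC endpoint mapper and the WinRM listener on the CA server, the permissions granted on the Microsoft.PowerShell session configuration, the Performance Log Users membership, and the built-in WMI firewall rule group, then runs a WMI query over a CredSSP session as the non-privileged user. The server name, user name, and the firewall rule group name (the article's screenshot is not reproduced, so the built-in WMI group is assumed) are placeholders.

```powershell
# Added example (not from the original article): verify the RPC, firewall, and
# remote PowerShell access configuration for a non-privileged domain user.
# Assumptions: run elevated on the intermediate or MID server; names are placeholders.

param(
    [string]$CaServer   = 'ca-server.domain_name',   # placeholder: CA server FQDN
    [string]$DomainUser = 'DOMAIN\mscaUser'           # placeholder: non-privileged domain user
)

function Test-RpcReady {
    param([string]$ComputerName)
    $result = [ordered]@{ Computer = $ComputerName }
    # services.msc step: the local RPC service must be running.
    $result.RpcServiceRunning = (Get-Service -Name RpcSs).Status -eq 'Running'
    # HRESULT 0x800706BA typically means the RPC endpoint mapper (TCP 135) is unreachable,
    # which is what a missing firewall rule on the CA server produces.
    $result.EndpointMapperReachable = (Test-NetConnection -ComputerName $ComputerName -Port 135 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
    # WinRM listener used by the CredSSP-authenticated PowerShell session (HTTP default port).
    $result.WinRmReachable = (Test-NetConnection -ComputerName $ComputerName -Port 5985 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]$result
}

function Get-RemotePsAccess {
    # What the Set-PSSessionConfiguration -ShowSecurityDescriptorUI step granted.
    (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
}

function Get-PerfLogUsers {
    # compmgmt.msc step: the domain group/user should appear here.
    Get-LocalGroupMember -Group 'Performance Log Users' | Select-Object Name, ObjectClass
}

function Get-WmiFirewallRules {
    # Assumption: the rule the article's screenshot shows is the built-in WMI inbound group.
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Select-Object DisplayName, Enabled, Profile
}

Test-RpcReady -ComputerName $CaServer | Format-List
Write-Host "Microsoft.PowerShell endpoint permissions: $(Get-RemotePsAccess)"
Get-PerfLogUsers | Format-Table -AutoSize
Get-WmiFirewallRules | Format-Table -AutoSize

# End-to-end check as the non-privileged user: the same WMI call that failed in the
# stack trace (Get-WmiObject), executed over a CredSSP session to the CA server.
$cred = Get-Credential -UserName $DomainUser -Message 'Password for the non-privileged domain user'
Invoke-Command -ComputerName $CaServer -Authentication Credssp -Credential $cred -ScriptBlock {
    Get-WmiObject -Class Win32_ComputerSystem | Select-Object Name, Domain
}
```

If `EndpointMapperReachable` is false while the RPC service is running, the problem is the firewall rule on the target rather than the service; if the final `Invoke-Command` fails with an access-denied error although the ports are reachable, revisit the session configuration permissions and the WMI Control namespace permissions for the group.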
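The MSCA-flow section above places several requirements on the custom group and user (matching scope, membership in Domain Users, membership in the custom group, and the custom group being nested in no other group). The following added example, not part of the original article, verifies those requirements from the Domain Controller with the ActiveDirectory module (RSAT); the group and user names are placeholders.

```powershell
# Added example (not from the original article): verify the custom group and user
# layout required for the MSCA flow. Requires the ActiveDirectory module (RSAT).
# Assumption: run as a domain admin; 'MSCA-Requesters' and 'mscaUser' are placeholders.

Import-Module ActiveDirectory

function Test-MscaCustomGroup {
    param(
        [string]$GroupName,
        [string]$UserName
    )
    $group       = Get-ADGroup -Identity $GroupName -Properties MemberOf, GroupScope
    $domainUsers = Get-ADGroup -Identity 'Domain Users' -Properties GroupScope
    $user        = Get-ADUser  -Identity $UserName -Properties MemberOf, PrimaryGroup
    $members     = Get-ADGroupMember -Identity $GroupName -Recursive |
                       Select-Object -ExpandProperty SamAccountName

    # Domain Users is usually the account's primary group, so it does not show up in
    # MemberOf; check both places before concluding the user is not a member.
    $inDomainUsers = ($user.PrimaryGroup -match '^CN=Domain Users,') -or
                     [bool]($user.MemberOf -match '^CN=Domain Users,')

    [pscustomobject]@{
        Group                   = $group.Name
        GroupScope              = $group.GroupScope
        ScopeMatchesDomainUsers = $group.GroupScope -eq $domainUsers.GroupScope
        # The article requires the custom group to be a member of no other group.
        NestedInOtherGroups     = @($group.MemberOf).Count -gt 0
        ParentGroups            = (@($group.MemberOf) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        UserInCustomGroup       = $members -contains $user.SamAccountName
        UserInDomainUsers       = $inDomainUsers
    }
}

Test-MscaCustomGroup -GroupName 'MSCA-Requesters' -UserName 'mscaUser' | Format-List
```

`NestedInOtherGroups` should be false and `ParentGroups` empty: any parent group would transitively hand the CA and template permissions granted in certsrv to every member of that parent, which is exactly the scope creep the article's step 5 is guarding against.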