
About NDES management account and user account permissions

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

If your DC and CA run on the same server and you configure a domain user as the NDES service account, the system will prompt "Logon failure: the user has not been granted the requested logon type at this computer".

Solution:

You must edit the "Default Domain Controllers Policy" in the Group Policy Editor.

Add the account that you will use for the NDES role to these two user rights under Windows Settings/Security Settings/Local Policies/User Rights Assignment: "Allow log on locally" and "Log on as a service".

This will allow you to set up the NDES role on a domain controller.

The NDES service account must be a domain user account. It must also:

a. Be a member of the local IIS_IUSRS group: you can use net localgroup IIS_IUSRS <domain>\<username> /Add to add the NDES service account to the local IIS_IUSRS group.

b. Have Request permission on the configured CA

On the CA to be used by NDES, open the Certification Authority console with an account that has administrative CA privileges.

Right-click the certification authority, and then click Properties.

On the Security tab, you can see the accounts that have permission to request certificates. By default, the Authenticated Users group has this permission. The service account you created will be a member of Authenticated Users when it is in use. If Authenticated Users has permission to request certificates, no additional permissions need to be granted. However, if this is not the case, the NDES service account should be granted the Request Certificates permission on the CA. To do this:

Click Add.

In the Select Users, Computers, Service Accounts, or Groups text box, type the name of the NDES service account, click Check Names, and then click OK.

Make sure the NDES service account is selected. Make sure that the Allow check box corresponding to Request Certificates is selected. Click OK.

c. Have Read and Enroll permissions on the automatically configured NDES certificate templates

d. Have a service principal name (SPN) set in Active Directory

Make sure that the account you are using is a member of the Domain Admins group. Open Windows PowerShell or a command prompt as an administrator.

Register the service principal name (SPN) for the NDES service account by using this command syntax: setspn -s http/<computername> <domainname>\<accountname>. For example, to register a service account named NdesService in the cpandl.com domain running on a computer named CA1, run the following command: setspn -s http/CA1.cpandl.com cpandl\NdesService
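The following script is an added example, not part of the original article: it verifies the two user rights, the IIS_IUSRS membership and the SPN described above. The defaults are the article's sample account and host names, and the file name under %TEMP% is an arbitrary choice.

```powershell
# Added example, not from the article. Defaults are the article's sample names.
param(
    [string]$Account  = 'cpandl\NdesService',  # NDES service account (domain\user)
    [string]$NdesHost = 'CA1.cpandl.com'       # FQDN used in the http/ SPN
)
$user    = $Account.Split('\')[-1]
$results = [ordered]@{}

# Resolve the account to a SID: secedit lists rights holders as *<SID> entries.
$sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# User rights: export the effective assignments and look for the account.
# Only direct assignment is detected, not rights held through a group.
$inf = Join-Path $env:TEMP 'ndes-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf
Remove-Item $inf
foreach ($right in 'SeInteractiveLogonRight', 'SeServiceLogonRight') {
    $line    = $rights | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) { $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } }
    $results[$right] = ($holders -contains "*$sid") -or ($holders -contains $Account)
}

# a. Local IIS_IUSRS membership; members appear as DOMAIN\user or bare user.
$pattern = '^(.+\\)?' + [regex]::Escape($user) + '$'
$results['IIS_IUSRS member'] = [bool](net localgroup IIS_IUSRS |
    Where-Object { $_.Trim() -match $pattern })

# d. SPN registered on the account (setspn -L lists the account's SPNs).
$results["SPN http/$NdesHost"] = [bool](setspn -L $Account |
    Where-Object { $_.Trim() -ieq "http/$NdesHost" })

$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Run it from an elevated PowerShell session on the NDES server. SeInteractiveLogonRight and SeServiceLogonRight are the internal names of "Allow log on locally" and "Log on as a service".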
