
Certificate Authority on Windows 2012 domain controller


Hi, everyone.

I'm configuring Certificate Enrollment Web Services installed along with the CA on a Windows 2012 domain controller.

I'm aware best practice is to install the CA on a member server and not on a DC, but for small businesses it's acceptable.

I'm using mostly default settings for now, as it is a lab environment. When configuring Certificate Enrollment Web Services, the wizard recommends using a service account. I created a user account and added it to the IIS_USRS group, but the wizard throws the error "Logon failed due to insufficient rights".

I believe the documentation only states the user should be added to the IIS_USRS group, and I would think that's enough for member servers, but this being a domain controller, there seems to be some other setting required for the account to have adequate permissions.

I tried editing the Default Domain Controller Policy and assigned the "Log on as a service" user right to the account. I rebooted the server, but the wizard still throws the same message.

For now I added the account to the Domain Admins group and this allowed the wizard to complete, but I'm wondering if there are specific, less broad permissions that can be assigned to this account to work on a domain controller. Please advise.

Thanks

