Your network contains an Active Directory domain named contoso.com. Contoso.com
contains three servers.
The servers are configured as shown in the following table.
You need to ensure that users can manually enroll and renew their certificates by using the
Certificate Enrollment Web Service.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Configure the policy module settings.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client – Certificate Enrollment Policy Group Policy setting.
D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account.
Explanation:
Reference 1)
http://technet.microsoft.com/en-us/library/dd759245.aspx
The Certificate Enrollment Web Service can process enrollment requests for new certificates
and for certificate renewal. In both cases, the client computer submits the request to the
Web service and the Web service submits the request to the certification authority (CA) on
behalf of the client computer. For this reason, the Web service account must be trusted for
delegation in order to present the client identity to the CA.
Reference 2)
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-webservices-in-active-directory-certificate-services.aspx
Delegation is required for the Certificate Enrollment Web Service account when all of the
following are true:
- The CA is not on the same computer as the Certificate Enrollment Web Service
- Certificate Enrollment Web Service needs to be able to process initial enrollment requests,
  as opposed to only processing certificate renewal requests
- The authentication type is set to Windows Integrated Authentication or Client certificate authentication
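
The delegation requirement described above, as an added PowerShell example that is not part of the original question or the referenced articles: it scopes the Web service account to constrained delegation toward the CA only and reports anything broader. The account name `svc-ces`, the CA host `ca01.contoso.com`, the use of a domain user account as the application pool identity, and the HOST/rpcss target services are assumptions for illustration.

```powershell
# Added example. All names are placeholders, not values from the question.
Import-Module ActiveDirectory

$CesAccount     = 'svc-ces'            # hypothetical app pool account (domain user)
$CaHost         = 'ca01.contoso.com'   # hypothetical FQDN of the remote CA
$ClientCertAuth = $false               # $true if CES uses client certificate authentication

# Services on the CA that CES reaches on behalf of the client
# (assumption based on CES setup guidance, not stated on this page).
$wanted = @("HOST/$CaHost", "rpcss/$CaHost")
$props  = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation',
          'TrustedToAuthForDelegation', 'ServicePrincipalNames'

$acct = Get-ADUser -Identity $CesAccount -Properties $props

# Kerberos delegation only works for an account that has an SPN.
if (-not $acct.ServicePrincipalNames) {
    Write-Warning "$CesAccount has no SPN; register the CES HTTP SPN first."
}

# Unconstrained delegation lets the account act as the client toward any
# service in the domain. CES only needs the CA, so switch it off.
if ($acct.TrustedForDelegation) {
    Write-Warning "$CesAccount is trusted for unconstrained delegation; removing."
    Set-ADAccountControl -Identity $acct -TrustedForDelegation $false
}

# Constrained delegation: limit impersonation to the CA's two services.
Set-ADUser -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$wanted }

# Protocol transition is only needed when the client did not authenticate to
# CES with Kerberos (client certificate authentication).
Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $ClientCertAuth

# Re-read the account and report anything outside the intended scope.
$check = Get-ADUser -Identity $CesAccount -Properties $props
$extra = @($check.'msDS-AllowedToDelegateTo' | Where-Object { $_ -notin $wanted })
[pscustomobject]@{
    Account            = $check.SamAccountName
    Unconstrained      = $check.TrustedForDelegation
    ProtocolTransition = $check.TrustedToAuthForDelegation
    DelegatesTo        = $check.'msDS-AllowedToDelegateTo' -join ', '
    UnexpectedTargets  = $extra -join ', '
}
```

An empty `UnexpectedTargets` and `Unconstrained = False` in the output mean the account can present client identities to the CA and nowhere else.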