ICertificateEnrollmentPolicyServerSetup::Install method (casetup.h)
The Install method installs the Certificate Enrollment Policy (CEP) Web Service configured by the ICertificateEnrollmentPolicyServerSetup object.
Syntax
HRESULT Install();
Return value
| Return code | Description |
|---|---|
|
The name specified for the event tracing directory or the application directory already existed but represented a file rather than a directory. |
|
The CEP application already exists. For more information, see Remarks. |
|
The ICertificateEnrollmentPolicyServerSetup object has not been initialized.
The ErrorString property value is set to "The setup object has not been initialized. Please initialize the setup object with the InitializeInstallDefaults method." |
Remarks
This function performs the following actions:
- Initializes Windows Management Instrumentation (WMI).
-
Validates the CEP configuration by verifying that an application with the same name does not already exist. The application name is part of the CEP URL where the URL is of the form "https://computerDNSname/ADPolicyProvider_cep_AuthenticationType/service.svc/cep". The application name consists of "ADPolicyProvider_cep_AuthenticationType" where AuthenticationType can be one of the following:
- kerberos
- usernamepassword
- certificate
Note If an application with the same name exists, the ErrorString property is set to "Setup could not add this role service because it already exists in the default website. Please remove the existing role service or select a different certification authority (CA) or authentication type." -
Creates the %windir%\systemdata\cep\ADPolicyProvider_cep_AuthenticationType application directory. Note This method does not return an error if the name specified already exists as a directory, but if the specified name exists as a file or if some other error occurred, the method returns a failure HRESULT and sets the ErrorString property to "Failed to create the directory %1."
- Creates the %windir%\systemdata\cep\ADPolicyProvider_cep_AuthenticationType\Traces event tracing directory.
- Creates the Web.config and Service.svc files and writes them to the application directory. If the files already exist, they are overwritten.
- Creates an IIS application pool. By default, the pool runs under the ApplicationPoolIdentity account.
- Creates the application in the default website.
- Creates a secure (https) binding to port 443 and sets the certificate hash if one has been specified during configuration by calling the SetProperty method.
- Sets IIS authentication to anonymous if you called SetProperty and specified X509AuthCertificate or X509AuthUsername in the pPropertyValue argument. Sets authentication to Windows if you called SetProperty and specified X509AuthKerberos.
- Sets SSL flags depending on the type of authentication chosen during configuration. The default flags for all authentication types are SSL (require secure channel) and SSL_128 (128-bit encryption). Additionally, if you specify X509AuthCertificate, the SSL_REQUIRE_CERT and SSL_NEGOTIATE_CERT flags are set.
- Adds read and write access to the event tracing directory.
-
Updates the security descriptor of the Deleted Objects container in Active Directory to permit access by the computer and/or the application pool. This enables the CEP service to notify the certification authority when a relevant Active Directory object is deleted. If Active Directory is installed on a domain controller, both the computer and application pool are allowed to access the Deleted Objects container. If Active Directory is not installed on a domain controller, only the computer is allowed access.
Note If access to the Deleted Objects container fails, the method returns a failure HRESULT and sets the ErrorString property to "Setup cannot give the Certificate Enrollment Policy Web Service account List permission on the ""Deleted Objects"" container. The web service will not be able to detect deletion of Active Directory objects such as certificate templates. To complete Setup, a member of the Domain Admins group must manually give the Certificate Enrollment Policy Web Service account List permission on the ""Deleted Objects"" container in Active Directory Domain Services (AD DS)."
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 7 [desktop apps only] |
| Minimum supported server | Windows Server 2008 R2 [desktop apps only] |
| Target Platform | Windows |
| Header | casetup.h |
| DLL | Certocm.dll |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for