For WSTEP enrollment, Certificate Enrollment Gateway requires a domain user account with read-only access to LDAP and the Global Catalog in Active Directory. This domain user account must be a service account with no special permissions beyond that read-only access.
If you will use Kerberos authentication, it is recommended that you use the Kerberos Service Account for this read-only access to Active Directory rather than creating a separate service account for it. For information about creating the Kerberos Service Account, see Creating a Kerberos Service Account for Kerberos authentication.