The Certificate Enrollment Policy Web Service requires a TLS certificate in Microsoft IIS. You will set the TLS certificate later, as explained in Configuring the TLS certificate of the Windows endpoints.
After installing the Windows Certificate Enrollment Policy Web Service as documented in Installing the CEP Web Service using the Windows graphical interface, you must select the authentication mode supported for the Certificate Enrollment Policy Web Service endpoints.
The Certificate Enrollment Gateway supports both Windows integrated authentication (Kerberos) and password authentication. Client certificate authentication is currently not supported.
If you support non-domain enrollment endpoints, you must configure the Certificate Enrollment Policy Web Service for username and password authentication.
When authenticating with username and password, the CEP Service supports the following username formats.
- username
- domain\username
- username@domain
- domainfqdn\username
- username@domainfqdn
WSTEP uses the supplied domain information to validate the user. If the username carries no domain, WSTEP attempts to use the domain information in the SOAP request. If the SOAP request carries no domain information either, WSTEP falls back to the domain configured in the Certificate Enrollment Gateway configuration.
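The following PowerShell function is an added illustration of the domain-resolution order described above; it is not Certificate Enrollment Gateway or WSTEP code. It splits a logon name according to the five supported formats and then applies the documented precedence: a domain in the username, otherwise the domain from the SOAP request, otherwise the gateway's configured domain. The parameter names `SoapRequestDomain` and `ConfiguredDomain`, and the sample inputs at the end, are assumptions made for the example.

```powershell
# Added illustration (not Certificate Enrollment Gateway code): parse a CEP
# logon name and resolve the domain used to validate the user.
function Resolve-CepLogon {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $SoapRequestDomain,   # assumption: domain carried in the SOAP request, if any
        [string] $ConfiguredDomain     # assumption: domain from the gateway configuration
    )

    $user   = $UserName
    $domain = $null

    if ($UserName -match '^([^\\@]+)\\([^\\@]+)$') {
        # domain\username or domainfqdn\username
        $domain = $Matches[1]
        $user   = $Matches[2]
    }
    elseif ($UserName -match '^([^\\@]+)@([^\\@]+)$') {
        # username@domain or username@domainfqdn
        $user   = $Matches[1]
        $domain = $Matches[2]
    }
    elseif ($UserName -match '[\\@]') {
        # Anything else containing a separator (for example a\b@c) is not one of
        # the five documented formats.
        throw "Unsupported username format: '$UserName'"
    }

    # Precedence: username > SOAP request > gateway configuration.
    $source = 'username'
    if (-not $domain) {
        if ($SoapRequestDomain) {
            $domain = $SoapRequestDomain
            $source = 'soap-request'
        }
        elseif ($ConfiguredDomain) {
            $domain = $ConfiguredDomain
            $source = 'gateway-config'
        }
        else {
            throw "No domain available to validate user '$user'"
        }
    }

    [pscustomobject]@{ User = $user; Domain = $domain; DomainSource = $source }
}

# Constructed sample inputs (not real accounts or domains).
Resolve-CepLogon -UserName 'jdoe' -SoapRequestDomain 'corp.example.com' -ConfiguredDomain 'example.com'
Resolve-CepLogon -UserName 'jdoe' -ConfiguredDomain 'example.com'
Resolve-CepLogon -UserName 'CORP\jdoe'
Resolve-CepLogon -UserName 'jdoe@corp.example.com'
```

The `DomainSource` field makes it easy to see, for a given request, which of the three sources supplied the domain; the first sample resolves from the SOAP request, the second from the gateway configuration, and the last two from the username itself.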
To select the authentication mode for the CEP Web Service using the Windows graphical interface
- Log in to the server where you installed the Certificate Enrollment Policy Web Service.
- Open Server Manager. Select Start > Server Manager.
  The Server Manager dialog box appears.
- Select Notifications > Configure Active Directory Certificate Services on the destination server.
  The AD CS Configuration dialog box appears.
- Enter or select the administrator credentials you will use to configure role services. Click Next.
  The Role Services page appears.
- Select Certificate Enrollment Policy Web Service.
- Click Next.
  The Authentication Type for CEP page appears.
- Select an authentication method supported by Certificate Enrollment Gateway. Client certificate authentication is currently not supported by Certificate Enrollment Gateway. If you support non-domain enrollment endpoints, you must select User name and password as the authentication method. Click Next.
  The Enable Key-Based Renewal for CEP page appears.
- Do not select any options. Click Next.
  The Server Certificate page appears.
- Select Choose and assign a certificate for SSL later. Click Next.
  The Confirmation page appears.
- Click Configure.
  After the authentication mode is configured, the Results page appears.
- Click Close.
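The same configuration can be applied from an elevated PowerShell session using the ADCSDeployment module that ships with the AD CS role. The script below is an added example, not taken from the Certificate Enrollment Gateway documentation. It assumes the role service has already been added (`Install-WindowsFeature ADCS-Enroll-Web-Pol`), leaves key-based renewal disabled and supplies no `-SSLCertThumbprint`, mirroring the "Do not select any options" and "assign a certificate for SSL later" steps above; the TLS certificate is still bound in IIS afterwards. The `$authMode` value and the final IIS check are choices made for the example.

```powershell
# Added example (not Certificate Enrollment Gateway documentation): configure the
# CEP Web Service authentication mode with the ADCSDeployment cmdlets instead of
# Server Manager. Run in an elevated session on the CEP server.
Import-Module ADCSDeployment
Import-Module ServerManager

# Assumption: the role service was added earlier with
#   Install-WindowsFeature ADCS-Enroll-Web-Pol
$feature = Get-WindowsFeature -Name ADCS-Enroll-Web-Pol
if (-not $feature.Installed) {
    throw 'The Certificate Enrollment Policy Web Service role service is not installed.'
}

# Certificate Enrollment Gateway supports Kerberos and Username; Certificate
# authentication is not supported. Non-domain enrollment endpoints require Username.
$authMode = 'Username'

# No -KeyBasedRenewal switch (key-based renewal stays off) and no
# -SSLCertThumbprint (the TLS certificate is assigned in IIS later).
# -Credential corresponds to the administrator credentials entered in the wizard.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType $authMode `
                                       -Credential (Get-Credential) `
                                       -Force

# Check that the CEP application was created under the Default Web Site.
Import-Module WebAdministration
Get-WebApplication -Site 'Default Web Site' |
    Where-Object { $_.Path -like '/ADPolicyProvider_CEP_*' } |
    Select-Object Path, PhysicalPath
```

If the `Where-Object` filter returns nothing, the role service was not configured; re-run the cmdlet with `-Verbose` to see which step failed before proceeding to the TLS certificate binding described in Configuring the TLS certificate of the Windows endpoints.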