For WSTEP enrollment, the enrollment service in Active Directory must use the following URL to communicate with Certificate Enrollment Gateway:

https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <auth> is the authentication method, either usertoken for user name and password authentication or kerberos for Kerberos (Windows integrated) authentication.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.

For example, when authenticating with a user name and password:

https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1

For example, when authenticating with Kerberos:

https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
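The following Python snippet is an added example, not code from the Certificate Enrollment Gateway product or its documentation. It assembles a WSTEP URL from its four components and checks a configured URL against the layout above (https scheme, port 443, the fixed wstep and services segments, an <auth> value of usertoken or kerberos, and a case-sensitive <tenant-ID>), so an administrator can catch a mistyped enrollment URL before rolling it out to Windows endpoints. The function names and the sample values are the author's assumptions.

```python
from urllib.parse import urlsplit

# The two <auth> values the page defines for the WSTEP path.
AUTH_METHODS = {"usertoken", "kerberos"}


def build_wstep_url(ceg_server, auth, tenant_id, ca_id):
    """Assemble https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>."""
    if auth not in AUTH_METHODS:
        raise ValueError(f"auth must be one of {sorted(AUTH_METHODS)}, got {auth!r}")
    for name, value in (("ceg_server", ceg_server),
                        ("tenant_id", tenant_id),
                        ("ca_id", ca_id)):
        # A slash would silently add a path segment and break the layout.
        if not value or "/" in value:
            raise ValueError(f"{name} must be a non-empty value without '/'")
    return f"https://{ceg_server}:443/wstep/{auth}/services/{tenant_id}/{ca_id}"


def parse_wstep_url(url):
    """Validate a configured WSTEP URL; return its components or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.port != 443:  # the page's layout names port 443 explicitly
        raise ValueError("port must be 443")
    if parts.query or parts.fragment:
        raise ValueError("query string or fragment is not part of the WSTEP URL")
    segments = parts.path.split("/")
    # Expected: ['', 'wstep', <auth>, 'services', <tenant-ID>, <CA-ID>]
    if (len(segments) != 6 or segments[0] != "" or segments[1] != "wstep"
            or segments[3] != "services" or not all(segments[2:])):
        raise ValueError("path must be /wstep/<auth>/services/<tenant-ID>/<CA-ID>")
    auth = segments[2]
    if auth not in AUTH_METHODS:
        raise ValueError(f"unknown auth method {auth!r}")
    # Path segments are kept as written, so tenant ID case is preserved.
    return {
        "ceg_server": parts.hostname,
        "auth": auth,
        "tenant_id": segments[4],
        "ca_id": segments[5],
    }


def is_valid_wstep_url(url):
    """Boolean wrapper for use in configuration checks or scripts."""
    try:
        parse_wstep_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values matching the page's examples.
    for auth in sorted(AUTH_METHODS):
        url = build_wstep_url("cegserver1.example.com", auth, "tenant1", "example-ca1")
        print(url, parse_wstep_url(url))
    # Typical mistakes the check rejects: plain http, a different port, an unknown auth.
    for bad in ("http://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1",
                "https://cegserver1.example.com:8443/wstep/usertoken/services/tenant1/example-ca1",
                "https://cegserver1.example.com:443/wstep/ntlm/services/tenant1/example-ca1"):
        print("rejected:", bad, is_valid_wstep_url(bad))
```

Because the tenant ID is case-sensitive, the parser returns it exactly as written; comparing it against the tenant configured in Certificate Enrollment Gateway should therefore be an exact string comparison, not a case-insensitive one.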