CA Enrollment Web Services
I want to be able to use Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service for Internet-based domain members to enroll and renew their certificates. I have a couple questions on the design. I have been reviewing all the documents I can find on design for Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service.

One design option that seems to be missing from the options in the documents I look at is having both servers reside on the internal network, then use a reverse proxy to redirect Internet clients via HTTPS to the servers. I am just curious if anyone knows of a reason this configuration will NOT work?

Secondly, the authentication options include Windows Integrated Authentication, Client Certificate Authentication, and Username and Password. If my clients are domain members and the users are logged in with cached domain credentials, will Windows Integrated Authentication work if the internet-based client connects via reverse proxy to the enrollment server? The documents sound like this wouldn't work as the client does not have a direct connection to the internal network to truly authenticate to a domain controller, but I want to be sure I'm understanding it correctly.

Thanks for any assistance you can provide!
May 22nd, 2012 10:55am

Hello, Thank you for your post. This is a quick note to let you know that we are performing research on this issue. Best Regards, Elytis Cheng, TechNet Community Support
May 23rd, 2012 7:08am

Hi, As we know, an enterprise CA issues certificates based on certificate templates, and the template has been set with proper permissions to determine who can request a certificate. So please tell me if your CA is enterprise or standalone. Best regards, Jason Mei. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 24th, 2012 5:47am

The CA is Enterprise. The question is not about permissions on templates though. The question is about the authentication methods available in CEWPS and CEWS and whether Windows authentication would work through a reverse proxy. I think Jason Jones answered it and that is that I would have to configure the authentication on the reverse proxy along with the HTTPS-based access to the CEWPS and CEWS services to get it to work.
May 24th, 2012 7:46am

This topic is archived. No further replies will be accepted.
