IIS Configuration for PKI
  • 29 Jan 2025


Part 1 - Request Certificate

  1. Log into your MFA server interactively as the Service Account. This first logon creates the account's Windows profile, which is where the certificate and private key requested below will be stored.
    (screenshot: rissa login.png)

  2. Run mmc.exe.
    (screenshot: request cert 1 - mmc.png)

  3. Click File > Add/Remove Snap-in...
    (screenshot: request cert 2 - add snapin.png)

  4. On the left-hand side, highlight Certificates and click "Add". When prompted, choose to manage certificates for "My user account" (the Current User store, not the Computer account).
    (screenshot: request cert 3 - add certs.png)

  5. With the Certificates snap-in loaded, expand Certificates - Current User and right-click Personal > All Tasks > Request New Certificate...
    (screenshot: request cert 4 - request new cert.png)

  6. Click "Next" through the wizard until you reach the page that lists the templates you can enroll for. Select (✓) only your "Enrollment Agent" certificate and click "Enroll". If the template is not listed, it usually means it is not published on the CA or the Service Account has not been granted Enroll permission on it; fix that before continuing.
    (screenshot: request cert 5 - select enrollment agent.png)

  7. When the enrollment completes, click "Finish".
    (screenshot: request cert 5a - finish.png)

  8. Log out of your Service Account's session on the server.
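The same enrollment done from PowerShell, as an added example that is not part of the original article. It must be run in a session logged on as the Service Account, exactly as the steps above require, so that the certificate and key land in that account's user store. It assumes the template's internal name is EnrollmentAgent (display name "Enrollment Agent") and that the account has Enroll permission on it; the EKU OID used for verification is the standard Certificate Request Agent OID.

```powershell
# Added example (not from the original article): enroll the Enrollment Agent
# certificate into the Service Account's user store, then verify it.
# Run in an interactive session logged on AS THE SERVICE ACCOUNT (see Part 1).
# Assumptions: the template's internal name is 'EnrollmentAgent' (display name
# "Enrollment Agent") and the account has Enroll permission on it at the CA.
Import-Module PKI

$templateName    = 'EnrollmentAgent'          # assumption: internal template name
$requestAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU OID
$userStore       = 'Cert:\CurrentUser\My'     # Personal store of the logged-on user

# The store is per-user: running this from an administrator's session would put the
# certificate where the application pool can never see it.
Write-Host "Enrolling as $env:USERDOMAIN\$env:USERNAME into $userStore"

$result = Get-Certificate -Template $templateName -CertStoreLocation $userStore
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($result.Status)). Check that the template is published and the account has Enroll rights."
}

# Verify: the certificate the IIS worker process will later use, with a private key.
$agentCert = Get-ChildItem -Path $userStore |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $requestAgentEku } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $agentCert) {
    throw "No certificate with the Certificate Request Agent EKU found in $userStore"
}
if (-not $agentCert.HasPrivateKey) {
    throw 'Enrollment Agent certificate has no usable private key'
}

$agentCert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Get-Certificate returns an enrollment result whose Status is Issued, Pending or an error; a Pending status means the CA requires manager approval for the template and the MMC wizard would have shown the same thing.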

Part 2 - Update Install Path Security

Because the Service Account will run the IIS application pool, it needs write access to the install folder; without it, the MFA server cannot write its logs whenever they are scheduled to run. Grant that access as follows.

  1. Log back into your MFA server with an administrative account.
  2. Open File Explorer and navigate to C:\Program Files\
  3. Right-click the Identity Automation folder > Properties.
  4. Go to the Security tab.
    (screenshot: ca iis 1 - install properties.png)

  5. Click "Edit..." and add your Service Account.
    (screenshot: ca iis 3 - add rissa.png)

  6. Give the account Full Control over the folder. (If your environment requires least privilege, Modify is normally enough for an account that only needs to create and write files under the folder; Full Control additionally lets it change permissions and take ownership.)
    (screenshot: ca iis 2 - securitay.png)

    6a. Click "OK" when finished.

  7. Click "OK" to close the folder's properties and finish the security step.
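The same permission change from an elevated PowerShell session, as an added example that is not part of the original article. The account name CONTOSO\svc-mfa is a placeholder; substitute your own DOMAIN\account. The rule is written to inherit to subfolders and files, matching what the Security tab does by default, and the last command reads the ACL back so you can confirm the entry took effect.

```powershell
# Added example (not from the original article): grant the Service Account access to
# the install folder and verify the resulting ACE. Run elevated as an administrator,
# as in Part 2.
# Assumption: 'CONTOSO\svc-mfa' is a placeholder; substitute your own DOMAIN\account.
$installPath    = 'C:\Program Files\Identity Automation'
$serviceAccount = 'CONTOSO\svc-mfa'   # assumption: placeholder account name

# The article grants Full Control. Swap in ::Modify if the account only needs to
# create and write files under the folder (least privilege).
$rights = [System.Security.AccessControl.FileSystemRights]::FullControl

$acl  = Get-Acl -Path $installPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $serviceAccount,
    $rights,
    'ContainerInherit, ObjectInherit',   # this folder, its subfolders and its files
    'None',                              # no special propagation
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $installPath -AclObject $acl

# Verify: the new ACE is present and set to inherit to children.
(Get-Acl -Path $installPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

If the verification prints nothing, the account name did not resolve (typically a wrong domain prefix), and Set-Acl will usually have thrown an identity-translation error above it.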


Part 3 - Assign IIS Application Pools

  1. On your MFA server, as an administrative account, open IIS Manager.
  2. On the left-hand side, expand your server's name.
  3. Click Application Pools.
  4. In the center pane, right-click "oneAppPool40" > Advanced Settings...
    (screenshot: iis pool 2.png)

  5. Scroll down to the Process Model section.

  6. Click the ellipsis (...) next to Identity.
    6a. A pop-up will appear. Select "Custom account" then click "Set..."
    (screenshot: iis pool 3.png)

    6b. In the next pop-up, enter your Service Account's credentials in DOMAIN\username form (the domain is required) and click "OK" when finished.
    (screenshot: iis pool 4.png)

    6c. Click "OK" to finish setting the identity.

  7. Set Load User Profile to "True". This is required: the Enrollment Agent certificate from Part 1 lives in the Service Account's user certificate store, and the worker process can only open that store and its private key when IIS loads the account's profile.
    (screenshot: iis pool 5.png)

  8. Click "OK" to finish updating the advanced settings.
  9. Run iisreset from an elevated command prompt so the pool starts under the new identity.
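The same application pool change from an elevated PowerShell session, as an added example that is not part of the original article. It uses the WebAdministration module's IIS: drive; the pool name is the one from the steps above, and CONTOSO\svc-mfa is a placeholder for your own DOMAIN\account. The password is prompted for rather than written into the script, and the final command reads the process model back so you can confirm both the identity and Load User Profile before moving on.

```powershell
# Added example (not from the original article): set the application pool identity and
# Load User Profile, restart IIS, and verify. Run elevated as an administrator, as in
# Part 3.
# Assumptions: 'CONTOSO\svc-mfa' is a placeholder for your DOMAIN\account; the pool
# name 'oneAppPool40' is the one named in the article.
Import-Module WebAdministration

$poolName       = 'oneAppPool40'
$serviceAccount = 'CONTOSO\svc-mfa'   # assumption: placeholder account name
$poolPath       = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) { throw "Application pool '$poolName' not found" }

# Prompt for the password instead of embedding it in the script.
$cred = Get-Credential -UserName $serviceAccount -Message 'Service Account password'

# "Custom account" in the GUI is identityType SpecificUser; userName must carry the domain.
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Without the profile the worker process cannot open the Service Account's user
# certificate store, so the Enrollment Agent certificate from Part 1 would be invisible.
Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true

iisreset

# Verify the effective settings (the password is not shown).
Get-ItemProperty -Path $poolPath -Name processModel |
    Select-Object identityType, userName, loadUserProfile
```

If identityType does not read back as SpecificUser, IIS rejected the credentials; check the domain prefix and that the account is not locked out or restricted from logging on to this server.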

You've completed all of the steps for IIS. You can now move on to the final part and Create A Smart Card Certificate Set!

