Setting up user accounts for Centralized Certificate Module

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

I recently worked on a case where the customer mentioned that he had configured the Centralized Certificate Module in IIS but was getting the error “Cannot connect to the specified path. Make sure that the path and the credentials are valid.”

Figure-1

The customer’s scenario was that the IIS server was not joined to the domain, while the machine hosting the certificate store was joined to the company domain. The credentials he had entered while configuring the Centralized Certificates module were those of a domain account that has permission to access the certificate store.

Before jumping into the solution, here is a brief overview of the Centralized Certificate feature in IIS.

Centralized Certificate Module

IIS 8.0 (Windows Server 2012) and later versions provide a feature called Centralized Certificates, often referred to as the Centralized Certificate Store (CCS). It allows server administrators to keep the SSL certificates as .pfx files on a single file share and have every IIS server in a web farm load them from there, instead of importing each certificate into the local certificate store of every server. IIS selects the certificate for an HTTPS request by matching the requested host name to the file name on the share (for example, www.abc.com.pfx).

Figure-2

You need to install the Centralized SSL Certificate Support role service of IIS (Web-CertProvider in Install-WindowsFeature) to be able to use the Centralized Certificate feature.

Figure-3

You can refer to the article here for the steps to install the feature.

Configuring the Centralized Certificate Module

When you open the module and click Edit Feature Settings, you reach the page where the module is configured so that it can read the certificates from the file share:

Figure-4

Figure-5

Under Centralized Certificates Location, the Physical Path is the UNC path of the share where the certificate (.pfx) files are located. The Private Key Password entered on the same page applies to every certificate in the store, so all the .pfx files must be protected with the same password.

In this article, I will discuss the Username and the Password that must be entered under Centralized Certificates Location to configure the Centralized Certificate module in IIS.

Scenario-1:

The IIS server on which you are configuring the Centralized Certificate module is joined to a domain, the server hosting the certificate store is joined to the same domain, and the account that has permission to access the file share is a domain account.

Here, the Username field should be that domain account and the Password field its password. When IIS verifies the credentials, it logs the account on with them; the logon is validated by a domain controller (DC) of the domain, and if it succeeds IIS reads the contents of the share and lists the certificates in the module. The account only needs read permission (share and NTFS) on the certificate folder.

Example: The IIS server and the file share server are joined to the domain corp.abc.com and the account that has access to the certificate file share is corp\User1. Here, Username: corp\User1.
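The installation and configuration steps above, carried through for Scenario-1 in PowerShell, as an added example that is not part of the original post. It uses the WebAdministration module that ships with IIS; the share \\fileserver.corp.abc.com\CertStore, the site name Default Web Site, the host name www.abc.com and the account corp\User1 are assumed values, and the script runs on the IIS server as an administrator.

```powershell
# Added example, not from the original post. Share path, site, host name and
# the account corp\User1 are assumptions; run on the IIS server as administrator.

# 1. Install the "Centralized SSL Certificate Support" role service.
Install-WindowsFeature -Name Web-CertProvider
Import-Module WebAdministration

# 2. Enable the provider and point it at the share with the Scenario-1 domain
#    account (it only needs read access to the share). Prompt for the secrets
#    instead of hard-coding them in a script; IIS stores them encrypted in
#    applicationHost.config. One private key password covers every .pfx file
#    in the store, so all of them must be protected with the same one.
$ccsPassword = Read-Host -Prompt 'Password for corp\User1'
$pfxPassword = Read-Host -Prompt 'Private key password of the .pfx files'
Enable-WebCentralCertProvider -CertStoreLocation '\\fileserver.corp.abc.com\CertStore' `
                              -UserName 'corp\User1' `
                              -Password $ccsPassword `
                              -PrivateKeyPassword $pfxPassword

# 3. Read the settings back to confirm what IIS stored.
Get-WebCentralCertProvider

# 4. HTTPS binding that uses the store. No certificate hash is bound here: at
#    request time IIS matches the requested host name to a file on the share,
#    \\fileserver.corp.abc.com\CertStore\www.abc.com.pfx for this binding
#    (a wildcard certificate is stored as _.abc.com.pfx).
#    SslFlags 3 = SNI (1) + Centralized Certificate Store (2).
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 `
               -HostHeader 'www.abc.com' -SslFlags 3
```

If the share path or the credentials are wrong, the module shows the “Cannot connect to the specified path” error from Figure-1 the moment you open it; the remaining scenarios below cover the cases where a plain domain account cannot be validated by the IIS server.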

 

Scenario-2:

The IIS server on which you are configuring the Centralized Certificate module is joined to a domain iis.abc.com, the server hosting the certificates is joined to a different domain file.abc.com, and the account that has permission to access the file share is file\User2:

Because the two servers are joined to different domains, if you enter the file.abc.com account on the IIS server in iis.abc.com, IIS tries to validate the credentials by contacting a domain controller (DC) for file.abc.com. The IIS server is not joined to that domain and, when no trust exists between iis.abc.com and file.abc.com, cannot authenticate against it, so the logon fails and the module reports an Invalid Username or Password error. (If the two domains do trust each other, for example because both belong to the same forest, the domain account file\User2 can be used directly as in Scenario-1.)

Here, you will need to create a local user account under Local Users and Groups on the IIS server with the username User2 and exactly the same password as the domain account file\User2. The Username and Password to configure in the Centralized Certificate module are those of this local account. Keep the two passwords in sync: whenever the password of file\User2 is rotated, change the local mirror account as well, otherwise the store stops loading.

Scenario-3:

The IIS server on which you are configuring the Centralized Certificate module (Server-1) is not joined to a domain, the server hosting the certificates (Server-2) is joined to a domain file.abc.com, and the account that has permission to access the file share is a domain account of file.abc.com (file\User2).

Because the IIS server is not joined to any domain, if you enter a file.abc.com account on it, IIS tries to validate the credentials by contacting a DC for file.abc.com; a workgroup machine cannot do that, so the logon fails and the module reports an Invalid Username or Password error.

Here, you will need to create a local user account on both Server-1 and Server-2 with the same credentials, i.e., the same username and password, and grant the Server-2 local account read access to the certificate store share and folder. The Username and Password to configure in the Centralized Certificate module are those of this local account.

Scenario-4:

The IIS server on which you are configuring the Centralized Certificate module (Server-1) is not joined to a domain, the server hosting the certificates (Server-2) is not joined to a domain either, and the account that has permission to access the file share is a local account on Server-2.

Here too, you will need to create a local user account on both Server-1 and Server-2 with the same username and password, and grant the Server-2 account read access to the certificate store. The Username and Password to configure in the Centralized Certificate module are those of this local account. Since no directory can validate the account for either machine, the matching password is the only thing that ties the two local accounts together, so treat it like any other shared service secret: keep it in a password vault and rotate it on both machines at the same time.
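How the mirrored local account of Scenario-3 and Scenario-4 can be provisioned and checked, as an added example that is not part of the original post (for Scenario-2 only the Server-1 section applies, with the username and password of file\User2). The account name ccsreader, the folder D:\CertStore, the share name CertStore and the host name server2 are assumptions; the Server-2 section runs on the file server and the Server-1 section on the IIS server, and the password must be identical in both places.

```powershell
# Added example, not from the original post. Account name, folder, share name
# and the host name 'server2' are assumptions. Run the Server-2 section on the
# file server and the Server-1 section on the IIS server with the SAME password.

$AccountName = 'ccsreader'
$SharePath   = 'D:\CertStore'     # assumed folder holding the .pfx files on Server-2
$ShareName   = 'CertStore'
$Password    = Read-Host -Prompt "Password for the local account $AccountName" -AsSecureString

# ---- Server-2: the machine that holds the certificates ----
New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
              -UserMayNotChangePassword -Description 'IIS CCS read-only account'
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
# Share permission: read only for the CCS account, nothing for Everyone.
New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $AccountName -FullAccess 'Administrators'
# NTFS permission: drop inherited ACEs so that only administrators, SYSTEM and
# the CCS account (read/execute) can reach the .pfx files and their private keys.
icacls $SharePath /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${AccountName}:(OI)(CI)RX"

# ---- Server-1: the IIS server ----
# Same name and password: when IIS logs this local account on and opens the
# share, Server-2 accepts the NTLM credentials because they match its own local
# account of the same name (pass-through authentication between mirrored accounts).
New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
              -UserMayNotChangePassword -Description 'IIS CCS read-only account (mirror)'

# Pre-check from Server-1 before touching the module, using the local account
# exactly as IIS will. If this mapping fails, the module will fail with the same
# "Cannot connect to the specified path" error.
$cred = New-Object -TypeName System.Management.Automation.PSCredential `
                   -ArgumentList "$env:COMPUTERNAME\$AccountName", $Password
New-PSDrive -Name CCS -PSProvider FileSystem -Root "\\server2\$ShareName" `
            -Credential $cred -ErrorAction Stop | Out-Null
Get-ChildItem -Path 'CCS:\' -Filter '*.pfx'
Remove-PSDrive -Name CCS
```

Once the listing succeeds, enter ccsreader and the same password as Username and Password in the Centralized Certificate module. The account is a shared secret between the two machines: give it read access only, rotate it on both sides together, and, since it is used solely for SMB access, consider denying it interactive logon on both machines.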

 

 

Hence, to summarize the scenarios described above, the account to specify in the Centralized Certificate module depends on how the IIS server and the certificate store server are joined:

IIS server                    | Centralized Certificate Store server | Account to be configured in CCS
------------------------------|--------------------------------------|--------------------------------------------------------------------------
Domain joined – iis.abc.com   | Domain joined – iis.abc.com          | Domain account under iis.abc.com (iis\User1)
Domain joined – iis.abc.com   | Domain joined – file.abc.com         | Common local account on both machines (or a local account on the IIS server mirroring file\User2, see Scenario-2)
Not domain joined             | Domain joined – file.abc.com         | Common local account on both machines
Not domain joined             | Not domain joined                    | Common local account on both machines
