Before you can use the Microsoft Certificate Authority and the preconfigured template, you must configure least privilege access for the Active Directory service account that SDDC Manager uses (svc-vcf-ca). The account receives only the rights it needs to submit requests and issue certificates, and nothing that would let it administer the CA or modify the template.

Procedure

  1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.

     Setting     Value
     FQDN        Active Directory Host
     User        Active Directory administrator
     Password    ad_admin_password

  2. Configure least privilege access for svc-vcf-ca on the Microsoft Certificate Authority.
    1. Click Start > Run, enter certsrv.msc, and click OK.
    2. Right-click the certificate authority server and click Properties.
    3. Click the Security tab, and click Add.
    4. Enter the svc-vcf-ca service account and click OK.
    5. In the Permissions for svc-vcf-ca section, configure the permissions as follows and click OK.

       Setting                          Value (Allow)
       Read                             Deselected
       Issue and Manage Certificates    Selected
       Manage CA                        Deselected
       Request Certificates             Selected

  3. Configure least privilege access for svc-vcf-ca on the Microsoft Certificate Authority template.
    1. Click Start > Run, enter certtmpl.msc, and click OK.
    2. Right-click the VMware template and click Properties.
    3. Click the Security tab, and click Add.
    4. Enter the svc-vcf-ca service account and click OK.
    5. In the Permissions for svc-vcf-ca section, configure the permissions as follows and click OK.

       Setting         Value (Allow)
       Full Control    Deselected
       Read            Selected
       Write           Deselected
       Enroll          Selected
       Autoenroll      Deselected
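The two permission tables above are set by hand in certsrv.msc and certtmpl.msc, which makes drift easy to miss. The following PowerShell script is an added verification example, not part of the VMware procedure: it reads the CA's security descriptor from the registry and the template's ACL from Active Directory and reports, for each right in the tables, whether svc-vcf-ca actually holds it. Assumptions not stated on the page: it runs on the CA server as a user who can read the CertSvc registry key and the AD configuration partition, the ActiveDirectory RSAT module is installed, and the template's AD common name is VMware (change $TemplateCN if the template was created under another name).

```powershell
# Added verification script; not part of the VMware procedure.
# Assumptions: run on the CA server, ActiveDirectory module available,
# template CN is 'VMware' (adjust $TemplateCN if needed).
Import-Module ActiveDirectory

$Account    = 'svc-vcf-ca'
$TemplateCN = 'VMware'          # assumption: AD CN of the VMware template
$Sid        = (Get-ADUser -Identity $Account).SID

function Test-Expected {
    # Print one OK/FIX line per right, comparing the actual Allow state to the table.
    param([string]$Scope, [System.Collections.IDictionary]$Actual,
          [System.Collections.IDictionary]$Expected)
    "$Scope permissions for ${Account}:"
    foreach ($name in $Expected.Keys) {
        $status = if ($Actual[$name] -eq $Expected[$name]) { 'OK ' } else { 'FIX' }
        '  {0} {1,-32} allow={2,-5} expected={3}' -f $status, $name, $Actual[$name], $Expected[$name]
    }
}

# --- CA (certsrv.msc > Properties > Security) --------------------------------
# The CA keeps its DACL as a binary security descriptor under the active CA's
# configuration key. Access-mask bits from certca.h:
#   CA_ACCESS_ADMIN   0x001 = Manage CA
#   CA_ACCESS_OFFICER 0x002 = Issue and Manage Certificates
#   CA_ACCESS_READ    0x100 = Read
#   CA_ACCESS_ENROLL  0x200 = Request Certificates
$CfgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName  = (Get-ItemProperty -Path $CfgKey).Active
$SdBytes = (Get-ItemProperty -Path (Join-Path $CfgKey $CaName)).Security
$CaSd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($SdBytes, 0)

$CaAllow = 0
$CaDeny  = 0
foreach ($ace in $CaSd.DiscretionaryAcl) {
    # Only ACE types that carry a SID are relevant here.
    if (-not ($ace -is [System.Security.AccessControl.KnownAce])) { continue }
    if ($ace.SecurityIdentifier.Value -ne $Sid.Value) { continue }
    switch ($ace.AceType) {
        'AccessAllowed' { $CaAllow = $CaAllow -bor $ace.AccessMask }
        'AccessDenied'  { $CaDeny  = $CaDeny  -bor $ace.AccessMask }
    }
}

$CaActual = [ordered]@{
    'Read'                          = ($CaAllow -band 0x100) -ne 0
    'Issue and Manage Certificates' = ($CaAllow -band 0x002) -ne 0
    'Manage CA'                     = ($CaAllow -band 0x001) -ne 0
    'Request Certificates'          = ($CaAllow -band 0x200) -ne 0
}
$CaExpected = [ordered]@{
    'Read' = $false; 'Issue and Manage Certificates' = $true
    'Manage CA' = $false; 'Request Certificates' = $true
}
Test-Expected -Scope "CA '$CaName'" -Actual $CaActual -Expected $CaExpected
if ($CaDeny -ne 0) {
    '  Note: explicit Deny ACEs for {0} (mask 0x{1:X}) override the Allow bits' -f $Account, $CaDeny
}

# --- Template (certtmpl.msc > Properties > Security) -------------------------
# Templates are objects in the AD configuration partition. Enroll and Autoenroll
# are extended rights selected by GUID; Read/Write/Full Control are ordinary
# object rights. An ExtendedRight ACE with an empty ObjectType grants every
# extended right, so it counts as both Enroll and Autoenroll.
[guid]$EnrollGuid     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
[guid]$AutoenrollGuid = 'a05b8cc2-17bc-11d2-9d8b-0000f8c73e5e'
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$TplDn = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services," +
         (Get-ADRootDSE).configurationNamingContext
$Aces  = (Get-Acl -Path "AD:\$TplDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $Sid.Value
}

function Test-ExtendedRight([guid]$Guid) {
    [bool]($Aces | Where-Object {
        ($_.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0 -and
        ($_.ObjectType -eq $Guid -or $_.ObjectType -eq [guid]::Empty) })
}
$AllRights = 0
foreach ($a in $Aces) { $AllRights = $AllRights -bor [int]$a.ActiveDirectoryRights }

$TplActual = [ordered]@{
    'Full Control' = ($AllRights -band [int]$R::GenericAll) -eq [int]$R::GenericAll
    'Read'         = ($AllRights -band [int]$R::ReadProperty) -ne 0
    'Write'        = ($AllRights -band [int]$R::WriteProperty) -ne 0
    'Enroll'       = Test-ExtendedRight $EnrollGuid
    'Autoenroll'   = Test-ExtendedRight $AutoenrollGuid
}
$TplExpected = [ordered]@{
    'Full Control' = $false; 'Read' = $true; 'Write' = $false
    'Enroll' = $true; 'Autoenroll' = $false
}
Test-Expected -Scope "Template '$TemplateCN'" -Actual $TplActual -Expected $TplExpected
```

Run it after completing steps 2 and 3; every line should read OK, and a FIX line names the checkbox to revisit. For a quick raw view of the CA DACL without the script, certutil -getreg CA\Security dumps the same security descriptor. Keep in mind what the one broad right in the table grants: Issue and Manage Certificates is the Certificate Manager role, which lets svc-vcf-ca approve pending requests and revoke any certificate the CA has issued, so that account's credentials deserve the same handling as a CA operator's, and the absence of Manage CA and of Write or Full Control on the template is what keeps it from changing the CA's or the template's own configuration.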