Setting Permissions for the CMS Server Service Account

The CMS Server service account must have rights to perform the following tasks:

  • Issue and manage certificates

  • Request certificates

  • Use Enrollment Agent certificates.

To set permissions for the WildFly service account, complete the following steps.

  1. Open a DOS Command Prompt window.

  2. Enter MMC and press Enter to open the Microsoft Management Console.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Add Standalone Snap-in window, click Certification Authority, and then click Add.

  5. Click Finish, then Close, and then OK.

  6. In the console tree, expand Certification Authority, right-click the CA to which you want to set permissions, and then click Properties.

    Note: The following illustrations are for Microsoft Windows 2008 and Windows 2012.

    [Illustration: Windows Certificate Authority Properties dialog box open to the Security tab]

  7. In Properties, select the Security tab.

  8. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog is displayed.

    [Illustration: Windows Select Users, Computers, Service Accounts, or Groups dialog box]

  9. Click Locations.

    [Illustration: Windows Locations dialog box]

  10. Highlight the name of the local computer or domain to which the user belongs.

  11. Click OK.

  12. In the Enter the object names to select text box, enter the object name.

    (Optional) If you do not know the user’s name, click Advanced, and then click Locations. Under Location, click the name of the local computer or domain to which the user belongs, and then click OK. Under Search results, click Find Now, click the user’s name, and then click OK. The name of the local computer or domain to which the user belongs appears in the Enter the object name to select text box.

  13. Click Check Names. This displays the name of the local computer or domain to which the user belongs in the text box, as illustrated next.

    [Illustration: Windows Select Users, Computers, Service Accounts, or Groups dialog box with the CMS server user entered in the object name field next to the Check Names button]

  14. Click OK to add the user name to the Group or user names list in the Properties window, as illustrated next.

    [Illustration: Windows Certificate Authority Properties dialog boxes open to the Security tab, with Issue and Manage Certificates and Request Certificates set to Allow]

  15. In the Permissions for <CMS Server User> list (2008/2012), in the Allow column, select the Issue and Manage Certificates and Request Certificates options (as illustrated on this page).

  16. Click OK.
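
To confirm the result of the procedure above, the following PowerShell (an added example, not part of the original documentation or the product's tooling) reads the CA's security descriptor from the registry and reports which rights are granted directly to the account. The account name EXAMPLE\cms-svc is a placeholder, and the script assumes it is run on the CA server by a user who can read the CertSvc configuration key.

```powershell
# Added example: read-only audit of the CA access control list.
$Account = 'EXAMPLE\cms-svc'   # hypothetical placeholder for the CMS Server service account

# CA access-mask bits (certsrv.h) mapped to the names shown on the Security tab
$Rights = @{
    0x001 = 'Manage CA'
    0x002 = 'Issue and Manage Certificates'
    0x100 = 'Read'
    0x200 = 'Request Certificates'
}
$Required = 0x002 -bor 0x200   # the two options selected in step 15

# The CA security descriptor is stored as REG_BINARY under the active CA's configuration key
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$bytes  = (Get-ItemProperty -Path (Join-Path $cfg $caName)).Security
$sd     = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

# Resolve the account name to a SID so it can be compared with each ACE
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Accumulate Allow ACEs granted directly to the account (group membership is not expanded)
$granted = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Equals($sid)) {
        $granted = $granted -bor $ace.AccessMask
    }
}

# Report each right, then flag anything that differs from what step 15 selects
foreach ($bit in ($Rights.Keys | Sort-Object)) {
    $state = if ($granted -band $bit) { 'Allow' } else { '-' }
    '{0,-30} {1}' -f $Rights[$bit], $state
}
if (($granted -band $Required) -ne $Required) {
    Write-Warning "$Account is missing a right selected in step 15 on CA '$caName'."
}
if ($granted -band 0x001) {
    Write-Warning "$Account also holds Manage CA, which step 15 does not select."
}
```

Rights that the account receives only through group membership do not appear in this output, because the script compares each entry against the account's own SID.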