This section describes how to configure the Windows domain for WSTEP enrollment with Entrust Certificate Enrollment Gateway.
Certificate Enrollment Gateway supports read-only domain controllers for WSTEP enrollment. A read-only domain controller (RODC) is a server that hosts read-only partitions of the Active Directory database and responds to security authentication requests. Certificate Enrollment Gateway can accept WSTEP enrollment requests and authenticate them against an RODC.
Any configuration change to a domain controller that is documented in this guide must be made on a writable domain controller, because an RODC cannot accept directory writes. This section covers the following topics:
- Active Directory schema requirements
- Active Directory role requirements for running the Entrust-provided PowerShell scripts
- Creating a service logon account for read-only access to Active Directory
- Creating a Kerberos Service Account for Kerberos authentication
- Configuring the Group Policy for cross-forest deployments
- Adding referrals for cross-forest deployments