During Certificate Enrollment configuration, you have the option to specify one of the following types of accounts as the service account:
- A user account that acts as the service account (recommended).
- The built-in application pool identity of the Internet Information Services (IIS) installation on the local computer.
Configuring a specific user account as the service account is the recommended configuration. The user account that is to be configured as a service account must be:
- A domain account in the domain in which the Certificate Enrollment computer is a member.
- A member of the local IIS_IUSRS group.
- Configured with a service principal name (SPN) if Kerberos authentication is selected.
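
The three requirements above can be checked before the account is assigned. The following PowerShell is an added example, not part of the original documentation; the function name `Test-EnrollmentServiceAccount` and the account `CONTOSO\svc-ces` are hypothetical placeholders, and the group check covers direct membership of IIS_IUSRS only.

```powershell
# Added example: preflight check for a Certificate Enrollment service account.
# Run on the Certificate Enrollment computer in an elevated session.
function Test-EnrollmentServiceAccount {
    param(
        [Parameter(Mandatory)]
        # DOMAIN\sAMAccountName; the restricted character set keeps the LDAP filter below safe.
        [ValidatePattern('^[^\\]+\\[A-Za-z0-9._$-]+$')]
        [string]$Account,
        [switch]$Kerberos   # set when Kerberos authentication is selected
    )
    $sam = ($Account -split '\\', 2)[1]

    # Requirement 1: the account exists in the domain this computer is a member of.
    $computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$sam))"
    $searcher.SearchRoot = $computerDomain.GetDirectoryEntry()
    [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
    $user = $searcher.FindOne()

    # Requirement 2: direct member of the local IIS_IUSRS group (compared by SID, not by name).
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $inGroup = [bool](Get-LocalGroupMember -Group 'IIS_IUSRS' |
        Where-Object { $_.SID.Value -eq $sid.Value })

    # Requirement 3: at least one SPN is registered on the account (needed only for Kerberos).
    $spns = @()
    if ($user) {
        $spns = @($user.Properties['serviceprincipalname'] | Where-Object { $_ })
    }
    $hasSpn = $spns.Count -gt 0

    [pscustomobject]@{
        Account          = $Account
        ComputerDomain   = $computerDomain.Name
        InComputerDomain = [bool]$user
        InIisIusrs       = $inGroup
        SpnRegistered    = $hasSpn
        Spns             = $spns
        Ready            = [bool]$user -and $inGroup -and ((-not $Kerberos) -or $hasSpn)
    }
}

# Placeholder account name; replace with the intended service account.
Test-EnrollmentServiceAccount -Account 'CONTOSO\svc-ces' -Kerberos
```

A `Ready` value of `False` together with the individual columns shows which requirement is not yet met.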