Configuring MSCA on SDDC manager errors out with "Unable to create CA"

Article ID: 425901

Products

VMware SDDC Manager

Issue/Introduction

When attempting to configure or edit the Microsoft Certificate Authority (MSCA) settings in the VMware Cloud Foundation (VCF) SDDC Manager (Administration > Security > Certificate Management), the task fails with the following error message in the UI:

Unable to create CA.


Environment

VCF 5.x

Cause

The SDDC Manager communicates with the Microsoft CA via the Certification Authority Web Enrollment (certsrv) interface. For this communication to be successful, SDDC Manager requires Basic Authentication to be enabled on the IIS server hosting the CA Web Enrollment pages.

The error occurs because:

  1. The Basic Authentication Role Service is not installed on the Windows Server.

  2. The Basic Authentication feature is not enabled for the /CertSrv virtual directory within Internet Information Services (IIS).

Resolution

To resolve this issue, you must install and enable Basic Authentication on the Microsoft CA server.

Step 1: Install Basic Authentication Role Service

  1. Log in to the Microsoft CA Server.

  2. Open Server Manager and navigate to Manage > Add Roles and Features.

  3. In the wizard, proceed to Server Roles.

  4. Expand Web Server (IIS) > Web Server > Security.

  5. Select Basic Authentication and complete the installation.

Step 2: Enable Basic Authentication in IIS

  1. Open the Internet Information Services (IIS) Manager.

  2. In the left pane, navigate to [Server Name] > Sites > Default Web Site > CertSrv.

  3. In the center "Features View," double-click Authentication.

  4. Right-click Basic Authentication and select Enable.

  5. (Optional but Recommended) Right-click Anonymous Authentication and select Disable to ensure explicit credential usage.

  6. Select the Default Web Site in the left pane and click Restart in the right-hand Actions pane.

Step 3: Validate and Retry in SDDC Manager

  1. Return to the SDDC Manager UI.

  2. Navigate back to Certificate Management and re-enter your CA details.

  3. Ensure the URL is formatted as https://<CA-FQDN>/certsrv.

  4. Click Save. The configuration should now complete successfully.
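The server-side part of this procedure (Step 1 and Step 2) can also be applied and then checked from PowerShell on the CA server. The following is an added example, not part of the article, and assumes an elevated Windows PowerShell session on the Windows Server that hosts the CA Web Enrollment role, with the WebAdministration module available (installed with the IIS management tools); the function name Test-CertSrvAuth is the example's own.

```powershell
# Added example (not from the article): automate Step 1 and Step 2 on the Microsoft CA server.
# Assumptions: elevated Windows PowerShell on the CA/IIS host; WebAdministration module present.
Import-Module ServerManager
Import-Module WebAdministration

$site     = 'Default Web Site'
$certsrv  = "$site/CertSrv"                                 # scope changes to /CertSrv only
$authBase = '/system.webServer/security/authentication'

# Step 1: install the Basic Authentication role service
#         (Web Server (IIS) > Web Server > Security > Basic Authentication)
if (-not (Get-WindowsFeature -Name Web-Basic-Auth).Installed) {
    Install-WindowsFeature -Name Web-Basic-Auth | Out-Null
}

# Step 2: enable Basic Authentication on the CertSrv virtual directory, not site-wide.
# Basic Auth sends the credential base64-encoded, so the SDDC Manager URL must stay https://.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $certsrv `
    -Filter "$authBase/basicAuthentication" -Name enabled -Value $true

# Optional but recommended (as in the article): disable Anonymous Authentication on CertSrv
# so the service-account credential configured in SDDC Manager is always required.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $certsrv `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# Restart the site so IIS picks up the change
Restart-WebItem -PSPath "IIS:\Sites\$site"

# Verify the effective settings on /CertSrv before retrying the CA configuration in SDDC Manager
function Test-CertSrvAuth {
    $basic = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $certsrv `
        -Filter "$authBase/basicAuthentication" -Name enabled).Value
    $anon  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $certsrv `
        -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
    [pscustomobject]@{ BasicEnabled = $basic; AnonymousEnabled = $anon }
}

Test-CertSrvAuth   # expected after this script: BasicEnabled = True, AnonymousEnabled = False
```

If BasicEnabled still reports False, the role service install or the IIS restart did not take effect; re-check Step 1 in Server Manager before retrying Step 3.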


For any further assistance with enabling Basic Authentication on the Microsoft CA server, please reach out to the vendor (Microsoft).

Additional Information