When Enabling WSTEP for users and devices, the Windows machine can display the following error.

Error: Access was denied by the remote endpoint.
080300005 (-2143485947 WS_E_ENDPOINT_ACCESS-DENIED)

See below for a list of possible causes and the corresponding solutions.

Invalid enrollment URL
Invalid agent configuration
Invalid root Active Directory username

Invalid enrollment URL

The CEP URL provided to the Group Policy Manager may contain a typo.

Issue resolution: Check the entered URL matches the URL displayed on the welcome page of the Entrust PKIaaS UI.

Invalid agent configuration

The WSTEP agent configuration is not valid.

Issue resolution: Check the following.

The WSTEP agent runs with a valid configuration before the PKIaaS CEP URL can be defined in a Group Policy Object.
The WSTEP agent on the PKIaaS Virtual Machine completes an initial synchronization of the Kerberos data (SPN, KVNO) from the root Active Directory before the Microsoft Group Policy Manager can validate the PKIaaS CEP URL.

See Troubleshooting WSTEP agent configuration issues for solving agent-related issues.

Invalid root Active Directory username

The username defined on the Entrust PKIaaS UI for the root Active Directory RootAD does not have a properly configured SPN (Service Principal Name) or UPN (User Principal Name).

Issue resolution: Run the following command to fix the root Active Directory username.

ktpass -mapuser <USER> -princ HTTP/<PKIAAS-WSTEP-URL>@<UPPERCASE-DOMAIN-NAME> -pass <PASS> -ptype KRB5_NT_PRINCIPAL /Target <UPPERCASE-DOMAIN-NAME> /crypto ALL