In my lab, I have the CEP and CES certificate enrollers installed on the same machine as the CA. I went with the 2nd option, which was to use the application pool, because on previous installs I used the 1st option and set up a service account as described, installed the SPN like in your article, but could never get the authentication to work. Now, I am having the same issue using the application pool. It is asking about a "builtin account", which I am wondering if I shouldn't set up a service account and add it to the IIS_user security group like before. I just need confirmation that this is the builtin account the message is telling me about or is it something else.