Among the Active Directory Certificate Services (AD CS) role services, you will find the Network Device Enrollment Service (NDES), which lets you implement the SCEP protocol on your Microsoft PKI.
Thanks to this standard and lightweight protocol, you can enroll certificates directly from compatible network devices (those that support SCEP).
You will find SCEP support on Cisco switches or routers, for example.
When you run the Network Device Enrollment Service (NDES) setup, you will need to specify a service account for it.
We will therefore create a "NdesSvc" user account on our Active Directory domain controller.
We also set the password of this user to never expire.
The "NdesSvc" user has been created.
As you will see later in the NDES configuration wizard, this service account must be part of the "IIS_IUSRS" local group of your future NDES server.
To do this, on your NDES server, open the "Computer Management" console (via the "Tools" menu of Server Manager, for example) and go to: Local Users and Groups -> Groups.
Next, double-click on the "IIS_IUSRS" local group.
In the "IIS_IUSRS Properties" window that appears, click on: Add.
Indicate the name of the user created previously on your Active Directory domain controller.
In our case, it's the "NdesSvc" user.
The added user appears.
Click OK.
Before installing the Network Device Enrollment Service (NDES) on your future NDES server, ensure that your CA certificate is present in your server's "Trusted Root Certification Authorities" certificate store.
Otherwise, an error will appear during the configuration of NDES and you will have to uninstall, then reinstall NDES.
If your server is a member of your Active Directory domain, all you have to do is force a Group Policy update so that the CA certificate is distributed to it.
Batch
gpupdate /force
Next, open an "mmc" console and add the "Certificates" snap-in for the computer account.
As expected, your CA is one of your server's trusted root CAs.
On this server, install the "Active Directory Certificate Services" role.
Uncheck the "Certification Authority" role service checked by default and only check the "Network Device Enrollment Service" checkbox.
To provide the SCEP protocol, your server will rely on IIS, which is installed as a dependency.
At the end of the wizard, click on: Install.
Wait while Active Directory Certificate Services and the IIS server it depends on are installed.
The NDES service has been installed.
To configure the Network Device Enrollment Service (NDES), click the "Configure Active Directory Certificate Services on the destination server" link.
The "AD CS Configuration" wizard appears.
Click on: Next.
Check the "Network Device Enrollment Service" box and click Next.
As you can see, the Network Device Enrollment Service (NDES) needs a service account to work, and it must be part of the "IIS_IUSRS" local group.
These prerequisites are already met if you have performed the manipulations explained above.
Choose "Specify service account (recommended)" and click: Select.
Enter the credentials of the "NdesSvc" user account created previously.
If the credentials are correct and the specified user is part of the "IIS_IUSRS" local group, its name will appear in the box.
Otherwise, an error will occur.
Next, you will need to specify the CA that this NDES server should use.
To do this, click on: Select.
Select your CA and click OK.
The name of your certification authority appears, as well as the domain name of the server where it's installed.
By default, the registration authority (NDES server) will be named: NDES-MSCEP-RA.
You can change this name if you wish, as well as provide information about it (e-mail, company, department, city, state and country).
For the cryptography options, you will be able to choose the signing and encryption key providers, as well as the key size to use.
In our case, we will use a key size of 2048, as is already the case on our certificate authority.
Note that this only sets the certificate options for the administrator who will perform the certificate requests.
Indeed, you can later create a custom certificate template to issue certificates with a smaller key size to your network devices if you wish.
A summary of the Network Device Enrollment Service (NDES) configuration appears.
Click Configure.
Wait while configuring this Network Device Enrollment Service (NDES).
When the configuration is complete, click Close.
Once NDES is installed and configured, you will see that IIS Manager has been installed on the server.
In IIS Manager, go to "Application Pools" and you will see that a "SCEP" application pool has appeared.
This application pool serves the protocol of the same name (SCEP).
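The steps of this article, as one PowerShell script. This is an added example, not code from the article: it creates the service account, adds it to the local IIS_IUSRS group, checks that the CA certificate is trusted before installing anything, installs only the NDES role service and configures it with the same values the wizard asks for (NdesSvc, NDES-MSCEP-RA, 2048-bit keys). The domain names, CA host and CA name are placeholders to adapt; the script assumes it runs as a domain administrator on the future NDES server with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original article): end-to-end NDES setup in PowerShell.
# Assumptions: run elevated as a domain admin on the future NDES server, with the
# RSAT ActiveDirectory module installed. "NdesSvc", "NDES-MSCEP-RA" and the
# 2048-bit keys come from the article; domain and CA values below are placeholders.
$NetBios  = "INFORMATIWEB"                        # placeholder NetBIOS domain name
$CAName   = "InformatiWeb CA"                     # placeholder CA common name
$CAConfig = "ca.informatiweb.lan\$CAName"         # placeholder "<CA host>\<CA name>"
$SvcUser  = "NdesSvc"

# 1. Service account whose password never expires, as chosen in the article.
$svcPwd = Read-Host -Prompt "Password for $SvcUser" -AsSecureString
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -AccountPassword $svcPwd `
    -PasswordNeverExpires $true -Enabled $true

# 2. The NDES wizard requires the account to be in the local IIS_IUSRS group.
Add-LocalGroupMember -Group "IIS_IUSRS" -Member "$NetBios\$SvcUser"

# 3. Prerequisite check: the CA certificate must already be in the Trusted Root
#    store, otherwise the configuration fails and NDES must be reinstalled.
gpupdate /force | Out-Null
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CAName*" }
if (-not $caCert) {
    throw "CA certificate '$CAName' is not in Trusted Root Certification Authorities"
}

# 4. Install only the NDES role service, not the Certification Authority.
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools

# 5. Configure NDES with the same values the "AD CS Configuration" wizard asks for.
Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName "$NetBios\$SvcUser" -ServiceAccountPassword $svcPwd `
    -CAConfig $CAConfig -RAName "NDES-MSCEP-RA" `
    -SigningKeyLength 2048 -EncryptionKeyLength 2048 -Force

# 6. Verify the "SCEP" application pool the article points out in IIS Manager.
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools | Where-Object Name -eq "SCEP" | Select-Object Name, State
```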