Among the Active Directory Certificate Services (AD CS), you will find the Network Device Enrollment Service (NDES) which allows you to implement the SCEP protocol on your Microsoft PKI.
Thanks to this standard and lightweight protocol, you can enroll certificates directly from your compatible network devices (supporting the SCEP protocol).
You will find this SCEP protocol on Cisco switches or routers, for example.
When you run the Network Device Enrollment Service (NDES) setup, you will need to specify a service account for it.
We will therefore create a "NdesSvc" user account on our Active Directory domain controller.
And we choose that the password never expires for this user.
The "NdesSvc" user has been created.
As you will see later in the NDES configuration wizard, this service account must be part of the "IIS_IUSRS" local group of your future NDES server.
To do this, on your NDES server, open the "Computer Management" console (via the "Tools" menu of the server manager, for example) and go to : Local Users and Groups -> Groups.
Next, double-click on the "IIS_IUSRS" local group.
In the "IIS_IUSRS Properties" window that appears, click on : Add.
Indicate the name of the user created previously on your Active Directory domain controller.
In our case, it's the "NdesSvc" user.
The added user appears.
Click OK.
Before installing the Network Device Enrollment Service (NDES) on your future NDES server, ensure that your CA certificate is present in your server's "Trusted Root Certification Authorities" certificate store.
Otherwise, an error will appear during the configuration of NDES and you will have to uninstall, then reinstall NDES.
If your server is a member of your Active Directory domain, all you have to do is force update its policy.
Batch
gpupdate /force
Next, open a "mmc" console and add the "Certificates" component.
As expected, your CA is one of your server's trusted root CAs.
On this server, install the "Active Directory Certificate Services" role.
Uncheck the "Certification Authority" role service checked by default and only check the "Network Device Enrollment Service" checkbox.
To provide the SCEP protocol, your server will rely on IIS.
At the end of the wizard, click on : Install.
Wait while installing Active Directory Certificate Services and the dependent IIS server.
The NDES service has been installed.
To configure the Network Device Enrollment Service (NDES), click the "Configure Active Directory Certificate Services on the destination server" link.
The "AD CS Configuration" wizard appears.
Click on : Next.
Check the "Network Device Enrollment Service" box and click Next.
As you can see, the Network Device Enrollment Service (NDES) needs a service account to work, and it must be part of the "IIS_IUSRS" local group.
These prerequisites are already met if you have performed the manipulations explained above.
Choose "Specify service account (recommended)" and click : Select.
Indicate the identifiers of the "NdesSvc" user account created previously.
If the credentials are correct and the specified user is part of the "IIS_IUSRS" local group, his name will appear in the box.
Otherwise, an error will occur.
Next, you will need to specify the CA that this NDES server should use.
To do this, click on : Select.
Select your CA and click OK.
The name of your certification authority appears, as well as the domain name of the server where it's installed.
By default, the registration authority (NDES server) will be named : NDES-MSCEP-RA.
You can change this name if you wish, as well as provide information about it :
For encryption options, you will be able to choose the signing and encryption key provider, as well as the key size to use.
In our case, we will use a key size of 2048 as is already the case on our certificate authority.
Note that this only sets the certificate options for the administrator who will perform the certificate requests.
Indeed, you can create a custom certificate template later to provide certificates with a smaller key size for your network devices if you wish.
A summary of the Network Device Enrollment Service (NDES) configuration appears.
Click Configure.
Wait while configuring this Network Device Enrollment Service (NDES).
When the configuration is complete, click Close.
When the configuration is complete, click Close.
Once NDES is installed and configured, you will see that IIS Manager has been installed on it.
In this IIS Manager, go to "Application Pools" and you will see that a "SCEP" application pool has appeared.
This makes it possible to provide the protocol of the same name (SCEP).
Articles 9/8/2023
Windows Server 8/15/2014
Windows Server 10/13/2023
Windows Server 10/27/2023
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment