NDES Deployment and troubleshooting

There are a lot of great guides out there for deploying NDES – Network Device Enrollment Service, but almost all of them were missing some troubleshooting, and I’ve seen a lot of questions from the community that were not able to get everything working. Then we also have the scenarion were you got it working but it stops and then the troubleshooting around that. I’ve done a few NDES installations like this and want to share my experience of this and hopefully this will save someone else out there (You) some time and headache. I my scenario i’m deploying NDES to issue SCEP certificates to my mobile devices.

I wont go into that mush detail in getting the server riles installed since there are plenty of guide that covers that, but here is a quick installation guide.

I’ve used a 2012 R2 server for this installation.

First prepare an account to be used for the installation
- Create an account called SCEPSvc
- Add the account to the Local Administrators Group on the NDES server
- Add the account to the IIS Users Group
  - The account need to have Logon as a Service and Allow Logon Locally
- Add Read en Enroll Permissions on the Certificate Template that will be used
  - By default this is the IPSEC (Offilne Request) template
- Add Request Certificate permissions on the CA Server for the SCEPSvc account
- Add an SPN to the Account
  - SETSPN -S http/SCEPSvc.contoso.com contoso\SCEPSvc

Open the Server Manager and add start the Add role and Feature Wizard.
Select Network Device Enrollment Service
- Click Next
- Specify the service account that you created previously
  - If you skipped any of the permissions added previously you’ll get an error at this point.
- In my case I need to configure NDES to use a Single Password
- Open Regedit and go to HKLM\Software\Microsoft\Cryptography\MSCEP
  a. Change the UserSinglePassword value to 1
Next Open IIS and go to the ApplicationPool called SCEP
- Right Click and select Advanced Settings
- Change Load Userprofile to TRUE
- Stop the SCEP ApplicationPool
- Logoff the server
- Login as the SCEPSvc account
- Logoff the Server
- Login as an administrator
- Start the ApplicationPool again.
- Restart the IIS
  - Verify that you can reach http://localhost/certsrv/mscep_admin
  - Verify that it says “This password can be used multiple times and will not expire”
  - Write down the Challenge Password
  Enter the following in a browers on the server
  http://localhost/certsrv/mscep/?operation=GetCACert&message=test
  - Save the File as .P7B and open it

Now lets write down som details to be used for later
- Open the Certificate at the top and write down the thumbprint
- Open the certificate in the middle from the CEP Encryption template and write down the thumbprint
  - This will be used later if you want to configure a 3:rd party vendor to use SCEP to issue certificates
  - This is often done fo

To change the Certificate Template go to
HKLM\Software\Microsoft\Cryptography\MSCEP
- You can change the template to be used but make sure to give the SCEPSvc account the necessary
  permissions to the new template.
In my case is used a 3:rd party software to require Two-factor authentication to issue certificate to mobile clients that could then be used to logon to OWA for one Month before the provisioning process had to be redone. This is a pretty nice way to provide easy login using certificate but still having an easy but secure way to issue the certificates.

Troubleshooting

Now to the more interesting stuff.

This is easily fixed right? just renew the certificates, I thought so to but it was a bit more complex than I initially thought.I ran into a problem where a got a Error 500 when trying to reach the url http://localhost/certsrv/mscep_admin
- The obvious place to look now is the Event Viewer where I found 2 events
  - The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.
  - The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
- So I checked the certificates and found that they hade expired.
  - There are 2 of them an Offline Exchange enrollment certificate and a CEP certificate.

First of all you can’t renew expired certificatesm once expired you need to issue a new certificate. Ok so lets do that, this is when I found that I was not able to request the certificate to the computer store only as the user. I found a lot of post about other people with the same problem, then I found a solution to the problem by following the following blogpost http://blogs.technet.com/b/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx

Credit for this goes to Jonathan Stephens who made the blog post about the certificate renewal for the NDES certificates.

First create 2 request files with the certificate information

My file looked like this

For the Exchange Enrollment Agent Certificate

Note that I have created a custom certificate template from the 2 original ones.

By default the ExchangeenrollmentAgent and CEPencryption templates are used but I have created new templates.

If you plan to reuse this request you need to change the Certificate Template name.

[NewRequest]

Subject = “CN=KLINGON-MSCEP-RA,OU=Virtual Hosts,OU=Servers,OU=Gsec,DC=GSEC,DC=SE”
Exportable = TRUE
KeyLength = 1024
KeySpec = 2
KeyUsage = 0x80
MachineKeySet = TRUE
ProviderName = “Microsoft Enhanced Cryptographic Provider v1.0”
ProviderType = 1

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1

[RequestAttributes]
CertificateTemplate = NDES_Exchange_Enrollment

And for the CEP certificate

[NewRequest]

Subject = “CN=KLINGON-MSCEP-RA,OU=Virtual Hosts,OU=Servers,OU=Gsec,DC=GSEC,DC=SE”

Exportable = TRUE
KeyLength = 1024
KeySpec = 1
KeyUsage = 0x20
MachineKeySet = TRUE
ProviderName = “Microsoft RSA Schannel Cryptographic Provider”
ProviderType = 12

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1

[RequestAttributes]
CertificateTemplate = NDES_CEP_Encryption

Then I used the following command to request the cerificate

certreq –f –new exchange_enrollment.inf exchange_enrollment.req
certreq –submit exchange_enrollment.req exchange_enrollment.cer
certreq –accept exchange_enrollment.cer

It will prompt you ans ask from what CA you would like to send your request.

Then just to the same thing again but for the CEP certificate.

Now you can see that the Certificates are in the computer store and they are vaild.

If you are using a 3:rd party implementation like I was you also need to update the certificate thumbprints so that they match the new certificates that you issued.

I have probably missed some step like every other guide out there. I you find something let me know and i’ll update the post.

Hopefully this will help someone out there.

\Mattias

One Comment

Add yours →

mf January 31, 2022 — 05:31

After reading multiple posts and searching everywhere, this article helped me to solve the issue with CEP and get it working. The culprit was the expired certificates and the link you have to Jonathan’s post was the golden egg! However, I followed your steps and made few changes along the way to our config which helped! Thank you!

Here are some notes people may find helpful:
1. In 2022 we are using 2048 keys, make sure your “minimum key length” on the template matches the key length on the certificate request (or .inf file if you are following this article)

2. Make sure that for newly created NDES certificate templates, you Publish them on CA
Certificate Templates” –> “New” –> “Certificate Template to Issue”

3. If you get an error while requesting a new certificate from CA, check if the template’s name is correct, I used the following command to check all templates on our CA
certutil -CATemplates

GSEC