Enabling Basic Authentication for the Network Device Enrollment Service (NDES)

If the Network Device Enrollment Service (NDES) is freshly installed (preferably without Enterprise Administrator permissions), only Windows Integrated Authentication is initially enabled for the administration web page. With this method, logging on with a user name and password is also possible (via NT LAN Manager, NTLM). However, not all client applications support this.

Likewise, an organization may want to disable NTLM wherever possible and enforce Kerberos for logon. Enforcing Kerberos removes the ability to log on to the NDES administration page with a user name and password, since that logon path relies on NTLM.

One way out of this dilemma is Basic Authentication, which can be retrofitted; its setup is explained below.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

It must be ensured that the administration web page is configured for SSL (HTTPS) and that this is enforced ("Require SSL"): Basic Authentication transmits the user name and password merely Base64-encoded in every request, so without TLS they can be read by anyone on the network path. For the application web page (/certsrv/mscep), on the other hand, this is not required, since SCEP protects its messages itself (signed and encrypted PKCS#7).

First, Basic Authentication must be added to the Internet Information Services (IIS) features:

Add-WindowsFeature -Name Web-Basic-Auth

After the web server service has been restarted, open the IIS Management Console, select the Default Web Site and choose "View Applications" in the Actions pane on the right.

Double-click to open the settings for "/certsrv/mscep_admin" (only the administration application, not "/certsrv/mscep").

Here you select the "Authentication" feature.

Enable the "Basic Authentication" option.

Then click the "Edit..." button and enter a default domain in the following dialog. Users can then log on with an unqualified user name; without a default domain, the name must be given as "DOMAIN\user" or as a UPN.
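The following PowerShell script is an added example (not part of the original article) that performs the same configuration without the IIS Management Console and also enforces SSL on the administration page. It assumes the NDES site is the "Default Web Site", the administration application is "certsrv/mscep_admin" as above, that an HTTPS binding already exists on the site, and it uses "CORP" as a placeholder for the default logon domain.

```powershell
# Added example: configure Basic Authentication for the NDES administration page with PowerShell.
# Assumptions: site "Default Web Site", application "certsrv/mscep_admin", placeholder default
# domain "CORP", HTTPS binding already present. Run in an elevated PowerShell on the NDES server.

# 1. Install the IIS Basic Authentication feature (Add-WindowsFeature is an alias of Install-WindowsFeature)
#    and restart the web server service so the new configuration section is available.
Add-WindowsFeature -Name Web-Basic-Auth
Restart-Service -Name W3SVC

Import-Module WebAdministration

$site      = 'Default Web Site'
$adminApp  = 'certsrv/mscep_admin'        # administration page only, NOT certsrv/mscep
$location  = "$site/$adminApp"
# The authentication sections are locked for web.config, so write them as a <location>
# element in applicationHost.config via the APPHOST path.
$appHost   = 'MACHINE/WEBROOT/APPHOST'
$basicAuth = 'system.webServer/security/authentication/basicAuthentication'
$access    = 'system.webServer/security/access'

# 2. Enable Basic Authentication and set the default logon domain for unqualified user names.
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $basicAuth `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $basicAuth `
    -Name 'defaultLogonDomain' -Value 'CORP'

# 3. Require SSL on the administration page: Basic credentials are only Base64-encoded, not encrypted.
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $access `
    -Name 'sslFlags' -Value 'Ssl'

# 4. Show the resulting settings for review (Windows Authentication stays enabled alongside Basic).
Get-WebConfiguration -PSPath $appHost -Location $location -Filter $basicAuth |
    Select-Object enabled, defaultLogonDomain
Get-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $access -Name 'sslFlags'
```

IIS picks up changes to applicationHost.config without a further restart. Leave "/certsrv/mscep" untouched: the SCEP application must stay reachable for devices, which cannot authenticate with Basic credentials anyway.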

Function test

The curl tool, which is included in practically every Linux distribution, can be used for a function test. A Windows version also exists.

curl -u 'username:Password' https://{NDES-Server}/certsrv/mscep_admin/ --output -

The command line arguments mean the following:

  • "-u" passes the user name and password; curl sends them as an HTTP Basic Authorization header. With a default domain configured, an unqualified user name is sufficient; otherwise use "DOMAIN\user".
  • "--output -" forces the output to the command line, since NDES answers in UTF-16LE encoding, which curl recognizes as "binary" and otherwise refuses to print to the terminal
  • "--insecure" optionally skips the server certificate check (not used above; not recommended for productive use)
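As an added example (not part of the original article), the same function test from PowerShell. The Authorization header is built by hand to show exactly what a Basic client puts on the wire (and why HTTPS is mandatory), and to make sure the request cannot silently fall back to Negotiate/NTLM, which would not prove that Basic Authentication works. The host name "ndes.corp.example" is a placeholder, and the regex for the challenge password is an assumption about the page text that may need adjusting.

```powershell
# Added example: test the NDES administration page with Basic Authentication from PowerShell.
# Assumptions: placeholder host ndes.corp.example; the administration page reports the one-time
# password after the text "challenge password is" as a string of hexadecimal characters.

function Get-BasicAuthHeader {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password
    )
    # RFC 7617: "Basic" + Base64(user:password). Base64 is an encoding, not encryption,
    # which is why the administration page must require HTTPS.
    $bytes = [Text.Encoding]::UTF8.GetBytes("${UserName}:${Password}")
    return 'Basic ' + [Convert]::ToBase64String($bytes)
}

function Get-NdesChallengePassword {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $plain  = $Credential.GetNetworkCredential().Password
    $header = Get-BasicAuthHeader -UserName $Credential.UserName -Password $plain

    # Send only the Basic header, so a 401 here means Basic itself is not accepted.
    # -UseBasicParsing avoids the Internet Explorer DOM parser on Windows PowerShell 5.1.
    $response = Invoke-WebRequest -Uri "https://$Server/certsrv/mscep_admin/" `
        -Headers @{ Authorization = $header } -UseBasicParsing

    # NDES answers in UTF-16LE, so decode the raw bytes instead of trusting .Content.
    $html = [Text.Encoding]::Unicode.GetString($response.RawContentStream.ToArray())

    # Assumption: the page shows the challenge password as hexadecimal text after "challenge password is".
    if ($html -match 'challenge password is:?\s*(?:<[^>]+>\s*)*([A-F0-9]{16,})') {
        return $Matches[1]
    }
    Write-Warning 'No challenge password found: check the account permissions or adjust the regex.'
    return $html
}

# Usage (prompts for DOMAIN\user, or an unqualified user name if a default domain is configured):
# Get-NdesChallengePassword -Server 'ndes.corp.example' -Credential (Get-Credential)
```

If the server still demands Negotiate after this request, Basic Authentication is not enabled on "/certsrv/mscep_admin" or the change landed on the wrong application; if TLS validation fails, fix the certificate rather than disabling the check, since the Base64-encoded credentials are the whole point of protecting this page.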
