Configure Device Template for Network Device Enrollment Service (NDES)

Author Uwe GradeneggerPosted on Categories Network Device Registration Service (NDES), Certificate usageTags

By default, the Network Device Enrollment Service (NDES) requests certificates from the "IPsec (Offline Request)" template. This certificate template is from Windows 2000 times and cannot be edited. Therefore, it is recommended to change the default settings and use your own certificate templates that serve your personal requirements.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

Configure the certificate template

The SCEP protocol supports three certificate types:

  • EncryptionTemplate: A certificate that can only be used to encrypt data but not to sign it. The Key Usage extension of this certificate includes Key Encipherment (0x20).
  • SignatureTemplate: A certificate that can only be used for signing, but not for encrypting data. The key usage extension of this certificate includes Digital Signature (0x80).
  • GeneralPurposeTemplate: A certificate that can be used for both signing and encrypting data. The Key Usage extension of this certificate includes Key Encipherment and Digital Signature (0xA0).

Typically, however, all three settings are set to the identical value, so NDES can effectively serve only one certificate template.

You are completely free with regard to the content of the certificate template. For example, the "Enhanced Key Usage" extension depends on the desired use case. Often, for example, "Secure E-Mail" or "Client Authentication" is used here.

Microsoft uses the term "Enhanced Key Usage", the correct name according to RFC 5280 is "Extended Key Usage"..

In the "Subject Name" tab, it must be configured that the requester provides the identity with the certificate request. This is mandatory for NDES, but of course also means a certain security risk, since the authority to determine the identities is thus relinquished to the requesting users.

It is recommended to configure in the Issuance Requirements tab that certificate requests require an authorized signature with the "Certificate Request Agent" application policy. Certificate requests are signed by NDES with the Enrollment Agent certificate, so another security barrier can be created in this way: it is no longer possible to bypass the NDES server for certificate requests.

In the Security tab, make sure that the following entities are given the enroll right:

  • The identity of the SCEP application pool on the NDES server. This can be either a service account or the computer account of the NDES server, depending on the configuration. The certificates are requested using this account.
  • Any account that should be able to request one-time passwords (OTPs) from the NDES server and will access the mscep_admin application. NDES checks the authorization on the certificate template to determine the authorization to issue the OTPs.

Configuring the NDES server to use the certificate template

The configuration of the corresponding certificate templates can be found in the registry on the NDES server under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

Note that the name of the LDAP object of the certificate template is entered, i.e. the name without the spaces.

The configuration is applied to the NDES server using the iisreset command.

iisreset

Related links:

External sources

13 thoughts on “Gerätevorlage für den Registrierungsdienst für Netzwerkgeräte (NDES) konfigurieren”

  1. Pingback: The Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin) reports "You do not have sufficient permission to enroll with SCEP. Please contact your system administrator." - Uwe Gradenegger
  2. Pingback: Using Your Own Registration Authority (RA) Certificate Templates for the Network Device Enrollment Service (NDES) - Uwe Gradenegger
  3. Pingback: Is there a dependency of the Network Device Enrollment Service (NDES) with the NTAuthCertificates object - Uwe Gradenegger
  4. Pingback: Basics Network Device Enrollment Service (NDES) - Uwe Gradenegger
  5. Pingback: Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator Permissions - Uwe Gradenegger
  6. Pingback: Basics: Enroll on Behalf of (EOBO) - Uwe Gradenegger
  7. Pingback: Classification of ADCS components in the Administrative Tiering Model - Uwe Gradenegger
  8. Pingback: Details about the event with ID 31 of the source Microsoft-Windows-NetworkDeviceEnrollmentService - Uwe Gradenegger
  9. Pingback: The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect." - Uwe Gradenegger
  10. Pingback: Details about the event with ID 6 of the source Microsoft-Windows-NetworkDeviceEnrollmentService - Uwe Gradenegger
  11. Pingback: Limits of Microsoft Active Directory Certificate Services - Uwe Gradenegger
  12. Pingback: Identity selection for the IIS application pool of the Network Device Enrollment Service (NDES) - Uwe Gradenegger
  13. Pingback: Configuring the Network Device Enrollment Service (NDES) to Operate with a Domain Account - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish