There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords. Some solutions cannot handle a password at all.
In this case, you can configure NDES not to generate or require a password.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.
This configuration is latently insecure, since anyone who can connect to the NDES server, can arbitrarily request certificates for the certificate template stored in the NDES, which under certain circumstances undermines the security of the entire network. If there are multiple applications on the network that require use without a password, it is advisable to provide a separate NDES server for each. If possible Firewall rules be set up, which restrict the connections to NDES to the authorized systems.
The desired setting can be found in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword
Below this is a 32-bit DWORD value called EnforcePassword, which is set to 1 in the default installation. Setting the value to 0 enables operation without a password.
Afterwards, the NDES service can be restarted with the iisreset command so that the new configuration can be read in.
The NDES administration web page (mscep_admin) should now no longer display a password. Unfortunately, there is no explicit indication that NDES is configured without a password.
English 
Deutsch
3 thoughts on “Den Network Device Enrollment Service (NDES) für den Betrieb ohne Passwort konfigurieren”
Comments are closed.