Cryptographic Hardening of SCEP Transactions for the Network Device Enrollment Service (NDES)

The Simple Certificate Enrollment Protocol (SCEP) is an ancient protocol from the early 2000s. It does not use Transport Layer Security (TLS). Therefore, the protocol messages are encrypted at the transport layer.

When sending the certificate request to the NDES server, the client will sign the certificate request with the NDES server's CEP encryption certificate (which was previously communicated to it via the GetCACert message).

Upon receiving the issued certificate, the NDES server will encrypt the response using a self-signed certificate temporarily generated by the SCEP client.

In both cases, a symmetric encryption algorithm is used.

Continue reading „Kryptographische Härtung der SCEP-Transaktionen für den Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“

Attack on the Active Directory via Microsoft Intune - and how it can be contained with TameMyCerts

Dirk-jan Mollema recently presented an attack that can be used to obtain a certificate for highly privileged accounts via Intune. This can then be used to compromise the entire Active Directory environment.

The attack is similar in its basic features to what I have already described in the article "From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It" and in the article "Attack vector on Active Directory directory service via smartcard logon mechanism" (generally also known as ESC1).

What is new, however, is to utilize the Mobile Device Management (MDM) system - in this case Microsoft Intune - accordingly.

What is not new, however, is what can be done with the TameMyCerts Policy Module for Active Directory Certificate Services to drastically reduce the attack surface...

Continue reading „Angriff auf das Active Directory über Microsoft Intune – und wie er mit TameMyCerts eingedämmt werden kann“

Renewal of a certificate via the Network Device Enrollment Service (NDES) fails with error code CERT_E_UNTRUSTEDCA

Assume the following scenario:

  • A certificate is requested through the Network Device Enrollment Service (NDES).
  • Renewal mode is used here, i.e. the certificate request is signed with an existing certificate.
  • The request for the new certificate fails with the following error message:
A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Erneuerung eines Zertifikats über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlercode CERT_E_UNTRUSTEDCA“

Details of the event with ID 86 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:86 (0xC25A0056)
Event log:Application
Event type:Error
Event text (English):SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German):Error during initialization of SCEP certificate registration for %1 via %2: %3 Method: %4 Phase: %5 %6
Continue reading „Details zum Ereignis mit ID 86 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 87 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:87 (0xC25A0057)
Event log:Application
Event type:Error
Event text (English):SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German):SCEP certificate registration error for %1 over %2: %3 Method: %4 Phase: %5 %6
Continue reading „Details zum Ereignis mit ID 87 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It

In the following, I would like to present a highly dangerous PKI configuration, perhaps not necessarily known to the general public, which can probably be encountered quite frequently in this way in corporate networks.

I show how, by exploiting various unfortunate circumstances in the Windows PKI, it is possible to elevate privileges from mere network access to complete Active Directory takeover.

The initial point of attack in this example is the Network Device Enrollment Service (NDES).

Continue reading „Von Null auf Enterprise Administrator durch den Registrierungsdienst für Netzwerkgeräte (NDES) – und was dagegen getan werden kann“

SSCEP: Subject of our request does not match that of the returned Certificate!

Assume the following scenario:

sscep: Subject of our request does not match that of the returned Certificate!
Continue reading „SSCEP: Subject of our request does not match that of the returned Certificate!“

Install SSCEP for Linux (Debian Buster) and apply for certificates via the Network Device Enrollment Service (NDES).

If you want to equip a large quantity of systems with certificates, a Manual request and renewal of certificates is not an option. The only viable path is automation.

For systems that are not members of the Active Directory forest, an automatic certificate request via RPC/DCOM not an option.

For certain use cases, the Simple Certificate Enrollment Protocol (SCEP) is an interesting alternative. There are not only clients for Windows for this protocol, but also for Linux with SSCEP. SSCEP is used, among other things, by thin clients with the eLux operating system used.

The following describes how to set up the SSCEP client on a Debian Buster Linux system - either to use it to manage servers or to be able to test the client-side behavior.

Continue reading „SSCEP für Linux (Debian Buster) installieren und Zertifikate über den Registrierungsdienst für Netzwerkgeräte (NDES) beantragen“

Zertifikatbeantragung für Windows-Systeme mit dem SCEP-Protokollüber den Registrierungsdienst für Netzwerkgeräte (NDES) mit Windows PowerShell

If you want to equip Windows systems with certificates that do not have the option of communicating directly with an Active Directory-integrated certification authority, or that are not even in the same Active Directory forest, the only option in most cases is to install certificates manually.

Since Windows 8.1 / Windows Server 2012 R2, however, there is an integrated client for the Simple Certificate Enrollment Protocol (SCEP) on board. On the server side, SCEP is implemented via the Network Device Enrollment Service (NDES) implemented in the Microsoft PKI since Windows Server 2003.

A particularly interesting feature of SCEP is that the protocol allows a certificate to be renewed by specifying an existing one. So what could be more obvious than to use this interface? What is still missing is a corresponding automation via Windows PowerShell.

Continue reading „Zertifikatbeantragung für Windows-Systeme mit dem SCEP-Protokollüber den Registrierungsdienst für Netzwerkgeräte (NDES) mit Windows PowerShell“

Network Device Enrollment Service (NDES) Basics

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign for Cisco in the early 2000s to provide a simplified method for requesting certificates. Previously, network devices required manually generating a certificate request on each device, submitting it to a certificate authority, and then manually reinstalling the issued certificate on the corresponding device.

Continue reading „Grundlagen Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“

Details of the event with ID 34 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source:Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID:34 (0x22)
Event log:Application
Event type:Error
Symbolic Name:EVENT_SCEP_RA_EXPIRE
Event text (English):At least one of the certificates for the Network Device Enrollment Service has expired. Verify that both the encryption and signing certificates are valid and restart the service.
Event text (German):At least one certificate for the network device registration service has expired. Make sure that both the encryption and the signing certificates are valid and restart the service.
Continue reading „Details zum Ereignis mit ID 34 der Quelle Microsoft-Windows-NetworkDeviceEnrollmentService“

Details of the event with ID 35 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source:Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID:35 (0x23)
Event log:Application
Event type:Error
Symbolic Name:EVENT_SCEP_RA_CLOSE_TO_EXPIRE
Event text (English):At least one of the certificates for the Network Device Enrollment Service will expire soon. Check the validity period for both the encryption and signing certificates. Renew any certificates that are nearing the end of their validity period and restart the service.
Event text (German):At least one certificate for the network device registration service will expire soon. Check the validity period for both encryption and signing certificates. Renew any certificates that are about to expire and restart the service.
Continue reading „Details zum Ereignis mit ID 35 der Quelle Microsoft-Windows-NetworkDeviceEnrollmentService“

Details of the event with ID 36 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source:Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID:36 (0x24)
Event log:Application
Event type:Error
Symbolic Name:EVENT_SCEP_SERVER_SUPPORT
Event text (English):The Network Device Enrollment Service failed while attempting to write the header portion of an http response (%1). %2
Event text (German):An error occurred in the registration service for network devices when an attempt was made to write to the header area of an HTTP response (%1). %2
Continue reading „Details zum Ereignis mit ID 36 der Quelle Microsoft-Windows-NetworkDeviceEnrollmentService“

Details of the event with ID 37 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source:Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID:37 (0x25)
Event log:Application
Event type:Error
Symbolic Name:EVENT_SCEP_WRITE_DATA
Event text (English):The Network Device Enrollment Service failed while attempting to write the data portion of an http response (%1). %2
Event text (German):An error occurred in the registration service for network devices when an attempt was made to write to the data area of an HTTP response (%1). %2
Continue reading „Details zum Ereignis mit ID 37 der Quelle Microsoft-Windows-NetworkDeviceEnrollmentService“

Requesting certificates through the Network Device Enrollment Service (NDES) fails with HTTP error code 503 and there are no entries in the Event Viewer

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • The NDES server uses a domain account or a Group Managed Service Account (gMSA) for the identity of the SCEP IIS application pool.
  • Requesting certificates via NDES fails with HTTP error code 503 (Server Unavailable).
  • Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
  • Even after an iisreset or restart of the NDES server, no event appears after calling the mscep or mscsp_admin page that the NDES service has started or that there were errors.
Continue reading „Die Beantragung von Zertifikaten über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt mit HTTP Fehlercode 503 fehl, und es gibt keine Einträge in der Ereignisanzeige“
en_USEnglish