The Network Device Registration Service (NDES) has two Registration Authority Certificates. With the enrollment agent certificate, certificate requests are signed and one can use the Configure NDES device template accordingly so that certificates are also only issued if the submitted certificate requests also have a corresponding signature..
Do you plan to use the Certification Authority connected to the NDES remove from the NTAuthCertificates objectThe question may arise as to whether mutual dependencies need to be taken into account here - after all, this requires Enroll on Behalf Of (EOBO) the presence of the certificate authority certificate in NTAuthCertificates.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.
Does NDES have a dependency on NTAuthCertificates?
NDES can be operated without membership of the Certification Authorities concerned in NTAuthCertificates.
The only exception is the renewal mode, i.e. when a certificate request is to be signed with an existing certificate. In this case, the certificate authority that issued the certificates to be renewed must be a member of NTAuthCertificates. If this is not the case, the NDES server will use the Event no. 28 log when a certificate request is processed in renewal mode and reject it.
However, most client-side implementations of the SCEP protocol do not use renewal mode anyway, so this should not be a major limitation. The biggest Gateway The regular Certificate Enrollment with or without a one-time password remains, the effects of which can, for example, be compared with the TameMyCerts Policy Module for Microsoft Certification Authority can be drastically reduced.
Does NDES use the Enroll on Behalf Of (EOBO) mechanism?
The answer to this question is clearly "no" - the certificate request via NDES does not use an Enroll on Behalf of. It is simply a signed certificate request. Accordingly, it also works if the certificate authority is not a member of NTAuthCertificates.
Conversely, however, this also means that NDES cannot work with Restricted Enrollment Agents.
If you want to equip your certification authority with one or more Network Device Registration Service (NDES) operate and in parallel with Extended Key Usage Constraints make sure that the "Certificate Request Agent" Enhanced Key Usage is included in the list of enhanced key usages, since the Registration Authority (RA) certificates of the NDES must always come from the same certification authority.
Related links:
- Editing the NTAuthCertificates object in Active Directory
- Configure Device Template for Network Device Enrollment Service (NDES)
- Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates
- The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect."
English 
Deutsch
2 thoughts on “Gibt es eine Abhängigkeit des Registrierungsdienstes für Netzwerkgeräte (NDES) mit dem NTAuthCertificates Objekt?”
Comments are closed.