Active Directory 2008: Network Device Enrollment Service (NDES) Facts…

The Network Device Enrollment Service (NDES) makes it possible for software running on network devices such as routers and switches (which cannot otherwise be authenticated on the network) to enroll for certificates from a CA. Certificates obtained by these devices are typically used for enabling IPsec.

NDES uses the following components:

Network device
  The network device is the router, switch, or other device that needs to obtain a certificate. Network devices are devices that are unable to request a certificate directly from the CA, for example non-Windows devices that are not domain members.

Device administrator
  The device administrator is the person responsible for managing the network device.
  • If you are using an enterprise CA, the administrator must have permissions to obtain the necessary certificates.
  • If you are using a standalone CA, the administrator must be a member of the CA Administrators group.

Registration authority (RA)
  The registration authority (RA) is a Windows server that is running the NDES service.
  • If you are using an enterprise CA, it is recommended to install the NDES service on a server other than the CA.
  • If you are using a standalone CA, it is recommended to install the NDES service on the CA.

The process for obtaining a certificate for the network device is as follows:

  1. On the network device, the device administrator runs the software included with the device to generate a key pair.
  2. The device administrator connects to the registration authority and requests a password that will be included with the certificate request.
  3. On the network device, the device administrator completes the certificate request process. The certificate request is submitted to the RA and includes the password. Use the following URL to request the certificate: http://servername/certsrv/mscep
  4. The RA forwards the certificate request to the CA.
  5. The CA approves the certificate request and returns the certificate to the RA.
  6. The RA returns the certificate to the network device.

To configure NDES:

  1. Create a user account that will be used for the NDES service. This user account must be a member of the IIS_IUSRS built-in group on the local system.
  2. On the RA, install the Active Directory Certificate Services role with the Network Device Enrollment Service (NDES) role service. The RA does not need to be a CA. During the installation, you will specify the NDES service user account and the CA to which certificate requests received from the RA should be submitted.
  3. If you are using an enterprise CA, configure certificate template permissions to allow the necessary entities to request certificates. The following table lists the three certificate template types that are used:
Exchange Enrollment Agent (Offline request)
  This certificate template is an enrollment agent certificate that enables the necessary components in the request process to request a certificate on behalf of the network device. The registration authority requests this certificate for itself. Assign the following permissions to this template:
  • Allow the Enroll permission to the user responsible for managing the RA.
  • Allow the Read and Enroll permissions to the RA service account you created in step 1.
  • Allow the Enroll permission to the device administrator.

CEP Encryption
  This certificate template is a key exchange certificate that identifies how key information will be exchanged securely. The registration authority requests this certificate for itself. Assign the following permissions to this template:
  • Allow the Enroll permission to the user responsible for managing the RA.
  • Allow the Read and Enroll permissions to the RA service account you created in step 1.
  • Allow the Enroll permission to the device administrator.

IPsec (Offline request)
  By default, the RA is configured to request an IPsec certificate for network devices. This will be the template that is used to issue a certificate to the network device. Assign the following permissions to this template:
  • Allow the Read and Enroll permissions to the RA service account you created in step 1.
  • Allow the Enroll permission to the device administrator.

You can configure the RA to request a certificate based on a different template if desired.

  4. Configure the CA to issue the three required templates.
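Steps 1, 2 and 4 of the procedure above, scripted for a Windows Server 2016 or later RA with the ADCSDeployment and LocalAccounts cmdlets (an added example, not from this page, whose 2008 procedure goes through Server Manager). The service account, CA configuration string and RA name are placeholders; the template internal names are those of the three built-in templates in the table.

```powershell
# Added example (not from the page): script steps 1, 2 and 4 on a Windows Server 2016+ RA.
# Account, CA and RA names below are placeholders.
$SvcAccount = 'CONTOSO\svc-ndes'                        # placeholder: the account from step 1
$CAConfig   = 'ca01.contoso.local\Contoso-Issuing-CA'   # placeholder: "<CA host>\<CA name>"

# Step 1: the service account must be a member of the local IIS_IUSRS group on the RA.
if (-not (Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $SvcAccount -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $SvcAccount
}

# Step 2: add only the NDES role service; the RA itself is not a CA.
Install-WindowsFeature -Name ADCS-Device-Enrollment -IncludeManagementTools | Out-Null

# Bind the RA to the CA that will receive the forwarded requests, running as the step 1 account.
$cred = Get-Credential -UserName $SvcAccount -Message 'Password of the NDES service account'
Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $SvcAccount `
    -ServiceAccountPassword $cred.Password -CAConfig $CAConfig `
    -RAName 'CONTOSO-NDES-RA' -RACountry 'US' -Force

# Step 4 check: the CA must be publishing the three templates from the table.
# certutil -CATemplates prints one "<InternalName>: <Display name> ..." line per published template.
$published = certutil -config $CAConfig -CATemplates 2>$null
foreach ($t in 'EnrollmentAgentOffline', 'CEPEncryption', 'IPSECIntermediateOffline') {
    if ($published -match "^$t`:") {
        "OK   $t is published on $CAConfig"
    } else {
        Write-Warning "$t is not published on $CAConfig; the RA cannot obtain it"
    }
}

# Smoke test: the mscep virtual directory should answer the SCEP GetCACaps query.
$caps = Invoke-WebRequest -UseBasicParsing `
    -Uri 'http://localhost/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca'
$caps.Content
```

Run it in an elevated PowerShell session on the RA with an account that is allowed to install the role and read the CA's template list.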

Be aware of the following when using NDES:

  • When you add the NDES service, IIS is installed if it does not already exist. Two virtual directories are created in IIS:
    • The certsrv/mscep_admin virtual directory is used to submit password requests.
    • The certsrv/mscep virtual directory is used to submit certificate requests from the network device.
  • By default, the RA can accept only 5 active registrations at a time. The registration status is determined by the password.
    • The RA can issue only 5 passwords for certificate requests. If you need more active requests, increase the number of allowed passwords.
    • After 60 minutes, the password expires and cannot be used to complete the request. You must request a new password if the password has expired.
    • If you restart IIS, the password cache is cleared. This allows new password requests, but also invalidates any current passwords.
    • You can configure the RA to accept requests without a password.
  • Instead of modifying the templates used for NDES, you should duplicate the template to create a new one. When you do this, you must modify the registry settings on the RA to identify the new template names to use.
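The registry settings behind the notes above (password pool size, password lifetime, whether a password is enforced, and the template names the RA requests), audited and adjusted from PowerShell. This is an added example, not from the page; the key and value names are the documented NDES settings under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP, and the duplicated template name is a placeholder.

```powershell
# Added example (not from the page): read the NDES settings described above, flag a
# password-less RA, raise the registration limit and point the RA at a duplicated template.
# 'ContosoNDESDevice' is a placeholder for the internal name of your duplicated template.
$Mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesDword {
    # Each limit lives as a DWORD in a subkey named like the value, e.g. MSCEP\PasswordMax\PasswordMax.
    # A missing value means the built-in default applies.
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path "$Mscep\$Name" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Set-NdesDword {
    param([string]$Name, [int]$Value)
    $key = "$Mscep\$Name"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Name -Value $Value -Type DWord
}

function Get-NdesState {
    $tpl = Get-ItemProperty -Path $Mscep        # template names sit directly under MSCEP
    [pscustomobject]@{
        PasswordMax            = Get-NdesDword 'PasswordMax' 5         # active registrations (default 5)
        PasswordValidityMin    = Get-NdesDword 'PasswordValidity' 60   # minutes until a password expires
        EnforcePassword        = Get-NdesDword 'EnforcePassword' 1     # 0 = requests accepted without a password
        SignatureTemplate      = $tpl.SignatureTemplate
        EncryptionTemplate     = $tpl.EncryptionTemplate
        GeneralPurposeTemplate = $tpl.GeneralPurposeTemplate
    }
}

$before = Get-NdesState
$before | Format-List

# Defender's check: a password-less RA hands certificates to anyone who can reach certsrv/mscep.
if ($before.EnforcePassword -eq 0) { Write-Warning 'NDES is accepting requests without a password' }

# More than 5 devices enrolling at once need a larger pool of active passwords.
Set-NdesDword 'PasswordMax' 20

# Use the duplicated template instead of the built-in one; the value is the template's internal name.
foreach ($v in 'GeneralPurposeTemplate', 'SignatureTemplate', 'EncryptionTemplate') {
    Set-ItemProperty -Path $Mscep -Name $v -Value 'ContosoNDESDevice'
}

# NDES reads these values when IIS starts; restarting IIS also clears the password cache
# (see above), so schedule this when no enrollments are pending.
iisreset | Out-Null
Get-NdesState | Format-List
```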